The Spam Diaries

News and musings about the fight against spam.
 by Edward Falk

Monday, February 27, 2006

New host cloaking technique used by spammers

As reported in news.admin.net-abuse.usenet the other day, spammers have used a technique we haven't seen before to hide their servers.

(Correction: I hadn't seen it before. Apparently it's been around for years.)

A bit of background: Spammers learned long ago to send their spam from different service providers than the ones hosting their web pages. The idea is that the service provider hosting the web page won't terminate for spam sent from a different provider (see haven spam). However, over the years, service providers have become educated on the issues of haven spam and will now terminate web sites which are advertised via spam. For this reason, spammers take extra steps to hide their web sites. The most common method is via a click-through page hosted on another throw-away account. The bottom line here is that spammers very much want to hide the location of their web sites to prevent their disconnection.

So this brings us today to a new technique reported by Stephen Satchell of satchell.net last Thursday. It reads almost like a mystery novel, involving cloaking, promiscuous interfaces, stolen IP addresses, and tunneling. It gets a little tricky, so follow the bouncing ball:
  • The spammer obtains a dedicated server at the victim service provider. The server shares a subnet with other customers.
  • The spammer runs a special daemon program on the dedicated server. The daemon places the network interface into "promiscuous mode" so that it will snoop on all network packets, spying on the local subnet.
  • The daemon determines which IP addresses on the local subnet are not in use. It also determines the addresses of the network routers. One or more unused IP addresses are commandeered for use by the spammer.
  • The daemon sends unsolicited ARP (Address Resolution Protocol) responses directly to the routers, so the routers' ARP caches map the unused IP addresses to the spammer's server. This lets the server "steal" those addresses. Because the responses go only to the routers and the daemon never answers ARP requests from any other source, the stolen IP addresses remain invisible to every other system on the subnet and to diagnostic equipment.
  • Finally, GRE and IPIP tunneling (a method used to connect two private networks together) is used to connect the stolen IP addresses to the spammer's real servers hosted elsewhere.
The end result is that the spammer has created a server at an IP address which not even the owners of the network are aware of.

There are a number of ways you can protect your own network from this exploit:
  • Give each customer their own subnet.
  • Null-route unused IP addresses in your network space, or otherwise make sure that there's a legitimate server somewhere that will claim them.
  • Monitor your local network for hosts transmitting ARP responses they shouldn't be: responses nobody asked for, or responses for addresses not allocated to that host. Do the monitoring where the traffic can actually be seen (on the routers, or on a port that mirrors the routers' traffic), since responses unicast to the routers alone never reach other switch ports.
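The following is an added example, not code from the original post or from Stephen Satchell's report, illustrating both the attack steps above and the monitoring suggestion. It parses raw Ethernet+ARP frames and flags ARP replies that were never requested, replies that claim an address allocated to nobody, and replies that claim an address allocated to a different customer. The subnet, MAC addresses and frames are all constructed for the example; the auditor is assumed to run on the gateway router or on a switch port mirroring the router's uplink, because (as the comments note) replies unicast only to the router are never seen elsewhere on a switched segment.

```python
"""Audit ARP frames for unsolicited replies and replies claiming addresses
that belong to nobody or to somebody else (added example, not from the post)."""
import struct

ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, ethertype
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def parse_arp(frame):
    """Return (eth_dst, eth_src, op, sha, spa, tha, tpa), or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    dst, src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return mac_str(dst), mac_str(src), op, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa)


def build_arp(op, sha, spa, tha, tpa, eth_dst=None):
    """Build an Ethernet+ARP frame; requests default to broadcast, replies to unicast tha."""
    dst = eth_dst or (BROADCAST if op == ARP_REQUEST else tha)
    eth = ETH_HDR.pack(mac_bytes(dst), mac_bytes(sha), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, op,
                       mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


def audit_arp(frames, allocations):
    """Walk frames in capture order and return a list of alert strings.

    allocations maps each assigned IPv4 address to the MAC of the customer
    holding it; anything missing from the map counts as unallocated."""
    alerts = []
    pending = set()    # (requester MAC, requested IP) pairs with an open request
    for n, frame in enumerate(frames):
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        eth_dst, eth_src, op, sha, spa, tha, tpa = parsed
        if op == ARP_REQUEST:
            pending.add((sha, tpa))
            continue
        if op != ARP_REPLY:
            continue
        if sha != eth_src:
            alerts.append(f"frame {n}: reply sha {sha} differs from Ethernet source {eth_src}")
        # A broadcast gratuitous announcement (spa == tpa) is normal when an
        # interface comes up; an unrequested reply unicast to a router is not.
        gratuitous = spa == tpa and eth_dst == BROADCAST
        if (tha, spa) in pending:
            pending.discard((tha, spa))
        elif not gratuitous:
            alerts.append(f"frame {n}: unsolicited reply '{spa} is-at {sha}' sent to {tha}")
        owner = allocations.get(spa)
        if owner is None:
            alerts.append(f"frame {n}: {sha} claims unallocated address {spa}")
        elif owner != sha:
            alerts.append(f"frame {n}: {spa} is allocated to {owner} but claimed by {sha}")
    return alerts


# Constructed sample subnet: hypothetical addresses and MACs, not from the post.
ROUTER, ROUTER_IP = "00:00:0c:00:00:01", "10.1.2.1"
CUST_A, CUST_A_IP = "00:16:3e:aa:aa:aa", "10.1.2.10"
PERP, PERP_IP = "00:16:3e:bb:bb:bb", "10.1.2.20"
STOLEN_IP = "10.1.2.77"    # allocated to nobody
ALLOCATIONS = {ROUTER_IP: ROUTER, CUST_A_IP: CUST_A, PERP_IP: PERP}

SAMPLE_FRAMES = [
    # normal exchange: router asks for customer A, customer A answers
    build_arp(ARP_REQUEST, ROUTER, ROUTER_IP, "00:00:00:00:00:00", CUST_A_IP),
    build_arp(ARP_REPLY, CUST_A, CUST_A_IP, ROUTER, ROUTER_IP),
    # customer A announces itself after a reboot (broadcast gratuitous ARP)
    build_arp(ARP_REPLY, CUST_A, CUST_A_IP, BROADCAST, CUST_A_IP, eth_dst=BROADCAST),
    # the perp's daemon pushes an unrequested binding for a free address to the router only
    build_arp(ARP_REPLY, PERP, STOLEN_IP, ROUTER, ROUTER_IP),
    # the same trick aimed at an address that belongs to customer A
    build_arp(ARP_REPLY, PERP, CUST_A_IP, ROUTER, ROUTER_IP),
]


def sample_alerts():
    return audit_arp(SAMPLE_FRAMES, ALLOCATIONS)


if __name__ == "__main__":
    for line in sample_alerts():
        print(line)
```

On the sample frames the first three (request, matching reply, broadcast gratuitous announcement) produce nothing, while each of the perp's two unicast replies produces two alerts: one because nobody asked, and one because the claimed address is either unallocated or allocated to another customer. The allocation table is the piece that makes the second check possible, which is why the comments below stress tracking allocated IPs by customer.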

Update: See the comments for a minor correction from Stephen Satchell. The perp server doesn't wait for ARP requests from the gateway routers, but preemptively sends ARP responses.

Update (June 2006): Other suggestions: Seth Breidbart informs me that tcptraceroute to port 80 should at least find the approximate location of the machine.

See the comments for other suggestions sent in by readers.

5 Comments:

Anonymous Anonymous said...

Just a minor correction. The perp server sends unrequested ARP responses to only the gateway routers, so that the routers never have to ask for a layer-3 to layer-2 association -- it's always in the ARP cache of the routers. Nobody else sees this traffic in an EtherSwitch fabric, so ARPWATCH and its kin are defeated. Pings and traceroutes also fail with "host unreachable."

The daemon then only has to watch on the NIC, in promiscuous mode, for TCP packets to the hijacked address on port 80, and pass them down the tunnel to the remote Web server.

3:31 PM  
Blogger Spam Diaries said...

Great, thanks. I'll edit the post. --ef

6:27 PM  
Anonymous Anonymous said...

IP accounting on the edge or core will show this immediately. Moreover, if the edge switches hardcode MAC addresses, as is the case in some (but not all) colocations, you don't have this problem. Also, tracking allocated IPs by customer would avoid this. I.e., like most techniques of this type, they will work in shoddy hosting environments.

7:29 AM  
Anonymous Anonymous said...

Ok, I got it, the problem is well described. Now... what can I do to fight them?

7:41 AM  
Anonymous Shyamsundar said...

Excellent idea. The idea is that the service provider hosting the web page won't terminate for spam sent from a different provider. However, over the years, service providers have become educated on the issues of haven spam and will now terminate web sites which are advertised via spam. yeast infection

1:35 AM  
