Spam fighters call for "parking tickets" on unsafe servers

27 Nov 2013

Anyone running an insecure server should face a fine, according to leading anti-spam outfit

Anti-spam outfit, Spamhaus, has called on the UK government to fine those who are running internet infrastructure that could be exploited by criminals.

Spamhaus was hit by what's been described as the "biggest ever" cyber-attack earlier this year.

The fines would be akin to parking tickets, chief information officer of Spamhaus, Richard Cox, told PC Pro. Speaking from the Cyber Security Summit in London, which was attended by members of UK law enforcement and government, Cox said it should be illegal for people to leave servers unsecured, since that would allow crooks to use them as part of their attack infrastructure.


In Cox’s eyes, those who leave open Domain Name System (DNS) resolvers vulnerable to attack should be fined if they have previously received a warning. When Spamhaus was hit by a massive distributed denial of service (DDoS) attack – the biggest ever recorded at more than 300Gbits/sec – open DNS resolvers were used to amplify the hit, which was aimed at one of the organisation’s upstream partners.

"Once they know it can be used for attacks and fraud, that should be an offence," Cox said. "You should be subject to something like a parking ticket... where the fine is greater than the cost of fixing it.

"If we introduce a sensible law, it’s quite likely other countries will follow."

That would give people an incentive to adopt a more proactive approach, rather than a reactive one, as is the case now. "If somebody walks into a government building carrying a machine gun, you stop them before they fire," he added.

Not that Cox believes government policy makers will do anything about it. "The people who make the laws don’t understand the mechanisms," he said.

Cox was frustrated that he could not make his case to officials at the Cyber Security Summit, including head of the new National Cyber Crime Unit, Andy Archibald, and head of the Office of Cyber Security, James Quinault, because they had left straight after their keynotes.

Another flawed proposal?

Numerous proposals to police threats on the internet have been made in the past, none of which has come to fruition. Microsoft’s Scott Charney caused a stir in 2010 when he suggested infected machines should be quarantined from the web. Others have suggested something like a driving licence, where irresponsible users are given points before being banned for repeated bad behaviour.

Professor Alan Woodward, from the Department of Computing at University of Surrey, said Cox’s proposal was novel, but implementing it would be an onerous task.

"There is a danger that you could have some well-meaning governments putting in place appropriate regulation and legislation to support such an idea, only to find others haven’t. It would work only if there were a majority of earthly jurisdictions that cooperated in some way," he told PC Pro.

Woodward said government could be more proactive about notifying people. "That could be a useful service that government agencies could provide, not to penalise but to alert those running vulnerable servers. If anything this would be useful because it would add to the collective responsibility that is needed to successfully run the internet safely."
