Keeping the internet safe may sometimes feel like a game of Whac-A-Mole, reacting to attacks as they arise, then moving on to the next. In reality, though, it’s an ongoing process that involves not just identifying threats but grabbing and retaining control of the infrastructure behind them. For years a small nonprofit called Shadowserver has quietly carried out a surprisingly large portion of that work. But now the organization faces permanent extinction in a matter of weeks.
There’s a pivotal scene in Ghostbusters in which Environmental Protection Agency inspector Walter Peck marches into the group’s headquarters, armed with a cease and desist order. “Shut this off,” Peck tells the utility worker accompanying him. “Shut this all off.” They cut power to the Ghostbusters’ protection grid, and all the ghosts are released. Think of Shadowserver as the internet’s protection grid.
“Something similar will take place on a digital basis if Shadowserver were to close up shop,” says Roland Dobbins, principal engineer of Netscout Arbor. “The work they do in conjunction with network operators, security researchers, law enforcement, and technology vendors is a mainstay of internet security work today.”
For more than 15 years, Shadowserver has been funded by Cisco as an independent organization. But thanks to budget restructuring, the group now has to go out on its own. Rather than seek a new benefactor, founder Richard Perlotto says the goal is for Shadowserver to become a fully community-funded alliance that doesn’t rely on any one contributor to survive. The group needs to raise $400,000 in the next few weeks to survive the transition, and then it will still need $1.7 million more to make it through 2020—an already Herculean fundraising effort coinciding with a global pandemic. They’ve set up a page for both large corporate donations and smaller individual contributions.
It’s hard to overstate the importance of the organization’s work. Shadowserver scans more than 4 billion IP addresses—almost the entire public internet—every day and puts together activity reports based on the findings for more than 4,600 network operators, as well as the national computer security incident response teams of 107 countries. Shadowserver also hosts a repository of 1.2 billion malware samples, similar to Google’s VirusTotal, that’s freely accessible. In all, the organization hosts more than 11.6 petabytes of threat intelligence and malware-related data. But all of that is just for starters.
The real ghost-escape potential comes from the fact that Shadowserver doesn’t just monitor incidents, it also actively works to contain them. The organization has a vast “honeypot” and “sinkholing” infrastructure. The former lures attackers and records details about them, while the latter diverts malicious traffic into a sort of digital black hole and away from its intended target.
Shadowserver says it sinkholes up to 5 million IP addresses per day, neutralizing malicious firehoses of data that would otherwise spew from botnets and disruptive malware. More than four years after researchers exposed the iOS and macOS malware known as XcodeGhost, for example, Shadowserver still has more than half a million devices connecting to its sinkhole in an attempt to talk to the malware’s command and control infrastructure. The organization also runs what it calls a “registrar of last resort,” which takes control of malicious domain names to disrupt criminal infrastructure, so malware can’t phone home to follow a hacker’s commands.
On top of all of this, Shadowserver collaborates very actively with law enforcement groups all over the world to use its own infrastructure and expertise in massive coordinated operations. In recent years, for example, Shadowserver participated in 2016’s Avalanche takedown and 2019’s GozNym takedown. The organization says its goal is always to help law enforcement make arrests and remediate damage to victims.