To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
Hash: SHA1

J. Oquendo wrote:

> ------------------------------------------------------------------------
> Biased... In all honesty I don't believe so

OK.  It didn't take long to realize that the author really doesn't have
much of a grasp on the transit provider business model works.

They start out trying to impress us with the following experience:

"I’d like to say I’ve been around the block for a couple of years now.
Having worked at an ISP, MSP, NSP and now V(oIP)SP..."

Wow.  Can I join in?  I founded and worked at the same NSP for 10 years
prior to accepting my current position as the senior engineer at another
large NSP.  I am the author of the Multi-Router Looking Glass (MRLG)
code used by 1000's of providers, not to mention many RIRs. I designed
the layer-2 protocol, the routing architecture, the encryption scheme
and the compression algorithms used in the space communications platform
deployed by DHS.

Next, we get the feeling that someone needs to start swinging the
clue-bat at the author if based only on their lack of understanding of
how REAL bandwidth is bought and sold with the following:

"Let’s have a look at a NSP. They make their money off of ISP’s who in
turn make money off of you. With this brief explanation its obvious
NSP’s make money off of traffic with most NSP’s charging the their
customers (ISP’s or other providers, hosting, etc.) more money when they
go over their quotas. So ask yourself, let’s say AcmeNSP (hopefully
there isn’t a NSP called ACME since in this instance - I just spit out a
name), if AcmeNSP is leasing to FoobarISP and is guaranteeing them say
100 gigs of traffic per month with say $0.60 per meg over quota..."

OK. If a service provider (ISP/MSP/*SP) is buying bandwidth based on
data transferred vs raw line rate of the transport medium, there are two
words to describe that provider: "Mom & Pop".  It is just that simple.
Virtual hosting is sold by many providers based on the amount of data
transferred.  Transit bandwidth on the other hand is bought and sold
based on Mb/s or more commonly Gb/s now.  The fact that the author
thinks otherwise suggests to me that even if they have been "around the
block a couple of years", they still have their training wheels on.

The author goes on to demonstrate their lack of grasp with the following:

"How difficult would it be for AcmeNSP to instead create and send a
letter to all their clients: “We’ve recently noticed spikes in malicious
traffic and in an effort to mitigate this, we’re asking that our
customers implement the following fixes on their networks to avoid
surplus charges” with an instruction on say RFC1918 filtering or maybe
even some quick Cisco ip audit, ip cef, access-list oneliners to stop
malicious traffic from ever reaching the Internet. Its not and would
never be in a NSP’s best interest to do so. Why should AcmeNSP clean off
their network when they’re making money off of the excess bandwidth."

The overwhelming majority of malware we're seeing is not sourcing from
RFC1918 space and much of it is intelligent enough not to scan into
RFC1918 space and while I agree that RFC1918 should not ever make it
past the CPE, let alone the customer aggregation router, access-lists
are not where it's at.  The use of uRPF in strict mode on customer
facing interfaces would be a nice start though.  Strange that the author
has so much supposed experience but they leave the most easily
implemented filtering option out of their critique.

As for using ip audit and ip cef, they have their place but, any
respectable provider is going to be collecting netflow exports from
their routers and doing automated analytics on that flow information
using any one of several publicly available netflow collectors - perhaps
even augmented by a commercial solution such as the Arbor PeakFlow SP.

As for "access-list oneliners", if you want to see a router melt down,
go ahead and apply an ACL to block that 2 million packets per second,
2Gb/s DDoS heading towards your customer.  Let us know how that works
out for ya, OK?

This one torques me off: "I have 3 engineers say a CCNP, CCNA and Unix
systems administrator".  I'm so sorry.  The word "engineer" is so
overused it boggles the mind.

I'm starting to get the picture here: "a DS3 at about $6,000 for the
local loop and another $6,000 bandwidth."  OK.  A DS3? A *single* DS3 at
that?  So much for multi-homing.  So much for bandwidth.  And $6000/mo
for 45Mb/s of transit not including loop?  Someone is getting bent over
and not even kissed.  Go ahead.  Apply all of the ACLs you want you your
7204 with the NPE-100.  If you've only got a DS3 on it, it might handle
it.  Hell, the fact that you've only got a DS3 is shielding you from
99.999% of the attack traffic.  A 45Mb/s attack is going to be VERY hard
to see in the graphs on my network it's so far down in the noise.

It's getting better:

"How about this, its 3:00am and your business is getting hammered, you
now have to wake up your engineers and address this issue, they’ll
likely make overtime, complain their equipment is not equipped to handle
it, etc.."

What?  No 24x7 *manned* NOC?  Oh... That's right.  He's only got three
"in-jun-ears"...  Overtime?  You mean they're not salary exempt employees?

And it still gets better:

"Instead of actually doing something to mitigate against botnets
identity thefts, malware, scumware, whateverware you want to call it,
providers have the audacity to actually charge you for keeping their own
networks clean. What a con. How about me as a provider blocking your
network from reaching mine. How about if your clients can’t reach the
businesses they’d like to get to because they were banned? Incoming call
to customer service. Your Client: “I’m trying to reach to check on my account but I can’t because they’re
saying your network has been blocked” How long do ISP’s and NSP’s think
it will be before they find a new provider."

1) If I place the infected customer in a walled garden, they're going to
complain that they can't get anywhere.  They're going to argue that
they're not infected.  Perhaps to the point that they leave and find
another provider.

2) When I blackhole known rogue hosts (outside of my network), it is
inevitable that SOME customer wants to go to another vhost on that same
IP address hosted at [insert some hosting provider].  They'll complain
that they can get there from other providers and it is my network that
has the problem.

We're damned if we do and damned if we don't.  People bitch and moan
about lack of action on the part of providers but whatever you do, don't
let your mitigation strategy impact their ability to download pr0n or
the latest war3z.

He's got a little list of CIDRs that he's blocked from his network.
Wow.  I'm impressed.  All in all, this read like the ramblings of a rank
amateur who is playing the "Big Fish, Little Pond" game at some mom &
pop VoIP provider.

I did more *proactively* before lunch today than the author brags about
doing total to "keep his network clean."

It's easy to be a little stub ISP or better yet, an end-user and start
pointing the finger screaming and yelling about what others have been
doing.  Come back and talk to me when your smallest network drain is
OC48 and you're connecting pops with multiple OC192 links.

There is a lot going on in the shadows to combat botnets and other
miscreant activities that most folks don't have credentials to know about.

Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mandriva -

To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement 
upon request.

Reply via email to