To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
----------
J. Oquendo wrote:
> http://www.infiltrated.net/?p=29
>
> Biased... In all honesty I don't believe so

OK. It didn't take long to realize that the author really doesn't have much of a grasp on how the transit provider business model works. They start out trying to impress us with the following experience:

"I'd like to say I've been around the block for a couple of years now. Having worked at an ISP, MSP, NSP and now V(oIP)SP..."

Wow. Can I join in? I founded and worked at the same NSP for 10 years prior to accepting my current position as the senior engineer at another large NSP. I am the author of the Multi-Router Looking Glass (MRLG) code used by 1000's of providers, not to mention many RIRs. I designed the layer-2 protocol, the routing architecture, the encryption scheme and the compression algorithms used in the space communications platform deployed by DHS.

Next, we get the feeling that someone needs to start swinging the clue-bat at the author, if based only on their lack of understanding of how REAL bandwidth is bought and sold, with the following:

"Let's have a look at a NSP. They make their money off of ISP's who in turn make money off of you. With this brief explanation it's obvious NSP's make money off of traffic with most NSP's charging their customers (ISP's or other providers, hosting, etc.) more money when they go over their quotas. So ask yourself, let's say AcmeNSP (hopefully there isn't a NSP called ACME since in this instance - I just spit out a name), if AcmeNSP is leasing to FoobarISP and is guaranteeing them say 100 gigs of traffic per month with say $0.60 per meg over quota..."

OK. If a service provider (ISP/MSP/*SP) is buying bandwidth based on data transferred vs raw line rate of the transport medium, there are two words to describe that provider: "Mom & Pop". It is just that simple. Virtual hosting is sold by many providers based on the amount of data transferred. Transit bandwidth on the other hand is bought and sold based on Mb/s or more commonly Gb/s now. The fact that the author thinks otherwise suggests to me that even if they have been "around the block a couple of years", they still have their training wheels on.

The author goes on to demonstrate their lack of grasp with the following:

"How difficult would it be for AcmeNSP to instead create and send a letter to all their clients: 'We've recently noticed spikes in malicious traffic and in an effort to mitigate this, we're asking that our customers implement the following fixes on their networks to avoid surplus charges' with an instruction on say RFC1918 filtering or maybe even some quick Cisco ip audit, ip cef, access-list oneliners to stop malicious traffic from ever reaching the Internet. It's not and would never be in a NSP's best interest to do so. Why should AcmeNSP clean off their network when they're making money off of the excess bandwidth."

The overwhelming majority of malware we're seeing is not sourcing from RFC1918 space and much of it is intelligent enough not to scan into RFC1918 space. While I agree that RFC1918 should not ever make it past the CPE, let alone the customer aggregation router, access-lists are not where it's at. The use of uRPF in strict mode on customer facing interfaces would be a nice start though. Strange that the author has so much supposed experience but they leave the most easily implemented filtering option out of their critique. As for using ip audit and ip cef, they have their place but any respectable provider is going to be collecting netflow exports from their routers and doing automated analytics on that flow information using any one of several publicly available netflow collectors - perhaps even augmented by a commercial solution such as the Arbor PeakFlow SP.

As for "access-list oneliners", if you want to see a router melt down, go ahead and apply an ACL to block that 2 million packets per second, 2Gb/s DDoS heading towards your customer. Let us know how that works out for ya, OK?

This one torques me off:

"I have 3 engineers say a CCNP, CCNA and Unix systems administrator"

I'm so sorry. The word "engineer" is so overused it boggles the mind.

I'm starting to get the picture here:

"a DS3 at about $6,000 for the local loop and another $6,000 bandwidth."

OK. A DS3? A *single* DS3 at that? So much for multi-homing. So much for bandwidth. And $6000/mo for 45Mb/s of transit not including loop? Someone is getting bent over and not even kissed. Go ahead. Apply all of the ACLs you want to your 7204 with the NPE-100. If you've only got a DS3 on it, it might handle it. Hell, the fact that you've only got a DS3 is shielding you from 99.999% of the attack traffic. A 45Mb/s attack is going to be VERY hard to see in the graphs on my network, it's so far down in the noise.

It's getting better:

"How about this, it's 3:00am and your business is getting hammered, you now have to wake up your engineers and address this issue, they'll likely make overtime, complain their equipment is not equipped to handle it, etc.."

What? No 24x7 *manned* NOC? Oh... That's right. He's only got three "in-jun-ears"... Overtime? You mean they're not salary exempt employees?

And it still gets better:

"Instead of actually doing something to mitigate against botnets, identity thefts, malware, scumware, whateverware you want to call it, providers have the audacity to actually charge you for keeping their own networks clean. What a con. How about me as a provider blocking your network from reaching mine. How about if your clients can't reach the businesses they'd like to get to because they were banned? Incoming call to customer service. Your Client: 'I'm trying to reach SomethingOrOther.com to check on my account but I can't because they're saying your network has been blocked' How long do ISP's and NSP's think it will be before they find a new provider."

1) If I place the infected customer in a walled garden, they're going to complain that they can't get anywhere. They're going to argue that they're not infected. Perhaps to the point that they leave and find another provider.

2) When I blackhole known rogue hosts (outside of my network), it is inevitable that SOME customer wants to go to another vhost on that same IP address hosted at [insert some hosting provider]. They'll complain that they can get there from other providers and it is my network that has the problem.

We're damned if we do and damned if we don't. People bitch and moan about lack of action on the part of providers but whatever you do, don't let your mitigation strategy impact their ability to download pr0n or the latest war3z.

He's got a little list of CIDRs that he's blocked from his network. Wow. I'm impressed.

All in all, this read like the ramblings of a rank amateur who is playing the "Big Fish, Little Pond" game at some mom & pop VoIP provider. I did more *proactively* before lunch today than the author brags about doing total to "keep his network clean." It's easy to be a little stub ISP, or better yet an end-user, and start pointing the finger, screaming and yelling about what others have been doing. Come back and talk to me when your smallest network drain is OC48 and you're connecting pops with multiple OC192 links. There is a lot going on in the shadows to combat botnets and other miscreant activities that most folks don't have credentials to know about.
~John

_______________________________________________
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets