To report a botnet PRIVATELY please email: [EMAIL PROTECTED] ---------- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
PinkFreud wrote: > On Fri, Sep 21, 2007 at 10:02:32PM +0000, John Fraizer babbled thus: > > *snip* > > >>Again, there is no silver bullet. It is *NOT* the responsibility of the >>providers to force safe computing down the throat of their customers. > > > I disagree with this. By your reasoning, it's not the responsibility > of the university I work for to make sure students don't put infected > machines on the network (we actually take a very proactive approach to > minimize the number of 'problem' machines we have on the network). Two points: 1) Protecting your network != forcing safe computing down the throat of your "customers." While _you_ can place infected users into a walled garden which will provide them "motivation" to clean their infected/compromised machine, you still can not force the user to practice "safe computing." You can make the alternative inconvenient for them but, only the user can make the conscious decision to not do stupid things. 2) UNI Network != Service Provider Network. As a UNI Network, you have the ability to place users into a walled garden without fear of the user "voting with their wallet." IE; The UNI gets their money even if the student is walled for the entire school term. Add the real threat of litigation on the part of "customers" of actual service providers (ISP/NSP) who sue the provider for interruption of business, etc and you can see that while you as a UNI Network may have several Gb/s worth of transit + I2 capacity, a bunch of 15Ks, 12Ks and 7600s in your network like the rest of the "big boys", the customer:provider relationship is completely different. Even when a customer is in violation of an AUP/TOS, it is a difficult sale to legal to just admin down the customer facing interface or otherwise send a "shot across the bow" to get the customers attention. Our customer-facing folks have brought me into calls where the customer had to call back via their cellphone - they were unable to complete a VoIP call because their connection was so saturated with outbound DoS traffic - and the customer was actually arguing that "there was no way they were compromised because they didn't run Windows." This same customer decided to go the executive escalation path where VPs, SVPs and C*O's are brought into the mix, threatening litigation, blah blah blah. I was eventually able to convince the customer that they did in fact have compromised machines on their network but only after they physically disconnected the switch uplink to their compromised servers and their VoIP miraculously started working again. > > To go back to your earlier analogy of a user enticing Joe Botherder, > you're right - there's little an ISP can do in that case. But when > you're talking about machines actively sending out spam/involved in a > DDoS/etc., then yes, it *is* the ISP's responsibility to do something. > > I'm not saying an ISP should be watching everything that goes on on > it's network at all times. However, when an abuse department is > contacted about a problem machine on the ISP's network, it is most > definitely the ISP's responsibility to investigate, attempt to contact > the owner, and as a last resort, pull it off the network. Please don't misunderstand. I am in no way shape or form stating that it is not the responsibility of a service provider to actively and aggressively field complaints. I'll go one step further and say that in my opinion, service providers should proactively monitor their networks for anomolous traffic and vigerously investigate anything that causes bells and whistles to start going off. That is not the same thing as forcing safe computing onto your customers however. If I had my way, no end-users would be logging into a privlidged account on *ANY* platform to do non-admin tasks. There is absolutely no reason for a user to have Administrator privlidges while surfing the net, checking email or chatting on their favorite instant messaging client. Tell me what percentage of end-users create and *USE* a luser account and *USE* it vs the default, balls-to-the-wall Administrator privlidge account on their winblows machine if they received notification that it was the "smart" thing to do or it was "best current practice"? > > If an ISP weren't to take responsibility for the machines, who would? > The user? As you pointed out, that's rather unlikely. :) > The question that has to be asked before ultimate responsibility can be established is "Whos machine is it?" If you're MegaCompany, Inc, the machine could be a server on your corporate network, a desktop machine at a cubicle or even the laptop of an outside sales rep who is connecting via VPN. If you're RackSpace, the machine is yours and the customer pays you for the ability to utilize the machine. If you're Cox Cable, the machine most likely belongs to Billy-Bob enduser. If you're Verizon Business, the machine most likely belongs to a customer of a customer (of a customer of a customer) who may or may not be Billy-Bob enduser. As an NSP, do I blackhole the /32 of my customers customer? They may not even be using my address space - I may simply be providing transit services for the prefix in question. As an ISP, do I blackhole the connectivity of the /32 I've assigned to MegaCompany, Inc because I'm seeing or receiving complaints of an outbound DoS from them? Doing so may be blackholing the public-facing IP address of 10,000 machines behind a corporate NAT. As Cox Cable, do I blackhole the /32 of a customer because I'm seeing or receiving complaints of an outbound DoS from them? Doing so may very well cut off their lifeline communications because they may have Vonage or some other VoIP service as their only phone service. As an engineer or admin at MegaCompany, Inc, do I blackhole our public facing webserver because I've received an email from someone claiming it is "attacking" them? The "correct" answer is going to be different based on which of the scenerios we're in, isn't it? > The real question is - what do we do with ISPs which ignore abuse > reports, like Turk Telekom, RDSNet, or QualityNet? > Again, it depends on who "we" are. If you're MegaCompany, Inc, you can probably blackhole them because your routing policy effects only you. If you're an ISP/NSP, you may or may not be able to blackhole them because doing so may cause issues for your customers. Again, there is no silver bullet - at least not one that fits every gun. ~john -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org iD8DBQFG9JUz+16lRpJszIgRApTXAJ4vVs77QGqwFS+LWviERyEtgM+YcwCghDfS ii7QwRUQotRl0ExIuzJ+FnA= =uqdt -----END PGP SIGNATURE----- _______________________________________________ To report a botnet PRIVATELY please email: [EMAIL PROTECTED] All list and server information are public and available to law enforcement upon request. http://www.whitestar.linuxbox.org/mailman/listinfo/botnets
