To report a botnet PRIVATELY please email: [EMAIL PROTECTED]

PinkFreud wrote:
> On Fri, Sep 21, 2007 at 10:02:32PM +0000, John Fraizer babbled thus:
> *snip*
>>Again, there is no silver bullet.  It is *NOT* the responsibility of the
>>providers to force safe computing down the throat of their customers.
> I disagree with this.  By your reasoning, it's not the responsibility
> of the university I work for to make sure students don't put infected
> machines on the network (we actually take a very proactive approach to
> minimize the number of 'problem' machines we have on the network).

Two points:

1) Protecting your network != forcing safe computing down the throat of
your "customers."

While _you_ can place infected users into a walled garden which will
provide them "motivation" to clean their infected/compromised machine,
you still cannot force the user to practice "safe computing."  You can
make the alternative inconvenient for them, but only the user can make
the conscious decision to not do stupid things.

2) UNI Network != Service Provider Network.

As a UNI Network, you have the ability to place users into a walled
garden without fear of the user "voting with their wallet."  I.e., the UNI
gets their money even if the student is walled for the entire school
term.  Add the real threat of litigation on the part of "customers" of
actual service providers (ISP/NSP) who sue the provider for interruption
of business, etc., and you can see that while you as a UNI Network may
have several Gb/s worth of transit + I2 capacity, a bunch of 15Ks, 12Ks
and 7600s in your network like the rest of the "big boys", the
customer:provider relationship is completely different.

Even when a customer is in violation of an AUP/TOS, it is a difficult
sale to legal to just admin down the customer-facing interface or
otherwise send a "shot across the bow" to get the customer's attention.

Our customer-facing folks have brought me into calls where the customer
had to call back via their cellphone - they were unable to complete a
VoIP call because their connection was so saturated with outbound DoS
traffic - and the customer was actually arguing that "there was no way
they were compromised because they didn't run Windows."  This same
customer decided to go the executive escalation path where VPs, SVPs and
C*O's are brought into the mix, threatening litigation, blah blah blah.
I was eventually able to convince the customer that they did in fact
have compromised machines on their network but only after they
physically disconnected the switch uplink to their compromised servers
and their VoIP miraculously started working again.

> To go back to your earlier analogy of a user enticing Joe Botherder,
> you're right - there's little an ISP can do in that case.  But when
> you're talking about machines actively sending out spam/involved in a
> DDoS/etc., then yes, it *is* the ISP's responsibility to do something.
> I'm not saying an ISP should be watching everything that goes on on
> its network at all times.  However, when an abuse department is
> contacted about a problem machine on the ISP's network, it is most
> definitely the ISP's responsibility to investigate, attempt to contact
> the owner, and as a last resort, pull it off the network.

Please don't misunderstand.  I am in no way shape or form stating that
it is not the responsibility of a service provider to actively and
aggressively field complaints.  I'll go one step further and say that in
my opinion, service providers should proactively monitor their networks
for anomalous traffic and vigorously investigate anything that causes
bells and whistles to start going off.  That is not the same thing as
forcing safe computing onto your customers, however.

If I had my way, no end-users would be logging into a privileged account
on *ANY* platform to do non-admin tasks.  There is absolutely no reason
for a user to have Administrator privileges while surfing the net,
checking email or chatting on their favorite instant messaging client.

Tell me what percentage of end-users create and *USE* a luser account
vs. the default, balls-to-the-wall Administrator privilege
account on their winblows machine if they received notification that it
was the "smart" thing to do or it was "best current practice"?

> If an ISP weren't to take responsibility for the machines, who would?
> The user?  As you pointed out, that's rather unlikely.  :)

The question that has to be asked before ultimate responsibility can be
established is "Whose machine is it?"

If you're MegaCompany, Inc, the machine could be a server on your
corporate network, a desktop machine at a cubicle or even the laptop of
an outside sales rep who is connecting via VPN.

If you're RackSpace, the machine is yours and the customer pays you for
the ability to utilize the machine.

If you're Cox Cable, the machine most likely belongs to Billy-Bob enduser.

If you're Verizon Business, the machine most likely belongs to a
customer of a customer (of a customer of a customer) who may or may not
be Billy-Bob enduser.

As an NSP, do I blackhole the /32 of my customer's customer?  They may
not even be using my address space - I may simply be providing transit
services for the prefix in question.

As an ISP, do I blackhole the connectivity of the /32 I've assigned to
MegaCompany, Inc because I'm seeing or receiving complaints of an
outbound DoS from them?  Doing so may be blackholing the public-facing
IP address of 10,000 machines behind a corporate NAT.

As Cox Cable, do I blackhole the /32 of a customer because I'm seeing or
receiving complaints of an outbound DoS from them?  Doing so may very
well cut off their lifeline communications because they may have Vonage
or some other VoIP service as their only phone service.

As an engineer or admin at MegaCompany, Inc, do I blackhole our public
facing webserver because I've received an email from someone claiming it
is "attacking" them?

The "correct" answer is going to be different based on which of the
scenarios we're in, isn't it?

> The real question is - what do we do with ISPs which ignore abuse
> reports, like Turk Telekom, RDSNet, or QualityNet?

Again, it depends on who "we" are.  If you're MegaCompany, Inc, you can
probably blackhole them because your routing policy affects only you.
If you're an ISP/NSP, you may or may not be able to blackhole them
because doing so may cause issues for your customers.

Again, there is no silver bullet - at least not one that fits every gun.
