To report a botnet PRIVATELY please email: [EMAIL PROTECTED]

----------

Against my better judgement... A few opinions I figured I'd share.
Regarding the cited article and the idea that ISPs charging for Managed Security Service is "ballsy", you should re-read it. All your arguments are about ISPs on the sending end, not the receiving end. Beginning an article such as this by stating you've "been around the block" usually only further calls such a thing into question.

If I read your recommendations correctly, ISPs should:

- send a letter to customers
- ask customers to implement RFC1918 filtering or perform some quick Cisco audit
- ip cef
- access-list one-liners to stop malicious traffic from ever reaching the Internet
- then you posit that it's a top-line revenue impact that keeps providers from doing anything about it, i.e., because of usage-based billing models.

So, my thoughts on this initial bit:

- A whopping 2 bots with 500k of upstream bandwidth and a proper reflective amplification vector could completely saturate your $12k/mo DS3 - twice! BTW: provisioning 20k customers behind a single DS3 is quite an oversubscription model, even if they're all dial-up customers and you assume a max 30% activity rate - which would be short-sighted, to say the least. You also left typically amortized capex calculations out of your business plan, salaried employees don't get overtime, and, well, lots of other costs, to be gratuitous. But let's push forward anyway.
- So, this letter to all your clients, all 20k of them, proactively: be sure to factor in a minimum of $20k for stamps and envelopes, and some time for someone to put the letter in the envelope and mail it - given your shoe-string budget.
- You've got 3 help desk people that are to explain IP CEF to your users? Why, it doesn't run on most of those low-end SOHO systems and adds NOTHING in the way of additional security. And 82% are likely using non-Cisco/Linksys gear. Your 3 help desk folks are going to work, even at a nominal 5% take rate, an average of 3 customers per day (365 days a year) performing customer network audits? I suspect they're underpaid.
What about actual customer problems, who's going to work those? And G&A costs, and all the other things real companies have to deal with?

- Access-lists: useless in this context. They provide no protection from well over the majority of today's threats.
- RFC1918 filters: aren't those access-lists? Ohh, and they don't help either.
- Now, you've invested all this time and you've increased your customers' security posture by what, .001%? Given that most of the compromise today is system level and is even permitted by stateful firewalls and IDS/IPS systems, and even AV, what have you accomplished?
- So you're going to work with all these folks to clean their systems, detect zero-day threats, and remove rootkits, etc. in a reactive manner as well?
- Or just cut them off if they become infected? You can't, you probably understand that, being a VoIP provider and all. Kill their emergency dialing services and what happens? And churn is a major concern, it better be if you only have 20k customers. More of a concern than average revenue per user (ARPU) even.
- And if you're fortunate to have infrastructure that provides the capability to place them in quarantine, you've still got to provide those VoIP services, and allow them to reach AV companies, or access OS patches, and avoid cross-infection and maintain continuity of other services (e.g., data, IPTV, mobile?) or churn will increase, as will help desk calls.
- But they don't know how to remove a rootkit, so your help desk folks have to work with them. And even at a low 5% customer compromise (they are victims, mind you) rate, your 3 help desk folks are double booked. And you're paying them to be both network and host-level experts now (@35k each), good luck with that one.
- BTW, how many of the broadband providers worldwide bill strictly based on usage? I'd be surprised if more than 10% globally did. So that makes your argument on that front about top-line revenue being the motivator even more far-fetched.
- Ohh, and how do YOU protect your customers from attacks from the Internet today, out of curiosity? Both single packet and DoS?

The business model is VERY different for hybrid networks that are also responsible for end-systems (e.g., edu, enterprise, etc.), versus ISPs that are providing connectivity services, and far more complex than you've outlined.

There are a slew of other rebuttals I could offer on your article, but it seems a bit futile given this as a starting point.

-danny

_______________________________________________
All list and server information are public and available to law enforcement upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets