FYI, One of the major reasons ISPS don't just do this is that
identifying things like botnet traffic isn't always easy to do without
spending a lot of computing cycles. Spending those cycles at the very
least results in increased latency. I know of several companies who are
building next gen routers which will have low latency in line virus
scanning and IDS/IP features. I have to belivee that at least some of
these systems can be taught to recognize and filter "bad traffic". The
problem is "What is bad traffic?"
Another tactic is to push the brains out to the edge. If the PC/User
can't prevent infection, the ISP can hope to limit the spread. Things
like tight firewalls on the Cable Modem or DSL routers that block
outgoing ports unless configured differently make a big difference here.
With some of the newer boxes it is "safer" for an ISP to start with a
"block everything except webpages" approach because the control panels
don't require the user to understand ports. They just have to check
boxes for what traffic they want to allow through from alist containing
things like the names of games and applications. The firewall then
allows these outbound and can even specify what times of day the traffic
should be allowed through. for example you could block all gaming
related traffic except on weekday evening between 4:00PM and 10:00 PM
and weekends between 10:00AM and 10:00PM.
-Mike
"Software Engineering is that part of Computer Science which is too
difficult for the Computer Scientist." --— F. L. Bauer.
On Tue, 2007-02-13 at 14:11 -0800, Ben Barrett wrote:
> Well stated situation, Bob. However, I was trying to propose
> something
> more akin to a backbone policing endeavor, which would ideally keep
> any
> major botnet infections from taking hold -- there will always be
> zero-day
> issues, of course, but by the time 10K machines are infected, it
> should
> be easy enough to identify their traffic and simply eliminate it.
>
> So the scenario I envision would be one where the customer only has
> an issue b/c their computer is running so slow (any successful
> small-time
> or failing big-time infections have similar effects as they do today),
> at
> which point the user does whatever they wish, call RentANerd, etc.
>
> My idea (well not MINE) is to simply squelch the channels by which the
> botnets are attempting to do their own useful work, and also the
> channels
> by which the update themselves and spread. Again, this would only
> affect
> major & known botnets/malware, but ... imagine for instance if our
> networks
> only had to support 1/10 or 1/1000 the amount of spam! We'd all be
> jumping
> for joy, and shouting, "It works! It works!" :)
>
> So yeah, I don't expect any small-beans ISP's to deal with it, I
> expect some
> sort of global or nation policing effort, ON the backbone, so to
> speak...
> of course, the implementation could go horribly wrong, and the system
> itself could be compromised... but getting it wrong is how we best
> learn
> to get it right, correct? Pie in the sky, at present, as far as I
> know, since
> I haven't been participating in the Portland Infraguard group for a
> few years,
> but I expect that these things are in fact discussed by those with
> both the
> might and the right to get're done.
>
> cheers,
>
> ben
>
>
> PS - To summarize, it'd have to be "good for business". Reducing
> traffics jams
> and increasing accident-recovery times are crucial for the shipping
> industries
> who rely on the public roadways, isn't this about the same as the
> internet?
> (No, we wouldn't have state troopers rebuilding your carburetor when
> you're
> pulled over...)
>
>
> On 2/13/07, Bob Miller <[EMAIL PROTECTED]> wrote:
> Ben Barrett wrote:
>
> > And why aren't google, microsoft, and major ISP's really
> cracking down
> > on the botnet infrastructure?? They have all the tools and
> the power....
>
> Let's see what happens. $ISP puts in place a system to
> identify
> pwnzored boxes. The first day, they identify 250,000 of
> them. So
> they select a random 10,000 and shut off their internet
> access.
>
> "Customer Support, may I help you?"
> "The Internet is broken."
> "Let me check... Oh, your computer is part of a
> 'botnet. We shut
> it off for your protection."
> "What do you mean I bought part of .NET?"
> "Your computer is infected with malware and is ruining
> the
> internet for everyone else. We shut off your
> connection."
> "Well how do I get it turned on again?"
> "[hold hand for five hours while reinstalling
> Windows+patches+antivirus yada yada]"
> "Thanks!" <click>
>
> 2 days later:
>
> "Customer Support, may I help you?"
> "The Internet is broken again!"
> "Let me check... Your compuer is infected again."
> "This sucks. My brother uses AOL and he never has these
> problems.
> I'm switching to AOL. Cancel my account. You suck. I'm
> telling
> all my friends you suck." <click>
>
> Net result for $ISP: huge customer service costs, many lost or
> PO'd
> customers. So $ISP certainly isn't going to take the
> initiative. You
> can write your own dialogue about what would happen if Google
> tried
> it. Microsoft, to its credit, did clean up XP a lot in
> Service Pack
> 2, and suffered from a delayed and feature-free Vista, costing
> shareholders billions.
>
> --
> Bob Miller K<bob>
> [EMAIL PROTECTED]
> _______________________________________________
> EUGLUG mailing list
> [email protected]
> http://www.euglug.org/mailman/listinfo/euglug
>
> _______________________________________________
> EUGLUG mailing list
> [email protected]
> http://www.euglug.org/mailman/listinfo/euglug
_______________________________________________
EUGLUG mailing list
[email protected]
http://www.euglug.org/mailman/listinfo/euglug