Re: Dutch ISPs to collaborate and take responsibility for botted clients
Gadi Evron wrote:
> [snip]

This will be an interesting phenomenon to watch. If it is successful perhaps it could work here too.

Comcast is launching a trial on Thursday of a new automated service that will warn broadband customers of possible virus infections, if the computers are behaving as if they have been compromised by malware.

ISPs have a helpful role to play in helping subscribers mitigate these kinds of security threats, she said. The challenge is... when users get these notices, do they understand them? Do they trust that they are real? Do they follow through to the point where they clean up their computers?

http://news.cnet.com/8301-27080_3-10370996-245.html
RE: Dutch ISPs to collaborate and take responsibility for botted clients
-----Original Message-----
From: Christopher Morrow [mailto:morrowc.li...@gmail.com]
Sent: Sunday, October 04, 2009 4:04 PM
To: Peter Beckman
Cc: NANOG
Subject: Re: Dutch ISPs to collaborate and take responsibility for botted clients

On Sun, Oct 4, 2009 at 2:55 PM, Peter Beckman beck...@angryox.com wrote:
>> service being cut off. However it is ignorance and lack of maintenance that makes viruses and botnets so prevalent that it may just be time to bite the bullet and force users to learn how to maintain their machines.
>
> because this works so well with:
> 1) cars
> 2) home-security
> 3) personal security wandering around cities/towns
>
> I note that I'm not particularly against any of the proposal, just the 'people need a driver's license to get on the interwebz'... it's been tried many times before, always without success.

I'm trying to understand your analogy, but it's hidden in the sarcasm. Your assertion is that education (and you've decided to include licensing, for some reason) of drivers and the rest is ineffective? You're not opposed to user education, you just believe it's useless because it will only reduce, not eliminate, badness?

Lee
Re: Dutch ISPs to collaborate and take responsibility for botted clients
Gadi Evron wrote:
> Apparently, marketing departments like the idea of being able to send customers that need to pay them to a walled garden. It also saves on tech support costs. Security being the main winner isn't the main supporter of the idea at some places.

I would love to do this both for non-pays and security incidents. I'd like to do something similar to let customers update their provisioning information for static IP changes so cable source verify doesn't freak out. Unfortunately I haven't been able to find any open source tools to do this. I can't even think of commercial ones off the top of my head.

It's a relatively simple concept. Some measure of integration into the DHCP provisioning system(s) would be needed to properly route the customer's traffic to the walled garden and only to the walled garden. Once the problem is resolved the walled garden fixes the DHCP so the customer can once again pull a public IP and possibly flushes ARP caches if your access medium makes that a problem to be dealt with. I would think that the walled garden portion could be handled well enough with Squid and some custom web programming to perform tasks to reverse the provisioning issues.

I'm sure people have written internal solutions for SPs before but I haven't found anyone that has made that into an OSS project and put it on the Web. I'd love to make this a project but there is little financial gain to my small SP so if it costs much money it won't get management support.

Justin
Re: Dutch ISPs to collaborate and take responsibility for botted clients
Justin Shore wrote:
> Gadi Evron wrote:
>> Apparently, marketing departments like the idea of being able to send customers that need to pay them to a walled garden. It also saves on tech support costs. Security being the main winner isn't the main supporter of the idea at some places.
>
> I would love to do this both for non-pays and security incidents. I'd like to do something similar to let customers update their provisioning information for static IP changes so cable source verify doesn't freak out. Unfortunately I haven't been able to find any open source tools to do this. I can't even think of commercial ones off the top of my head.
>
> It's a relatively simple concept. Some measure of integration into the DHCP provisioning system(s) would be needed to properly route the customer's traffic to the walled garden and only to the walled garden. Once the problem is resolved the walled garden fixes the DHCP so the customer can once again pull a public IP and possibly flushes ARP caches if your access medium makes that a problem to be dealt with. I would think that the walled garden portion could be handled well enough with Squid and some custom web programming to perform tasks to reverse the provisioning issues.
>
> I'm sure people have written internal solutions for SPs before but I haven't found anyone that has made that into an OSS project and put it on the Web. I'd love to make this a project but there is little financial gain to my small SP so if it costs much money it won't get management support.
>
> Justin

There is all sorts of kit that will do this for you, Ellacoya, Redback etc. They all have APIs and all work well. The customer keeps their public IP address, but you can then make it belong to another virtual router instance, or you can apply certain firewall/ACL/policy rules to it.

For example, my Ellacoyas will, for a walled customer, deny traffic to anything but the walled garden hosts and will then route any port 80 traffic to my proxy server that re-directs it all to a walled garden web server. Then as soon as they hand over their payment details and we take payment, a request is sent to the Ellacoya to remove the restrictions. Lovely.

--
Leigh
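The policy Leigh describes (customer keeps the public IP, only the garden hosts are reachable, port 80 is bounced to a proxy) combined with the non-pay plus security-incident use Justin wants, as an added simulation that is not code from this thread or from any Ellacoya/Redback product. The addresses, host set and the multi-reason bookkeeping are assumptions for the example; the point it adds is that clearing one reason (payment) must not lift the wall while another (infection) remains.

```python
"""Walled-garden policy simulation for a subscriber who keeps their public IP.

Added example, not code from this thread or from any vendor product. A walled
subscriber may reach only the walled-garden hosts, port 80 is redirected to a
proxy that lands on the garden web server, and everything else is denied until
every reason for walling has been cleared. All addresses are constructed
documentation-range values."""
from dataclasses import dataclass, field

WALLED_GARDEN_HOSTS = {"198.51.100.10", "198.51.100.11"}  # proxy + resolver (constructed)
GARDEN_PROXY = "198.51.100.10"


@dataclass
class Subscriber:
    ip: str
    # Reasons currently holding the customer in the garden, e.g. {"non-pay", "botnet"}.
    walled_for: set = field(default_factory=set)

    @property
    def walled(self) -> bool:
        return bool(self.walled_for)

    def wall(self, reason: str) -> None:
        """Stand-in for the provisioning API call that applies the restrictions."""
        self.walled_for.add(reason)

    def release(self, reason: str) -> bool:
        """Clear one reason; restrictions lift only once no reason remains.
        Returns True if the subscriber is now unrestricted."""
        self.walled_for.discard(reason)
        return not self.walled


def decide(sub: Subscriber, dst_ip: str, dst_port: int):
    """Forwarding decision for one flow from the subscriber: (action, next_hop)."""
    if not sub.walled or dst_ip in WALLED_GARDEN_HOSTS:
        return ("allow", dst_ip)
    if dst_port == 80:
        # Plain HTTP is bounced to the proxy so the customer sees the garden page.
        return ("redirect", GARDEN_PROXY)
    # Anything else (HTTPS, SMTP, bot traffic, ...) is dropped; the garden page
    # has to explain why, because the customer gets no other signal.
    return ("deny", None)


def non_pay_and_infected_walkthrough():
    """Customer walled for two reasons; paying clears only one of them."""
    sub = Subscriber("203.0.113.5")
    sub.wall("non-pay")
    sub.wall("botnet")
    after_payment = sub.release("non-pay")          # False: still infected
    still_walled = decide(sub, "192.0.2.80", 443)   # ("deny", None)
    after_cleanup = sub.release("botnet")           # True
    return after_payment, still_walled, after_cleanup
```

Note that the resolver the garden page depends on has to be in the allowed host set, otherwise the port 80 redirect only works for customers who browse by IP.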
Re: Dutch ISPs to collaborate and take responsibility for botted clients
On Oct 3, 2009, at 3:18 PM, Peter Beckman wrote:
> On Sat, 3 Oct 2009, Gadi Evron wrote:
>> The story is covered by PC mag:
>
> Thanks for the article Gadi. Honestly, I wish both my personal ISP and one of my business ISPs would do this. Though I have the technical ability to monitor my outgoing connections for such things, it's not a trivial task and requires resources I've decided not to invest in, namely a Linux PC running as my gateway with yet more software (OS, monitoring tools, etc) I need to secure and keep updated.
>
> For me to be thrilled about my ISPs monitoring my connection for bad behavior, the ISP should:
>
> * Quickly notify the customer about the problem via email and phone

Agreed

> * Offer the ability to view the evidence of the bad behavior, accessible on the ISP network via the web so it can be viewed whether the connection is active or blocked, to help determine which host(s) is/are responsible

Agreed

> * Clearly classify the type of bad behavior and offer both free and paid alternatives to potentially rectify the problem for those less technically inclined to self-solve the issue

Definitely.

> * Provide a short period of time (3 days) after notification and before disconnect to give an opportunity to fix the issue without service interruption

Uh... Here I differ. The rest of the internet should put up with the abuse flowing out of your network for 3 days to avoid disruption to you? Why? Sorry, if you have a customer who is sourcing malicious activity, whether intentional or by accident, I believe the ISP should take whatever action is necessary to stop the outflow of that malicious behavior as quickly as possible while simultaneously making all reasonable effort to contact the customer in question. The ISP should take the minimum action necessary to stop the outflow, so, if the traffic is sourced from a single host, that host could be filtered/blocked. If the traffic can be classified more tightly (i.e. certain ports, etc.), then that classification should be used.

This minimizes disruption to the customer, but still preserves the ISP's obligation to the rest of the internet. When you connect to a community resource like the internet, you have an inherent obligation not to source malicious activity. When you provide services to downstream customers, you are not relieved of that responsibility just because you accepted the malicious activity from them rather than originating it yourself.

> * Offer a simple, automated way to get the connection re-tested and unblocked immediately (within 15 minutes) using a web service accessible even if the connection is blocked

Either a web interface or even a telephonic process. It doesn't necessarily need to be automated, but, it shouldn't be a 3 day wait for a technician to get back to you. It should definitely be a pretty rapid process once the abuse is resolved.

> This would make me happy. What would make me angry is if they:
>
> * Simply turn the connection off with little or no notice

They should not turn the connection off unless it is absolutely necessary. See above.

> * Provide no notification of what happened or why

Absolutely agree here.

> * Offer no evidence of why they turned the connection off to help debug

Yep.

> * Force the customer to call customer service to ask for a retest or reconnect

I don't really see a problem with this, so long as customer service is responsive to such a call.

> * Have the reconnect take multiple hours/days once approved

Agreed: the reconnect process should be very quick once the abuse is resolved.

Owen
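Owen's "minimum action necessary" rule (block the single offending host rather than the whole allocation, and narrow to specific ports when the traffic can be classified that tightly), written out as an added example that is not code from this thread. The evidence record format, the allocation and all addresses are constructed assumptions; the summary function covers Peter's request that the customer be able to see the evidence that identifies the responsible host.

```python
"""Narrowest-filter selection from abuse evidence (added example; not code from
the thread). Picks the least disruptive block that still covers every observed
malicious flow: one host rather than the allocation when only one host is
involved, and one protocol/port when every flow hits the same service.
The evidence records below are constructed."""
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import NamedTuple


class Evidence(NamedTuple):
    src_ip: str
    proto: str
    dst_port: int
    detail: str


def narrowest_filter(allocation: str, evidence):
    """Return the least disruptive block covering every observed flow, or None
    if no evidence actually comes from the subscriber's allocation."""
    net = ip_network(allocation)
    flows = [e for e in evidence if ip_address(e.src_ip) in net]
    if not flows:
        return None
    hosts = {e.src_ip for e in flows}
    # One host -> block just that host; several -> block the whole allocation.
    rule = {"src": next(iter(hosts)) if len(hosts) == 1 else allocation}
    services = {(e.proto, e.dst_port) for e in flows}
    if len(services) == 1:
        # All flows hit one service: narrow further to that protocol/port.
        rule["proto"], rule["dst_port"] = next(iter(services))
    return rule


def evidence_summary(allocation: str, evidence):
    """Per-host, per-service counts the customer can be shown to find the culprit."""
    net = ip_network(allocation)
    return dict(Counter((e.src_ip, e.proto, e.dst_port)
                        for e in evidence if ip_address(e.src_ip) in net))


# Constructed evidence for a /29 customer: one box relaying spam, plus a record
# from an address outside the allocation that must be ignored.
SAMPLE_EVIDENCE = [
    Evidence("203.0.113.10", "tcp", 25, "spam relay to mx.example"),
    Evidence("203.0.113.10", "tcp", 25, "spam relay to mx.example"),
    Evidence("203.0.113.10", "tcp", 25, "spam relay to mx.example"),
    Evidence("198.51.100.7", "tcp", 25, "not this customer, ignored"),
]
```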
Re: Dutch ISPs to collaborate and take responsibility for botted clients
On Sun, 4 Oct 2009, Owen DeLong wrote:
>> * Provide a short period of time (3 days) after notification and before disconnect to give an opportunity to fix the issue without service interruption
>
> Uh... Here I differ. The rest of the internet should put up with the abuse flowing out of your network for 3 days to avoid disruption to you? Why? Sorry, if you have a customer who is sourcing malicious activity, whether intentional or by accident, I believe the ISP should take whatever action is necessary to stop the outflow of that malicious behavior as quickly as possible while simultaneously making all reasonable effort to contact the customer in question.

Yeah, after a few people privately emailed me regarding the same, the short period of time should be thrown out, for the good of the rest of the 'net. The short period was initially intended for infections that were not active or immediately impacting, but were detected to be infected nonetheless. Assuming active bad behavior, immediate disconnect is prudent and wise. As our ability to remotely detect viruses and trojans improves, I suspect such an ISP-provided service would as well.

>> * Offer a simple, automated way to get the connection re-tested and unblocked immediately (within 15 minutes) using a web service accessible even if the connection is blocked
>
> Either a web interface or even a telephonic process. It doesn't necessarily need to be automated, but, it shouldn't be a 3 day wait for a technician to get back to you. It should definitely be a pretty rapid process once the abuse is resolved.

Agreed. Another emailer mentioned that it's not always simple to determine if the abuse is resolved or not, nor is it easy to explain this to a non-technical customer in a way that makes them happy with their service being cut off. However it is ignorance and lack of maintenance that makes viruses and botnets so prevalent that it may just be time to bite the bullet and force users to learn how to maintain their machines.

>> * Force the customer to call customer service to ask for a retest or reconnect
>
> I don't really see a problem with this, so long as customer service is responsive to such a call.

I like self-service. If it is 3am and staff is not available, making the process automated would be ideal. If the staff is 24/7, agreed.

Beckman
---
Peter Beckman                                                  Internet Guy
beck...@angryox.com                                 http://www.angryox.com/
---
Re: Dutch ISPs to collaborate and take responsibility for botted clients
On Sun, Oct 4, 2009 at 2:55 PM, Peter Beckman beck...@angryox.com wrote:
> service being cut off. However it is ignorance and lack of maintenance that makes viruses and botnets so prevalent that it may just be time to bite the bullet and force users to learn how to maintain their machines.

because this works so well with:
1) cars
2) home-security
3) personal security wandering around cities/towns

I note that I'm not particularly against any of the proposal, just the 'people need a driver's license to get on the interwebz'... it's been tried many times before, always without success.

I would also point out that Qwest does this walled-garden approach for their customers (have been for at least 5 years now? d...@qwest could clarify) and they've seen success with it. Aliant in .ca also has some fairly aggressive anti-malware works installed. There are places where this sort of thing works well, planned and engineered properly. I think Qwest, at least, made some of their reasoning and design/goals publicly available for a time as well.

-Chris
Re: Dutch ISPs to collaborate and take responsibility for botted clients
Christopher Morrow wrote:
> I would also point out that Qwest does this walled-garden approach for their customers (have been for at least 5 years now? d...@qwest could clarify) and they've seen success with it. Aliant in .ca also has some fairly aggressive anti-malware works installed. There are places where this sort of thing works well, planned and engineered properly. I think Qwest, at least, made some of their reasoning and design/goals publicly available for a time as well.

I think Jonathan Curtis did something similar at Bell, but I only spoke with him about it for a couple of seconds two years ago, as Rio was rather distracting. So I am unsure.

Apparently, marketing departments like the idea of being able to send customers that need to pay them to a walled garden. It also saves on tech support costs. Security being the main winner isn't the main supporter of the idea at some places.

Gadi.