Re: [botnets] Why ISP's and NSP's Love Botnets

2007-09-27 Thread Danny McPherson
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
--

Against my better judgement...  A few opinions I figured
I'd share.

Regarding the cited article and the idea that ISPs charging
for Managed Security Service is ballsy, you should re-read
it.  All your arguments are about ISPs on the sending end,
not the receiving end.

Beginning an article such as this by stating you've been
around the block usually only further calls such a thing into
question.

If I read your recommendations correctly, ISPs should:

- send a letter to customers

- ask customers to implement RFC1918 filtering or perform
some quick Cisco audit

- ip cef

- access-list one-liners to stop malicious traffic from ever
reaching the Internet

- then you posit that it's a top-line revenue impact that
keeps providers from doing anything about it, i.e., because
of usage-based billing models.

So, my thoughts on this initial bit:

- a whopping 2 bots with 500k of upstream bandwidth
and a proper reflective amplification vector could completely
saturate your $12k/mo DS3 - twice!  BTW: provisioning
20k customers behind a single DS3 is quite an oversubscription
model, even if they're all dial-up customers and you assume a
max 30% activity rate - which would be short-sighted, to say
the least.  You also left typically amortized capex calculations
from your business plan, salaried employees don't get overtime,
and, well, lots of other costs, to be gratuitous.  But let's push
forward anyway.

- So, this letter to all your clients, all 20k of them, proactively,
be sure to factor a minimum of $20k for stamps and envelopes,
and some time for someone to put the letter in the envelope
and mail it - given your shoe-string budget.

- You've got 3 help desk people that are to explain IP CEF
to your users?  Why, it doesn't run on most of those low-end
SOHO systems and adds NOTHING in the way of additional
security.  And 82% are likely using non-cisco.linksys gear.
Your 3 help desk folks are going to work, even at a
nominal 5% take rate, an average of 3 customers per day
(365/days a year) performing customer network audits?  I
suspect they're underpaid.  What about actual customer
problems, who's going to work those? And G&A costs, and
all the other things real companies have to deal with?

- access-lists, useless in this context.  They provide no
protection from well over the majority of today's threats.

- RFC1918 filters, aren't those access-lists?  Ohh, and they
don't help either.

- now, you've invested all this time and you've increased your
customers' security posture by what, .001%?  Given that most
of the compromise today is system level and is even permitted
by stateful firewalls and IDS/IPS systems, and even AV,
what have you accomplished?

- So you're going to work with all these folks to clean their
systems, detect zero-day threats, and remove rootkits, etc.
in a reactive manner as well?

- or just cut them off if they become infected?  You can't, you
probably understand that, being a VoIP provider and all.  Kill
their emergency dialing services and what happens?  And
churn is a major concern, it better be if you only have 20k
customers.  More of a concern than average revenue per user
(arpu) even.

- And if you're fortunate to have infrastructure that provides
the capability to place them in quarantine you've still got to
provide those VoIP services, and allow them to reach AV
companies, or access OS patches, and avoid cross-infection
and maintain continuity of other services (e.g., data, IPTV,
mobile?) or churn will increase, as will help desk calls.

- but they don't know how to remove a rootkit, so your help
desk folks have to work with them.  And even at a low
5% customer compromise (they are victims, mind you) rate,
your 3 help desk folks are double booked.  And you're
paying them to be both network and host-level experts now
(@35k each), good luck with that one.

- btw, how many of the broadband providers worldwide bill
strictly based on usage - I'd be surprised if more than 10%
globally did.  So that makes your argument on that front
about top-line revenue being the motivator even more
far-fetched.

- ohh, and how do YOU protect your customers from attacks
from the Internet today, out of curiosity?  Both single packet
and DoS?

The business model is VERY different for hybrid networks
that are also responsible for end-systems (e.g., edu,
enterprise, etc..), versus ISPs that are providing connectivity
services, and far more complex than you've outlined.

There are a slew of other rebuttals I could offer on your
article, but it seems a bit futile given this as a starting
point.

-danny
___
To report a botnet PRIVATELY please email: [EMAIL PROTECTED]
All list and server information are public and available to law enforcement 
upon request.
http://www.whitestar.linuxbox.org/mailman/listinfo/botnets


Re: [botnets] Why ISP's and NSP's Love Botnets

2007-09-25 Thread Łukasz Bromirski
Richard Cox wrote:
> On 24/09/2007 17:24:47, Peter Blair [EMAIL PROTECTED] wrote:
>
>> Off hand, does anyone maintain a list of vendors/network-devices
>> that support anything similar to the drop-project? (Other than
>> what is listed on the site to fudge cisco into using it)
>
> We have very firm plans to provide this service as a BGP feed, but
> are currently stalled just because of the lack of an additional ASN.
> RIPE have not been particularly helpful on this.

I didn't know about such a list - we're providing free peering
(using private AS number - 64999) and injecting unused prefixes
(which Cymru is already doing), but we're also giving our peer partners
the opportunity to inject their own prefixes (for self defence).

The site of the project is here (unfortunately, still only in Polish):

  http://networkers.pl/bgp-blackholing/

I'd be happy to import (for example on a daily basis) the list of DROP
prefixes and advertise them as another community (we already use
a number of communities to enable selective filtering).

If anyone is interested, please contact me unicast.

-- 
Confidence is what you have before you understand the problem. -- Woody Allen
Łukasz Bromirski | lukasz:bromirski,net
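Łukasz describes importing the DROP list daily and injecting it as blackhole routes tagged with a community. The Python below is an added example written for this page, not the networkers.pl project's tooling or anything from Spamhaus: it parses constructed sample lines in the DROP file layout, refuses prefixes that must never be blackholed (too short, RFC1918 and similar), aggregates what remains, and renders ExaBGP-style announce lines. The community 64999:666, the discard next-hop 203.0.113.1 and the ExaBGP announce syntax are assumptions for the example.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample in the Spamhaus DROP file layout ("<prefix> ; <SBL id>",
# ';' starts a comment). The prefixes are RFC 5737 documentation ranges plus a
# few deliberately bad lines; none of this is real DROP data.
SAMPLE_DROP = """\
; Spamhaus DROP List (constructed sample for this example)
; Last-Modified: Thu, 27 Sep 2007 00:00:00 GMT
192.0.2.0/24 ; SBL000001
198.51.100.0/25 ; SBL000002
198.51.100.128/25 ; SBL000003
10.0.0.0/8 ; SBL000004
0.0.0.0/0 ; SBL000005
not-a-prefix ; SBL000006
192.0.2.0/24 ; SBL000001
"""

# Space that must never be blackholed no matter what a feed says: RFC1918,
# "this" network, loopback, multicast and class E. Constructed policy.
NEVER_BLACKHOLE = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "0.0.0.0/8", "127.0.0.0/8", "224.0.0.0/3",
)]

# Hypothetical values: the private ASN from the post with an arbitrary
# blackhole community, and a discard next-hop configured on the receiving router.
BLACKHOLE_COMMUNITY = "64999:666"
DISCARD_NEXT_HOP = "203.0.113.1"


def parse_drop(text: str) -> Dict[ipaddress.IPv4Network, str]:
    """Parse DROP-format text into {network: sbl_reference}.

    Comment-only and malformed lines are skipped; duplicates collapse
    because the result is keyed by network.
    """
    entries: Dict[ipaddress.IPv4Network, str] = {}
    for raw in text.splitlines():
        body, _, comment = raw.partition(";")
        body = body.strip()
        if not body:
            continue
        try:
            net = ipaddress.ip_network(body, strict=True)
        except ValueError:
            continue  # e.g. "not-a-prefix", or host bits set in the prefix
        if net.version != 4:
            continue  # DROP is IPv4; DROPv6 is a separate feed
        entries[net] = comment.strip()
    return entries


def sanity_filter(entries, never=NEVER_BLACKHOLE, min_prefixlen=8):
    """Split entries into (accepted, rejected) before blackhole injection.

    Rejects prefixes shorter than min_prefixlen (a /0 from a mangled feed
    would take the whole Internet down) and anything overlapping the
    never-blackhole list. Accepted prefixes are aggregated so two adjacent
    /25s become a single /24 announcement.
    """
    ok: List[ipaddress.IPv4Network] = []
    rejected: List[Tuple[ipaddress.IPv4Network, str]] = []
    for net in entries:
        if net.prefixlen < min_prefixlen:
            rejected.append((net, "prefix too short"))
        elif any(net.overlaps(n) for n in never):
            rejected.append((net, "never-blackhole space"))
        else:
            ok.append(net)
    return sorted(ipaddress.collapse_addresses(ok)), rejected


def render_exabgp(nets, next_hop=DISCARD_NEXT_HOP, community=BLACKHOLE_COMMUNITY):
    """Render accepted prefixes as ExaBGP-style 'announce route' lines
    (assumed syntax; adapt to whatever speaker injects your blackholes)."""
    return [f"announce route {n} next-hop {next_hop} community [{community}]"
            for n in nets]


def build_blackhole_routes(text: str) -> dict:
    accepted, rejected = sanity_filter(parse_drop(text))
    return {"accepted": accepted, "rejected": rejected,
            "announcements": render_exabgp(accepted)}


if __name__ == "__main__":
    result = build_blackhole_routes(SAMPLE_DROP)
    for line in result["announcements"]:
        print(line)
    for net, why in result["rejected"]:
        print(f"rejected {net}: {why}")
```

The sanity step matters more than the parsing: a feed that is truncated, mis-edited or tampered with in transit could otherwise push a /0 or your own address space into every peer's table, so an importer should reject those entries before they reach the route injector.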


Re: [botnets] Why ISP's and NSP's Love Botnets

2007-09-24 Thread Richard Cox
On 24/09/2007 17:24:47, Peter Blair [EMAIL PROTECTED] wrote:

> Off hand, does anyone maintain a list of vendors/network-devices
> that support anything similar to the drop-project? (Other than
> what is listed on the site to fudge cisco into using it)

We have very firm plans to provide this service as a BGP feed, but
are currently stalled just because of the lack of an additional ASN.
RIPE have not been particularly helpful on this.

The DROP list is now an added feature built into the Prefix Sanity
Checker which is provided by Packet Clearing House at their site:
https://prefix.pch.net/applications/login/index.php


-- 
   Richard D G Cox [EMAIL PROTECTED]
   CIO, The Spamhaus Project
   http://www.spamhaus.org


Re: [botnets] Why ISP's and NSP's Love Botnets

2007-09-21 Thread Paul Ferguson
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

-- John Fraizer [EMAIL PROTECTED] wrote:

> There is a lot going on in the shadows to combat botnets and other
> miscreant activities that most folks don't have credentials to know
> about.

Go get 'em, John. :-)

- ferg

-BEGIN PGP SIGNATURE-
Version: PGP Desktop 9.6.3 (Build 3017)

wj8DBQFG9BQmq1pz9mNUZTMRArRnAKC/MH4lYyqcXFRaUDRl181VTySt5ACfTFx2
wNF9aiNQDql1olvtjgU8yXE=
=Yoks
-END PGP SIGNATURE-

--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: [botnets] Why ISP's and NSP's Love Botnets

2007-09-21 Thread J. Oquendo
John Fraizer wrote:

> OK. If a service provider (ISP/MSP/*SP) is buying bandwidth based on
> data transferred vs raw line rate of the transport medium, there are two
> words to describe that provider: Mom & Pop.  It is just that simple.

Regardless of mom and pop, how about calling them a customer, regardless
of whether they're paying you 1,000.00 or 1,000,000.00?

> The overwhelming majority of malware we're seeing is not sourcing from
> RFC1918 space and much of it is intelligent enough not to scan into
> RFC1918 space and while I agree that RFC1918 should not ever make it
> past the CPE, let alone the customer aggregation router, access-lists
> are not where it's at.

Filtering was used as an example and I didn't want to add bogons
because of the arguments behind them. I could have added RBLs, SORBS,
etc., and filtering and acronyms until my face turned blue. It was
posted as a briefer... There is something that can be done.

> The use of uRPF in strict mode on customer
> facing interfaces would be a nice start though.  Strange that the author
> has so much supposed experience but they leave the most easily
> implemented filtering option out of their critique.

See above

> As for using ip audit and ip cef, they have their place but, any
> respectable provider is going to be collecting netflow exports from
> their routers and doing automated analytics on that flow information
> using any one of several publicly available netflow collectors - perhaps
> even augmented by a commercial solution such as the Arbor PeakFlow SP.

You're right I should have posted about Peakflow, I've spoken I've dealt
with Sunil James in hopes I could create an open source protection
script based off of Arbor's data for the sake of (drum roll...)
protecting networks that might not be able to afford Peakflow... Guess
what... We're sorry...: So instead of just talking crap I took the
time to do what I thought was productive...

The ATLAS Initiative wrote:
 Jesus,

 Are you looking to do this for your own managed devices, or for
devices you manage for customers?

 Sunil

 
 Sunil James | [EMAIL PROTECTED]
 Product Manager
 Arbor Networks Inc. | http://www.arbor.net
 734.821.1460 work | 734.327.9048 fax
 PGP KeyID: 0xA18E302F
 


 On Jun 8, 2007, at 1:27 PM, J. Oquendo wrote:

 The ATLAS Initiative wrote:
 Dear Jesus,

 Thank you for expressing interest in ATLAS. Today, only select ATLAS
partners and customers can access the private portal. Tomorrow, however,
Arbor will be making available a web services-based ATLAS subscription
service that can be pulled directly into pre-existing security
offerings. If you'd like to be kept apprised of this future Arbor
product offering, or If your interest is of another nature, please reply
with a brief description of what you're looking to accomplish, and a
good time next week when we can chat further.

 Best regards,

 Sunil James
 Product Manager

 
 The ATLAS Initiative | [EMAIL PROTECTED]
 Arbor Networks Inc. | http://www.arbor.net
 734.327. work | 734.327.9048 fax
 PGP KeyID: 0x99A512EB
 
 I was looking to utilize some of the host based information Atlas
gathers in order to automatically block these hosts via firewalls and
IDS/IPS equipment.

 --
 J. Oquendo
 http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
 echo infiltrated.net|sed 's/^/sil@/g'
 Wise men talk because they have something to say;
 fools, because they have to say something. -- Plato



I'm looking to do this so I can return an open source tool for anyone
looking for something similar.

// End snip

> As for access-list oneliners, if you want to see a router melt down,
> go ahead and apply an ACL to block that 2 million packets per second,
> 2Gb/s DDoS heading towards your customer.  Let us know how that works
> out for ya, OK?

You missed the point where I rambled on about having NSP's contact their
downstreams and work with them to mitigate things to a point where it
never gets there. If all the big players did that, ATT, Verizon, BT,
etc., do you think there would be such a thing as a botnet?

As for the rest of your counterpoints, well taken however I go back to mine:



> It's easy to be a little stub ISP or better yet, an end-user and start
> pointing the finger screaming and yelling about what others have been
> doing.  Come back and talk to me when your smallest network drain is
> OC48 and you're connecting pops with multiple OC192 links.
>
> There is a lot going on in the shadows to combat botnets and other
> miscreant activities that most folks don't have credentials to know about.


> ~John

engineers will get their acts together as opposed to spending the time
“engineering” an email to a mailing list to dispel what’s posted here.


sil / 

Re: [botnets] Why ISP's and NSP's Love Botnets

2007-09-21 Thread John Fraizer
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

J. Oquendo wrote:
 
> You're right I should have posted about Peakflow, I've spoken I've dealt
> with Sunil James in hopes I could create an open source protection
> script based off of Arbor's data for the sake of (drum roll...)
> protecting networks that might not be able to afford Peakflow... Guess
> what... We're sorry...: So instead of just talking crap I took the
> time to do what I thought was productive...
 

And I don't blame them at all.  What part of Arbor Networks, *INC*
(emphasis on the INC part) is hard to understand?  They are a commercial
entity.  That have spent tons and tons of money developing and deploying
their architecture.  What kind of return on investment are they going to
see if they give away they keys to the kingdom?  Access to ATLAS data is
limited to ATLAS partners for multiple reasons, not the least of which
being preventing the miscreants from knowing precisely how it is
gathered, vetted and redistributed.

In the intelligence business, there is this nifty little thing called
open source intelligence.  The concept is pretty simple.  Most
non-OPSEC savvy people think for some misguided reason that they can
drop little hints while not divulging the whole secret and that it
isn't such a big deal.  They couldn't be more wrong though.

One person dropping hints (purposeful or not) is not always going to
drop the same hint.  Before long, he has dropped enough individual
pieces of the puzzle for the adversary to put them together and find out
the big picture.

Typically, there is more than one person dropping hints so, the amount
of time required to put the puzzle together is reduced for the adversary.

The open source comes from the fact that the adversary didn't have to
do anything covert to gather the intelligence.  It was provided to them
one puzzle piece at a time by people who didn't see any harm in
letting their guard down just a little bit.  Just like a jigsaw puzzle
of a boat or airplane though, you don't have to put the whole puzzle
together before you know without a doubt what is in the picture.

By limiting the scope of participants in the ATLAS project to known,
trusted and highly vetted individuals who are themselves highly invested
in the success of the project and who can provide large quantities of
high confidence intelligence to the ATLAS project itself, Arbor is
taking crucial steps towards circumventing open source intelligence
gathering against the project itself.


 
>> As for access-list oneliners, if you want to see a router melt down,
>> go ahead and apply an ACL to block that 2 million packets per second,
>> 2Gb/s DDoS heading towards your customer.  Let us know how that works
>> out for ya, OK?
>
> You missed the point where I rambled on about having NSP's contact their
> downstreams and work with them to mitigate things to a point so where it
> never gets there. If all the big players did that, ATT, Verizon, BT,
> etc., do you think there would be a such thing as a botnet.
 

I didn't miss anything.  I work with all three of the providers you
listed above, along with many, many others on a daily basis in *active*
mitigation of nefarious activities across the globe.

What?  I've never seen any publicity about NSPs working together to do
this and if it's not in the news and being blogged about, it just isn't
happening!

You don't get to debrief the SEAL teams, Marine Force Recon, the SAS or
the Israeli Commando units either so, I suppose that their clandestine
activities aren't happening either, huh?

> As for the rest of your counterpoints, well taken however I go back to mine:
 

You neglected to make your point so, I'll take this time to make mine again:


>> There is a lot going on in the shadows to combat botnets and other
>> miscreant activities that most folks don't have credentials to know about.


>> ~John


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mandriva - http://enigmail.mozdev.org

iD8DBQFG9B83+16lRpJszIgRAlHBAJ9Jq5oNiuIdMAEDR1hbNeHrh6I/9ACdH8id
zP7mKbsTITj7I8Bgm2mC4us=
=A9yV
-END PGP SIGNATURE-


Re: [botnets] Why ISP's and NSP's Love Botnets

2007-09-21 Thread Jonathan Yarden
 http://www.infiltrated.net/?p=29

Although this seems to be yet another conspiracy theorist hard at work,
there are some interesting issues raised.  Not the least of which is why is
it that network equipment manufacturers are still doing static rule-based
access control when clearly a distributed approach could be easily done?
After all, what is an RBL but a DNS-based distributed access list?

Granted, while I don't work for a transit carrier and manage a mere OC-3
worth of data to a few thousand end-users, it would be nice to have an
IP-granular kill-switch system that I could use to signal an upstream
router to stop sending data from a network or ASN because it's causing me
problems.  I can do it already at the host level with a system I fudged
together, but the data still comes into my network before I can drop it.

So IMHO this article relates very little to botnets (other than to assign
blame to larger carriers), but it does beg the question of whether an
IP-granular, UDP-based record manager would be a suitable building block for
a distributed firewall system.  The RBL systems are already there.

-- 
Jon

Those who make peaceful revolution impossible will make violent
revolution inevitable.
-- John F. Kennedy
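Jon's remark that an RBL is "a DNS-based distributed access list" is really a description of how a DNSBL lookup works, so here is that mechanism as an added Python example (written for this page, not code from the list or from any RBL operator). It builds the reversed-octet or reversed-nibble query name, reads 127.0.0.0/8 answers as listing codes, treats any other answer as a broken or hijacked zone, and checks the RFC 5782 test entries before trusting a zone at all. The resolver is a constructed in-memory table standing in for DNS so the example runs offline; the zone names dnsbl.example and dead.example are placeholders.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

LISTING_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: reversed octets for IPv4, reversed
    nibbles of the fully expanded address for IPv6, then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


# Constructed stand-in for DNS: query name -> A records. A real check would
# resolve these names; the table keeps the example self-contained.
FAKE_DNS: Dict[str, List[str]] = {
    "2.0.0.127.dnsbl.example": ["127.0.0.2"],                # RFC 5782 test entry
    "10.2.0.192.dnsbl.example": ["127.0.0.2"],               # listed, one code
    "20.2.0.192.dnsbl.example": ["127.0.0.4", "127.0.0.10"],  # listed, two codes
    "30.2.0.192.dnsbl.example": ["198.51.100.5"],            # bogus answer
}


def fake_resolve(name: str) -> List[str]:
    """Empty list plays the role of NXDOMAIN."""
    return FAKE_DNS.get(name, [])


def check_dnsbl(ip: str, zone: str,
                resolve: Callable[[str], List[str]] = fake_resolve) -> Tuple[str, List[int]]:
    """Return ("listed", codes), ("clean", []) or ("invalid", []).

    Listing answers are conventionally inside 127.0.0.0/8 and the last
    octet encodes the reason. Anything outside that range is treated as a
    broken or hijacked zone rather than a listing, so a parked wildcard
    domain can never turn the lookup into a block-everything rule.
    """
    answers = resolve(dnsbl_name(ip, zone))
    if not answers:
        return "clean", []
    codes: List[int] = []
    for a in answers:
        addr = ipaddress.ip_address(a)
        if addr.version != 4 or addr not in LISTING_RANGE:
            return "invalid", []
        codes.append(int(a.split(".")[-1]))
    return "listed", sorted(codes)


def zone_is_healthy(zone: str,
                    resolve: Callable[[str], List[str]] = fake_resolve) -> bool:
    """RFC 5782 convention: 127.0.0.2 must be listed and 127.0.0.1 must not.
    A zone failing either test is dead or wildcarded and must not be used."""
    return (check_dnsbl("127.0.0.2", zone, resolve)[0] == "listed"
            and check_dnsbl("127.0.0.1", zone, resolve)[0] == "clean")


if __name__ == "__main__":
    for src in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        print(src, check_dnsbl(src, "dnsbl.example"))
    print("dnsbl.example healthy:", zone_is_healthy("dnsbl.example"))
```

Using such a lookup as a distributed ACL means trusting the zone operator and the DNS path to it, which is why the health check and the 127/8 validation are there: a lapsed zone that starts returning wildcard answers would otherwise block every source you query.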


Re: [botnets] Why ISP's and NSP's Love Botnets

2007-09-21 Thread John Fraizer
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Jonathan Yarden wrote:
> http://www.infiltrated.net/?p=29
>
> Although this seems to be yet another conspiracy theorist hard at work,
> there are some interesting issues raised.  Not the least of which is why is
> it that network equipment manufacturers are still doing static rule-based
> access control when clearly a distributed approach could be easily done?
> After all, what is an RBL but a DNS-based distributed access list?
 

Carrier grade routers are designed to route (or switch in the case of
MPLS) packets at line-rate.  When you start applying ACLs, the
performance hit is not trivial - especially when you've got interfaces
doing 1-Mpps+ under *normal* load.  It is for this reason that most
high-tier providers (read: those with clue) typically use divert routing
to ship traffic that needs special attention via a dedicated
mitigation path where it is dropped or scrubbed.  There are products out
there that can do wire-speed scrubbing but *THEY ARE NOT ROUTERS* but
rather purpose-built devices.  The Arbor TMS is one such device.

I'm sure that sil is going to pipe up and say, "Well, if they can do
this, why aren't they doing it and if they are doing it, why are they
charging the CUSTOMER to clean up THEIR mess?!"

Go look and see how much a TMS costs.  Now, consider a medium sized
provider with a backbone that covers about 25 states.  How many TMS
devices does that provider need to deploy?  How much extra capacity does
that provider need to deploy on their network to be able to divert
traffic to the closest TMS?  Who is it that these devices are being
deployed to protect?  I'll answer the last question.  They're deployed
to protect the CUSTOMER.  If the customer wants to enjoy the benefits of
having their inbound 900Mb/s @ 800Kpps attack mitigated by the provider
so the customer can still surf via their fractional DS1, the customer
needs to pony up some money because the provider still has to carry that
900Mb/s of traffic to the scrubbing devices.  It would be far easier for
me to simply null-route the victim (customer) IP address and
redistribute that blackhole via an RFC1998 implementation to all of my
peers to keep the attack traffic off of my network completely.  That
takes the customer out though and they don't want that.

I wasn't the one who went out and started talking smack on IRC and
invited Joe Botherder to take his best shot at me.  It was my
misguided customer.  This notion that it is the responsibility of the
providers to protect their customers is analogous to the two of us
walking into a bar and you thinking that just because I'm a Marine that
you can go pick the biggest, baddest mofo in the bar and pick a fight
with him and it will be my job to fight him *for you*...  I hate to tell
you but, if that happened, I would drive you to the hospital and tell the
triage nurse, "My buddy wrote a check with his mouth that his body
couldn't cash.  He's all yours now."  If you got blood on the interior
of my car in the process, I'd make you pay for it.


> Granted, while I don't work for a transit carrier and manage a mere OC-3
> worth of data to a few thousand end-users, it would be nice to have an
> IP-granular kill-switch system that I could use to signal an upstream
> router to stop sending data from a network or ASN because it's causing me
> problems.  I can do it already at the host level with a system I fudged
> together, but the data still comes into my network before I can drop it.
 

It exists.  It's been around for quite some time.

uRPF + RFC1998

And a newer concept:

http://tools.ietf.org/id/draft-marques-idr-flow-spec-04.txt


~john

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mandriva - http://enigmail.mozdev.org

iD8DBQFG9Ct9+16lRpJszIgRAnNgAJwNClG9GR+v/5fi5teq1FuN3tnLdACggb6g
kS1aFK1hQlA3XJHnZKvBhZw=
=Itto
-END PGP SIGNATURE-
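John's answer ("uRPF + RFC1998") is compact, so here is an added Python model of both, written for this page rather than taken from any vendor or from the thread: a toy edge router with longest-prefix lookup, strict and loose uRPF checks of the kind BCP38 calls for, and an RFC1998-style acceptance rule for customer-triggered blackholes that installs a /32 tagged with the blackhole community only when it lies inside that customer's registered space. The community 64496:666 (64496 is an ASN reserved for documentation), the interface names and the prefixes are constructed; the /32-only rule is one common operator policy, not something the RFC requires.

```python
import ipaddress
from typing import Dict, Optional, Set, Tuple

Net = ipaddress.IPv4Network

BLACKHOLE_COMMUNITY = "64496:666"   # hypothetical value for this example
DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


class EdgeRouter:
    """Toy provider edge: a FIB used for forwarding and uRPF, the prefixes
    each customer interface is registered for, and a blackhole table."""

    def __init__(self) -> None:
        self.fib: Dict[Net, str] = {}                  # prefix -> egress interface
        self.customer_space: Dict[str, Set[Net]] = {}  # interface -> registered prefixes
        self.blackholes: Set[Net] = set()

    def add_route(self, prefix: str, iface: str) -> None:
        self.fib[ipaddress.ip_network(prefix)] = iface

    def register_customer(self, iface: str, *prefixes: str) -> None:
        self.customer_space.setdefault(iface, set()).update(
            ipaddress.ip_network(p) for p in prefixes)

    def lookup(self, addr: str) -> Optional[Tuple[Net, str]]:
        """Longest-prefix match, or None when nothing (not even 0/0) matches."""
        a = ipaddress.ip_address(addr)
        matches = [(n, i) for n, i in self.fib.items() if a in n]
        return max(matches, key=lambda m: m[0].prefixlen) if matches else None

    def urpf_strict(self, src: str, ingress: str, allow_default: bool = False) -> bool:
        """Strict uRPF: accept only if the best route back to src leaves via
        the interface the packet arrived on. The default route is ignored
        unless allow_default is set, because it would validate anything."""
        hit = self.lookup(src)
        if hit is None:
            return False
        net, iface = hit
        if net == DEFAULT_ROUTE and not allow_default:
            return False
        return iface == ingress

    def urpf_loose(self, src: str) -> bool:
        """Loose uRPF: any non-default route to the source will do. Catches
        bogon sources but not spoofing of space that is routed somewhere."""
        hit = self.lookup(src)
        return hit is not None and hit[0] != DEFAULT_ROUTE

    def accept_blackhole(self, ingress: str, prefix: str, communities: Set[str]) -> bool:
        """RFC1998-style customer-triggered blackhole.

        The route is installed only if it carries the blackhole community,
        is a single host (/32), and sits inside the space registered for
        the announcing customer, so nobody can blackhole someone else's
        address or fat-finger their whole block away.
        """
        if BLACKHOLE_COMMUNITY not in communities:
            return False
        net = ipaddress.ip_network(prefix)
        if net.prefixlen != 32:
            return False
        if not any(net.subnet_of(c) for c in self.customer_space.get(ingress, ())):
            return False
        self.blackholes.add(net)
        return True

    def forward(self, dst: str) -> str:
        """Egress interface for dst, or 'discard' once it has been blackholed.
        Attack and legitimate traffic are dropped alike: the victim is unreachable."""
        a = ipaddress.ip_address(dst)
        if any(a in bh for bh in self.blackholes):
            return "discard"
        hit = self.lookup(dst)
        return hit[1] if hit else "no-route"


def build_example_router() -> EdgeRouter:
    """Constructed topology: two customers on documentation prefixes and a default upstream."""
    r = EdgeRouter()
    r.add_route("0.0.0.0/0", "upstream")
    r.add_route("203.0.113.0/24", "cust-a")
    r.add_route("198.51.100.0/24", "cust-b")
    r.register_customer("cust-a", "203.0.113.0/24")
    r.register_customer("cust-b", "198.51.100.0/24")
    return r


if __name__ == "__main__":
    r = build_example_router()
    print("own space from cust-a:", r.urpf_strict("203.0.113.7", "cust-a"))
    print("spoofed cust-b source from cust-a:", r.urpf_strict("198.51.100.9", "cust-a"))
    print("blackhole own /32:", r.accept_blackhole("cust-a", "203.0.113.7/32", {BLACKHOLE_COMMUNITY}))
    print("forward to victim:", r.forward("203.0.113.7"))
```

The blackhole rule also illustrates the caveat John raises above: once 203.0.113.7/32 is installed, forward() discards everything destined to that host, which stops the attack reaching the rest of the network but takes the customer offline, and that is exactly why scrubbing rather than blackholing is the paid option.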


Re: [botnets] Why ISP's and NSP's Love Botnets

2007-09-21 Thread John Fraizer
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

J. Oquendo wrote:
> John Fraizer wrote:
>
>> Access to ATLAS data is
>> limited to ATLAS partners for multiple reasons, not the least of which
>> being preventing the miscreants from knowing precisely how it is
>> gathered, vetted and redistributed.
>
> And my further discussions with them didn't entail getting the keys to
> their kingdom's riches. It solely involved processing the IP addresses
> of attackers.
 

You completely missed the entire concept of open source intelligence,
didn't you?


>> By limiting the scope of participants in the ATLAS project to known,
>> trusted and highly vetted individuals who are themselves highly invested
>> in the success of the project and who can provide large quantities of
>> high confidence intelligence to the ATLAS project itself, Arbor is
>> taking crucial steps towards circumventing open source intelligence
>> gathering against the project itself.
>
> Define trusted individuals someone who puts enough money in your pocket?
 

Um, how's this: Not you.   Seriously though, if you have to ask for a
definition, it is painfully obvious that this is beyond the scope of
what can be explained to you.


>> What?  I've never seen any publicity about NSPs working together to do
>> this and if it's not in the news and being blogged about, it just isn't
>> happening!
>
> But whose fault is this? I would love to be able to ramble on my blog
> about contacting provider X and how good they were at addressing the
> issue. I've gone on countless mailing lists and asked does someone have
> a contact at X provider. (http://www.infiltrated.net/bfOld/) ... A
> simple bruteforcer script which would log information from bruteforce
> attackers. I used to parse that out with sed and awk and contact most
> network operators while in between doing work, etc.
>
> To this date, the most helpful individual has been Dave at REN-ISAC.

Dave Monnier and I cross paths pretty much a daily basis.  He's a good
guy and an invaluable resource to the community.  I'm glad he was able
to help you out.  I also hope you'll understand that those of us who do
hold the keys to the kingdom are unlikely to jump out of the shadows
every time some squirrel yells, "Help!  Someone scanned me and set off
my ZoneAlarm!"  We have finite resources to apply to an infinite number
of issues.

While you might consider someone trying to bruteforce ssh on your b0xen
to be a high priority, it falls way below collecting forensics and doing
flow analysis on a child pornography ring or tracking and mitigating
state sponsored cyberterrorism being perpetrated against a DoE site in
my book.


>> You neglected to make your point so, I'll take this time to make mine
>> again:
>
>> There is a lot going on in the shadows to combat botnets and other
>> miscreant activities that most folks don't have credentials to know
>> about.
>
> I don't disagree with you in fact I wholeheartedly agree there are a lot
> idiots out there. Some of which I would like to personally introduce to
> the bottom of my Puma's however, there are some of us in the industry
> who do whatever it takes try and make our own networks safe.

Um, I don't recall using the word idiot.  I wasn't belittling anyone.  I
was pointing out that just because you don't know about something going
on doesn't mean that it isn't going on.  The bad guys aren't just
15-y/o zit-faced punks trying to impress their friends anymore.  It is
organized crime, terrorists, rogue nations, etc.  These people don't
have any more of a problem putting a bullet in your head than they do
sending a ping-flood your way.  For that reason, among others, the
intelligence gathering and mitigation activities are conducted under the
cloak of secrecy.  It's all about operational security.


~john

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mandriva - http://enigmail.mozdev.org

iD8DBQFG9C9k+16lRpJszIgRAlXYAJ4pO3qrGqAMaBWzQ16RNKg7O5IN+wCeLRWu
OMF+dFpEcfsvH+rEPVnxOUM=
=TuoV
-END PGP SIGNATURE-


Re: [botnets] Why ISP's and NSP's Love Botnets

2007-09-21 Thread J. Oquendo
John Fraizer wrote:

> Carrier grade routers are designed to route (or switch in the case of
> MPLS) packets at line-rate.  When you start applying ACLs, the
> performance hit is not trivial - especially when you've got interfaces
> doing 1-Mpps+ under *normal* load.

Alright, so let me start again... I stated that if NAP's and NSP's contacted
their customers, lowly DS3 guys like me, and stated "Look, here is what you
need to do to avoid having your network send out garbage...", imagine
for a second if a fraction of NAP's started implementing these policies
how much garbage traffic would be curtailed.

> Go look and see how much a TMS costs.  Now, consider a medium sided
> provider with a backbone that covers about 25 states.  How many TMS
> devices does that provider need to deploy?  How much extra capacity does
> that provider need to deploy on their network to be able to divert
> traffic to the closest TMS?

And how much would it cost for the following:

Dear Valued Customer,

Beginning December 2007, we will be asking our customers to help make
our networks more efficient. We ask that you view a set of pre-defined
guidelines created by industry experts and implement them on your
routers and switches. Should you need assistance please contact us.

Sincerely,
Your Provider
Working to make the Internet Safer.

> I wasn't the one who went out and started talking smack on IRC and
> invited Joe Botherder to take his best shot at me.  It was my
> misguided customer.

It's that customer I know I wouldn't want on my network. Even if they did
pay X over bandwidth I just wouldn't want them.

> This notion that it is the responsibility of the
> providers to protect their customers is analogous to the two of us
> walking into a bar and you thinking that just because I'm a Marine that
> you can go pick the biggest, baddest mofo in the bar and pick a fight
> with him and it will be my job to fight him *for you*...

Is it? I look at this analogy: you go to a car dealer, say Nissan, and
purchase your car. Brake problems? I take it back to the dealer. Oh my,
did they email or call me to say an attacker has the potential to affect the
GPS and re-route my destination, even stop me from getting there? Wow,
and you even sent me instructions on how to avoid it. Know what, I'd
appreciate that car dealer. I'd even go tell another Nissan owner, hey,
did you hear the news...

> It exists.  It's been around for quite some time.
>
> uRPF + RFC1998
>
> And a newer concept:
>
> http://tools.ietf.org/id/draft-marques-idr-flow-spec-04.txt

I meant to make mention of a lot of things. When I rambled on it was
rambling on. It was to make a point: I'm sure there are tons of things a
lowly provider can do; maybe they're misguided as you say I am, maybe
some just don't know about these things. How about guidance from the big
boys. How about a template from the industry's experts. How about
guidance from the big boys before it's too late:
http://www.darkreading.com/document.asp?doc_id=130745

I sincerely enjoy word for word the learning experience here so please
don't misunderstand my communication at any given time and should you
tell me to STFU I'd respect that too, but I'm trying to understand why
it can't be done and sadly I'm still seeing nothing more than an excuse.
Not from you per se but overall there is STILL no reason why networks
can't be cleaner.

> The bad guys aren't just
> 15-y/o zit-faced punks trying to impress their friends anymore.  It is
> organized crime, terrorists, rogue nations, etc.  These people don't
> have any more of a problem putting a bullet in your head than they do
> sending a ping-flood your way.  For that reason, among others, the
> intelligence gathering and mitigation activities are conducted under the
> cloak of secrecy.  It's all about operational security.


Understandable as well and appreciated on the schooling I'm getting.


J. Oquendo
Excusatio non petita, accusatio manifesta

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E
sil . infiltrated @ net http://www.infiltrated.net





Re: [botnets] Why ISP's and NSP's Love Botnets

2007-09-21 Thread John Fraizer

J. Oquendo wrote:
 John Fraizer wrote:
 
 Carrier grade routers are designed to route (or switch in the case of
 MPLS) packets at line-rate.  When you start applying ACLs, the
 performance hit is not trivial - especially when you've got interfaces
 doing 1-Mpps+ under *normal* load.
 
 Alright, so let me start again... I stated if NAP's and NSP's contacted
 their customers lowly DS3 guys like me and stated Look here is what you
 need to do to avoid having your network send out garbage..., imagine
 for a second if a fraction of NAP's started implementing these policies
 how much garbage traffic would be curtailed.
 

Fergie, do you wanna tell him about BCP38 and how long it's been around
or should I?

Nevermind.  I will: http://www.faqs.org/rfcs/bcp/bcp38.html

Beyond that it's about *user* education and some...er...*MOST* users are
simply unwilling or unable to be educated.  How long have people been
told not to open attachments from unknown senders?  And what is the
primary distribution vector for Storm?

 
 And how much would it cost for the following:
 
 Dear Valued Customer,
 
 Beginning December 2007, we will be asking our customers to help make
 our networks more efficient. We ask that you view a set of pre-defined
 guidelines created by industry experts and implement them on your
 routers and switches. Should you need assistance please contact us.
 
 Sincerely,
 Your Provider
 Working to make the Internet Safer.
 

Sadly, one does not have to show proof or proficiency to purchase a
computer and/or obtain internet connectivity.  You can send all the
letters you want to the customer.  Until it is *PAINFUL* for them, they
are not going to do anything.  The level of pain varies on a case by
case basis.  There is no silver bullet.  Outside of sending out a
competent individual to personally visit every customer and apply (by
force if necessary) the best current practices, patch their operating
systems and applications and watch over their shoulder to prevent them
from doing stupid things like opening unknown attachments or blindly
clicking every link they find on the net, you are not going to clean up
the net.  I ask you, how much is THAT going to cost?  You know that the
USER is not going to pay for it.  As far as they're concerned, there
isn't a problem and if it ain't broke, they're not gonna fix it!



 I wasn't the one who went out and started talking smack on IRC and
 invited Joe Botherder to take his best shot at me.  It was my
 misguided customer.
 
 It's that customer I know I wouldn't want on my network. Even if they did
 pay X over bandwidth I just wouldn't want them.
 

OK.  Would you want the customer who opened up an attachment in email
which infected them allowing their machine to be used as a proxy for
some miscreant to go on IRC and invite Joe Botherder to take his best
shot???  How about the customer who gets infected by downloading the
latest war3z and gets infected and their machine starts scanning the
closest 4 /8's worth of address space, eventually triggering an inbound
DDoS because they tickled some Storm infected hosts in just the right
way?  Oh, no.  We don't want them either.  We only want highly vigilant,
safe browsing, not miscreant attention attracting customers.  Do you
know the problem with that business model?  There are not enough
clued-in customers to go around.



 Is it, I look at this analogy, you go to a car dealer say Nissan,
 purchase your car. Brake problems? I take it back to the dealer. Oh my,
 did email or call me to say an attacker has the potential to affect the
 GPS and re-route my destination even stop me from getting there. Wow,
 and you even sent me instructions on how to avoid it. Know what, I'd
 appreciate that car dealer. I'd even go tell another Nissan owner, hey
 did you hear the news...

Product defect and user education are not anywhere close to being the
same thing.  The ISP/NSP is doing *exactly* what the customer is paying
for by carrying the packets (good and bad) to/from endpoint to endpoint.
It is the customers who are becoming infected causing their machines to
send the bad packets.

Is it the responsibility of the car dealer to prevent you from
purchasing the car if you have a history of running into other cars?  No
it isn't.  Is it the responsibility of the car dealer to prevent you
from purchasing the car if you have a history of being the victim in
automobile collisions?  No.  It is the responsibility of the car dealer
to sell you whatever car you desire to purchase and can provide funding for.

A brake problem with a new car would be analogous to a bad piece of
provider issued CPE or a mismatched MTU on a P-t-P circuit.  That's not
what we're talking about here.  We're talking about people who think
that setting cruise control is the same as engaging the auto-pilot on a
767.  When they set the cruise and recline the 
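What the BCP38 ingress filtering and uRPF cited in this thread actually check, as an added example that is not code from any of the list posts: a packet arriving from a customer interface is forwarded only if its source address lies in a prefix assigned to that customer, after RFC1918 and other never-valid sources are dropped. The interface names, prefix assignments and sample packets are constructed for illustration.

```python
"""BCP38-style ingress filtering on customer-facing interfaces: forward a
customer's packet only if its source lies in a prefix assigned to that
customer (the check uRPF strict mode or an ingress ACL performs)."""
import ipaddress

# Constructed assignment table: customer interface -> prefixes routed to it.
CUSTOMER_PREFIXES = {
    "Serial0/1": [ipaddress.ip_network("192.0.2.0/24")],
    "Serial0/2": [ipaddress.ip_network("198.51.100.0/25"),
                  ipaddress.ip_network("203.0.113.0/24")],
}

# RFC1918 space plus other never-valid sources (the RFC1918 filtering
# suggested upthread); these are dropped before the per-interface check.
BOGONS = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/3")]


def ingress_check(interface, src):
    """Return (forwarded, reason) for a packet with source `src` arriving on
    `interface`: bogons and sources not assigned to that interface are dropped."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in BOGONS):
        return False, "bogon source"
    if not any(addr in net for net in CUSTOMER_PREFIXES.get(interface, [])):
        return False, "spoofed source"
    return True, "valid"


def filter_packets(packets):
    """Apply ingress_check to (interface, src, dst) tuples; return the packets
    that pass and a per-reason drop count the abuse desk can act on."""
    forwarded, drops = [], {}
    for iface, src, dst in packets:
        ok, reason = ingress_check(iface, src)
        if ok:
            forwarded.append((iface, src, dst))
        else:
            drops[reason] = drops.get(reason, 0) + 1
    return forwarded, drops


# Constructed sample traffic: one legitimate packet per interface, one
# RFC1918 source, and one packet forging another customer's address.
SAMPLE = [
    ("Serial0/1", "192.0.2.10", "198.51.100.1"),
    ("Serial0/2", "203.0.113.7", "192.0.2.1"),
    ("Serial0/1", "10.1.2.3", "192.0.2.1"),
    ("Serial0/2", "192.0.2.99", "198.51.100.200"),
]

if __name__ == "__main__":
    fwd, dropped = filter_packets(SAMPLE)
    print(len(fwd), "forwarded;", dropped)  # 2 forwarded; one drop per reason
```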

Re: [botnets] Why ISP's and NSP's Love Botnets

2007-09-21 Thread PinkFreud
On Fri, Sep 21, 2007 at 10:02:32PM +, John Fraizer babbled thus:

*snip*

 Again, there is no silver bullet.  It is *NOT* the responsibility of the
 providers to force safe computing down the throat of their customers.

I disagree with this.  By your reasoning, it's not the responsibility
of the university I work for to make sure students don't put infected
machines on the network (we actually take a very proactive approach to
minimize the number of 'problem' machines we have on the network).

To go back to your earlier analogy of a user enticing Joe Botherder,
you're right - there's little an ISP can do in that case.  But when
you're talking about machines actively sending out spam/involved in a
DDoS/etc., then yes, it *is* the ISP's responsibility to do something.

I'm not saying an ISP should be watching everything that goes on on
its network at all times.  However, when an abuse department is
contacted about a problem machine on the ISP's network, it is most
definitely the ISP's responsibility to investigate, attempt to contact
the owner, and as a last resort, pull it off the network. 

If an ISP weren't to take responsibility for the machines, who would?
The user?  As you pointed out, that's rather unlikely.  :)

The real question is - what do we do with ISPs which ignore abuse
reports, like Turk Telekom, RDSNet, or QualityNet?


*snip*

 ~john

-- 
PinkFreud
Chief of Security, Nightstar IRC network
irc.nightstar.net | www.nightstar.net
Server Administrator - Blargh.CA.US.Nightstar.Net
Unsolicited advertisements sent to this address are NOT welcome.




Re: [botnets] Why ISP's and NSP's Love Botnets

2007-09-21 Thread James Pleger
I don't think that ISPs are going to care until there is a business model
that will make them money (or save it) and not cost them a bunch of
money/staff overhead.

It costs a great deal to staff an abuse department that knows what they are
doing, there isn't really any value for the ISP to take down a botted
machine that is sending spam, unless it is affecting their core business.

Just my two cents...

Look at TTNET, they don't do anything about complaints (from what I can
tell).



Re: [botnets] Why ISP's and NSP's Love Botnets

2007-09-21 Thread Paul Ferguson

-- James Pleger [EMAIL PROTECTED] wrote:

I don't think that ISPs are going to care until there is a business model
that will make them money(or save it) and not cost them a bunch of
money/staff overhead.  

It costs a great deal to staff an abuse department that knows what they
are doing, there isn't really any value for the ISP to take down a botted
machine that is sending spam, unless it is affecting their core business.
  


Perhaps, but the pressure is mounting.

Until that time, we have this:

https://nssg.trendmicro.com/nrs/reports/rank.php?page=1

- ferg



--
Fergie, a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/





Re: [botnets] Why ISP's and NSP's Love Botnets

2007-09-21 Thread John Fraizer

PinkFreud wrote:
 On Fri, Sep 21, 2007 at 10:02:32PM +, John Fraizer babbled thus:
 
 *snip*
 
 
Again, there is no silver bullet.  It is *NOT* the responsibility of the
providers to force safe computing down the throat of their customers.
 
 
 I disagree with this.  By your reasoning, it's not the responsibility
 of the university I work for to make sure students don't put infected
 machines on the network (we actually take a very proactive approach to
 minimize the number of 'problem' machines we have on the network).

Two points:

1) Protecting your network != forcing safe computing down the throat of
your customers.

While _you_ can place infected users into a walled garden which will
provide them motivation to clean their infected/compromised machine,
you still can not force the user to practice safe computing.  You can
make the alternative inconvenient for them but, only the user can make
the conscious decision to not do stupid things.

2) UNI Network != Service Provider Network.

As a UNI Network, you have the ability to place users into a walled
garden without fear of the user voting with their wallet.  I.e., the UNI
gets their money even if the student is walled for the entire school
term.  Add the real threat of litigation on the part of customers of
actual service providers (ISP/NSP) who sue the provider for interruption
of business, etc and you can see that while you as a UNI Network may
have several Gb/s worth of transit + I2 capacity, a bunch of 15Ks, 12Ks
and 7600s in your network like the rest of the big boys, the
customer:provider relationship is completely different.

Even when a customer is in violation of an AUP/TOS, it is a difficult
sale to legal to just admin down the customer facing interface or
otherwise send a shot across the bow to get the customer's attention.

Our customer-facing folks have brought me into calls where the customer
had to call back via their cellphone - they were unable to complete a
VoIP call because their connection was so saturated with outbound DoS
traffic - and the customer was actually arguing that there was no way
they were compromised because they didn't run Windows.  This same
customer decided to go the executive escalation path where VPs, SVPs and
C*O's are brought into the mix, threatening litigation, blah blah blah.
I was eventually able to convince the customer that they did in fact
have compromised machines on their network but only after they
physically disconnected the switch uplink to their compromised servers
and their VoIP miraculously started working again.


 
 To go back to your earlier analogy of a user enticing Joe Botherder,
 you're right - there's little an ISP can do in that case.  But when
 you're talking about machines actively sending out spam/involved in a
 DDoS/etc., then yes, it *is* the ISP's responsibility to do something.
 
 I'm not saying an ISP should be watching everything that goes on on
 it's network at all times.  However, when an abuse department is
 contacted about a problem machine on the ISP's network, it is most
 definitely the ISP's responsibility to investigate, attempt to contact
 the owner, and as a last resort, pull it off the network. 

Please don't misunderstand.  I am in no way shape or form stating that
it is not the responsibility of a service provider to actively and
aggressively field complaints.  I'll go one step further and say that in
my opinion, service providers should proactively monitor their networks
for anomalous traffic and vigorously investigate anything that causes
bells and whistles to start going off.  That is not the same thing as
forcing safe computing onto your customers however.

If I had my way, no end-users would be logging into a privileged account
on *ANY* platform to do non-admin tasks.  There is absolutely no reason
for a user to have Administrator privileges while surfing the net,
checking email or chatting on their favorite instant messaging client.

Tell me what percentage of end-users create and *USE* a luser account
and *USE* it vs the default, balls-to-the-wall Administrator privilege
account on their winblows machine if they received notification that it
was the smart thing to do or it was best current practice?

 
 If an ISP weren't to take responsibility for the machines, who would?
 The user?  As you pointed out, that's rather unlikely.  :)
 

The question that has to be asked before ultimate responsibility can be
established is "Whose machine is it?"

If you're MegaCompany, Inc, the machine could be a server on your
corporate network, a desktop machine at a cubicle or even the laptop of
an outside sales rep who is connecting via VPN.

If you're RackSpace, the machine is yours and the customer pays you for
the ability to utilize the machine.

If you're Cox Cable, the machine most likely belongs to Billy-Bob enduser.

If you're Verizon Business, the