That is one way to do it. The other is to detect (if you can) the MAC address of the offending traffic and block that. You can do this at the AP (Access Point) on the customer's side. Or stick it in your AUP that if customers have APs in their houses and don't apply basic security measures (like not using WEP, LEAP, or WPA; WPA II is still OK I think), they will run the risk of losing service. The other thing you could do is enable WPA II and EAP on your home network. Then again normal end users don't want to or have the required skills to do so. Even simple MAC address filtering and turning off the SSID beacon stops 85% of rogue wireless network associations.
-Miller

On 2/14/07, Ben Barrett <[EMAIL PROTECTED]> wrote:
Here's a troubling scenario surrounding rate-limiting by ISPs, if they were to find malware traffic on a customer's connection. If the customer runs an open wifi hotspot, then introducing malware traffic (whether it is really from an infected machine or just replayed) would DoS the owner of the connection. Anyone see an easy way around this? Possibly adopting ipv6 and removing NATs?

ben

On 2/14/07, Michael Miller <[EMAIL PROTECTED]> wrote:
>
> Mike,
>
> You bring up a good point. You can't always block the bad traffic. I do think the software and logic is getting better than what we had 3 years ago to work with. That said we also didn't have the problems we have today. Yes blocking, inspecting and rate limiting all cause network latency. One thing that Windows XP does well is to identify (if you use the firewall and have a clean machine) new ports that were not in use before and identify and ask if you want X program to have network access. The problem is not all end users are going to understand what that means. One way ISPs can help out the end user is to use transparent proxy devices. I know Comcast used to or still does use them on their network. I just don't know if they're doing any in line virus scanning. Doing that type of protection on a business or carrier network can help to prevent users' machines from becoming problem machines. (Do a Google news search for Banner Ad Malware infections.) I know I might sound like the end users are the problem. I think the problem is software development organisations and carriers see this as not their problem. When in fact it is their problem and they're enabling bad stuff to happen to end users' machines. Now if Comcast wants to shut down everything but a small amount of ports including 25 and 22, it would force me to start using VPN tunnels or GRE tunnels to forward traffic. Not a bad thing IMHO, because if your machine is infected, that means whoever is providing you mail routing services will drop your tunnel unless you fix your problem. That being said, if you also rate limit outgoing http sessions or https sessions on port 80 and 443 (which should not be happening if you're a $ISP) you will stop some if not many DDOS attacks.
>
> My $0.02.
>
> -Miller
>
> On 2/14/07, Mike Cherba <[EMAIL PROTECTED]> wrote:
> > FYI, one of the major reasons ISPs don't just do this is that identifying things like botnet traffic isn't always easy to do without spending a lot of computing cycles. Spending those cycles at the very least results in increased latency. I know of several companies who are building next gen routers which will have low latency in line virus scanning and IDS/IP features. I have to believe that at least some of these systems can be taught to recognize and filter "bad traffic". The problem is "What is bad traffic?"
> >
> > Another tactic is to push the brains out to the edge. If the PC/User can't prevent infection, the ISP can hope to limit the spread. Things like tight firewalls on the Cable Modem or DSL routers that block outgoing ports unless configured differently make a big difference here. With some of the newer boxes it is "safer" for an ISP to start with a "block everything except webpages" approach because the control panels don't require the user to understand ports. They just have to check boxes for what traffic they want to allow through from a list containing things like the names of games and applications. The firewall then allows these outbound and can even specify what times of day the traffic should be allowed through. For example you could block all gaming related traffic except on weekday evenings between 4:00PM and 10:00 PM and weekends between 10:00AM and 10:00PM.
> >
> > -Mike
> >
> > "Software Engineering is that part of Computer Science which is too difficult for the Computer Scientist." -- F. L. Bauer.
> >
> > On Tue, 2007-02-13 at 14:11 -0800, Ben Barrett wrote:
> > > Well stated situation, Bob. However, I was trying to propose something more akin to a backbone policing endeavor, which would ideally keep any major botnet infections from taking hold -- there will always be zero-day issues, of course, but by the time 10K machines are infected, it should be easy enough to identify their traffic and simply eliminate it.
> > >
> > > So the scenario I envision would be one where the customer only has an issue b/c their computer is running so slow (any successful small-time or failing big-time infections have similar effects as they do today), at which point the user does whatever they wish, call RentANerd, etc.
> > >
> > > My idea (well not MINE) is to simply squelch the channels by which the botnets are attempting to do their own useful work, and also the channels by which they update themselves and spread. Again, this would only affect major & known botnets/malware, but ... imagine for instance if our networks only had to support 1/10 or 1/1000 the amount of spam! We'd all be jumping for joy, and shouting, "It works! It works!" :)
> > >
> > > So yeah, I don't expect any small-beans ISPs to deal with it, I expect some sort of global or nation policing effort, ON the backbone, so to speak... of course, the implementation could go horribly wrong, and the system itself could be compromised... but getting it wrong is how we best learn to get it right, correct? Pie in the sky, at present, as far as I know, since I haven't been participating in the Portland Infraguard group for a few years, but I expect that these things are in fact discussed by those with both the might and the right to get're done.
> > >
> > > cheers,
> > >
> > > ben
> > >
> > > PS - To summarize, it'd have to be "good for business". Reducing traffic jams and increasing accident-recovery times are crucial for the shipping industries who rely on the public roadways, isn't this about the same as the internet? (No, we wouldn't have state troopers rebuilding your carburetor when you're pulled over...)
> > >
> > > On 2/13/07, Bob Miller <[EMAIL PROTECTED]> wrote:
> > > Ben Barrett wrote:
> > > > And why aren't google, microsoft, and major ISPs really cracking down on the botnet infrastructure?? They have all the tools and the power....
> > >
> > > Let's see what happens. $ISP puts in place a system to identify pwnzored boxes. The first day, they identify 250,000 of them. So they select a random 10,000 and shut off their internet access.
> > >
> > > "Customer Support, may I help you?"
> > > "The Internet is broken."
> > > "Let me check... Oh, your computer is part of a botnet. We shut it off for your protection."
> > > "What do you mean I bought part of .NET?"
> > > "Your computer is infected with malware and is ruining the internet for everyone else. We shut off your connection."
> > > "Well how do I get it turned on again?"
> > > "[hold hand for five hours while reinstalling Windows+patches+antivirus yada yada]"
> > > "Thanks!" <click>
> > >
> > > 2 days later:
> > >
> > > "Customer Support, may I help you?"
> > > "The Internet is broken again!"
> > > "Let me check... Your computer is infected again."
> > > "This sucks. My brother uses AOL and he never has these problems. I'm switching to AOL. Cancel my account. You suck. I'm telling all my friends you suck." <click>
> > >
> > > Net result for $ISP: huge customer service costs, many lost or PO'd customers. So $ISP certainly isn't going to take the initiative. You can write your own dialogue about what would happen if Google tried it. Microsoft, to its credit, did clean up XP a lot in Service Pack 2, and suffered from a delayed and feature-free Vista, costing shareholders billions.
> > >
> > > --
> > > Bob Miller K<bob>
> > > [EMAIL PROTECTED]
_______________________________________________ EUGLUG mailing list euglug@euglug.org http://www.euglug.org/mailman/listinfo/euglug
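The thread turns on one asymmetry: the ISP only sees the household's single public IP, so any rate limit it applies punishes the whole connection (Ben's open-hotspot DoS scenario), whereas the customer's own AP can still see which client MAC the traffic came from (Miller's "detect the MAC address and block that at the AP"). The script below is an added illustration of that difference and is not code from the thread or from any of its authors. It works over constructed flow records (timestamp, source MAC, destination, port) such as a home router could log, measures the peak number of outbound SMTP connections per client in a sliding window, and produces a block list by MAC instead of by public IP. The MAC addresses, the 60-second window and the threshold of 20 connections are assumptions chosen for the example, and the emitted `iptables -m mac --mac-source` rule is shown only as the kind of per-client rule an AP could apply.

```python
"""Attribute suspicious outbound traffic to a client MAC behind a home AP/NAT.

Added example, not code from the EUGLUG thread. It contrasts what an ISP can
measure (one public IP per household after NAT) with what the customer's AP
can measure (the LAN-side client MAC), so one misbehaving client can be
blocked without rate-limiting the owner's whole connection. All flow records
and MAC addresses below are constructed for the illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed client MACs (assumptions, not real devices).
OWNER_MAC = "aa:bb:cc:dd:ee:01"   # subscriber's laptop, light web browsing
GUEST_MAC = "aa:bb:cc:dd:ee:02"   # device on the open hotspot pushing SMTP
PHONE_MAC = "aa:bb:cc:dd:ee:03"   # phone polling mail over IMAPS


@dataclass(frozen=True)
class Flow:
    ts: float       # seconds since the start of the capture (constructed)
    src_mac: str    # client MAC as seen on the LAN side of the AP
    dst_ip: str
    dst_port: int


def make_sample_flows():
    """Constructed capture: three clients sharing one public IP behind the AP."""
    flows = []
    for i in range(10):                       # 10 HTTP requests spread over a minute
        flows.append(Flow(i * 6.0, OWNER_MAC, "203.0.113.10", 80))
    for i in range(40):                       # 40 SMTP connections to 40 hosts in 30 s
        flows.append(Flow(i * 0.75, GUEST_MAC, f"198.51.100.{i + 1}", 25))
    for i in range(2):                        # 2 IMAPS polls
        flows.append(Flow(i * 30.0, PHONE_MAC, "203.0.113.20", 993))
    return flows


def peak_rate(timestamps, window_s):
    """Largest number of events that fall inside any window of window_s seconds."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window_s:   # slide the window's left edge
            start += 1
        best = max(best, end - start + 1)
    return best


def household_peak(flows, port, window_s):
    """The ISP's view: every client collapses into one public IP after NAT."""
    return peak_rate([f.ts for f in flows if f.dst_port == port], window_s)


def per_mac_peak(flows, port, window_s):
    """The AP's view: peak connection rate to `port` for each client MAC."""
    by_mac = defaultdict(list)
    for f in flows:
        if f.dst_port == port:
            by_mac[f.src_mac].append(f.ts)
    return {mac: peak_rate(ts, window_s) for mac, ts in by_mac.items()}


def distinct_destinations(flows, port):
    """Per MAC, how many different hosts were contacted on `port` (spam fan-out)."""
    seen = defaultdict(set)
    for f in flows:
        if f.dst_port == port:
            seen[f.src_mac].add(f.dst_ip)
    return {mac: len(hosts) for mac, hosts in seen.items()}


def macs_to_block(flows, port=25, window_s=60, threshold=20):
    """Client MACs whose peak rate to `port` exceeds the (assumed) threshold."""
    rates = per_mac_peak(flows, port, window_s)
    return sorted(mac for mac, n in rates.items() if n > threshold)


def block_rule(mac):
    """A FORWARD-chain rule dropping one client's traffic at the AP.

    `-m mac --mac-source` is a real iptables match; the rule is illustrative.
    """
    return f"iptables -I FORWARD -m mac --mac-source {mac} -j DROP"


if __name__ == "__main__":
    flows = make_sample_flows()
    print("ISP view, SMTP conns per 60 s for the whole household:",
          household_peak(flows, 25, 60))
    print("AP view, SMTP conns per 60 s per client:", per_mac_peak(flows, 25, 60))
    print("Distinct SMTP destinations per client:", distinct_destinations(flows, 25))
    for mac in macs_to_block(flows):
        print("would apply:", block_rule(mac))
```

The household-level count is exactly the guest's count, so an ISP throttling that public IP would cut off the owner and the phone along with the guest; the per-MAC view isolates the one client. The usual caveat applies: a MAC can be forged by a client, so this attributes traffic well enough for a home AP to isolate a misbehaving device, not as proof of which physical machine is infected.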