Re: SORBS Contact

2006-08-13 Thread Richard A Steenbergen

On Sun, Aug 13, 2006 at 09:11:58PM -0700, David Schwartz wrote:
> 
>   Your argument is similar to a mall that claims they can shoot people who
> don't buy anything. After all, their only obligation is to those who pay
> them. But of course neither you nor they can do that. By setting up a
> network and connecting it to the Internet, you know that you will sometimes
> carry packets that are neither from nor to someone with whom you have a
> contract. Those are not your packets, and you have no contract with their
> owners, but you handle them in the ordinary course of your business, so you
> have a variety of tort obligations to them.

Whatever you're smoking, you've really gotta share some with the rest of 
us. :P I guarantee you that there is not a single packet that I will route 
which is neither from nor to someone I have a contract with. If you want 
to give away free service to people without contracts that is your right, 
but I sure as hell don't have to.

>   The same would be the case if I used FedEx to return something of
> yours to you. If they destroyed your property, you would have a claim 
> against them even though you didn't pay them for anything.

Packets are not property, there is no intrinsic value in returning them to 
sender. Plus I guarantee you if you drop off a package with Fedex and 
don't pay for it (thus entering into a contract with them for services), 
they will eventually throw it in the trash rather than deliver it.

>   Of course, you can protect your own network. Just as FedEx can destroy a
> bomb if someone tries to ship it through them. But you cannot do whatever
> you want with "your packets" unless they really are your packets.

The only thing you probably CAN'T do is take someone else's packets that 
were sent to you (either under contract or not) and sniff or alter them 
for the purpose of doing something Bad (tm) with the data (probably 
because said bad activity is already covered under some existing law, 
e.g. no extorting people, no impersonating others, etc).

-- 
Richard A Steenbergen <[EMAIL PROTECTED]>   http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)


RE: SORBS Contact

2006-08-13 Thread David Schwartz


> Obligation to _whom_?   My only obligations are to those who _pay_ me for
> access to my systems/resources.  If the people who *do* pay me for use of
> my systems/resources "don't want" that cr*p, then I do 'have an obligation'
> to _not_ deliver that traffic.

Nonsense. You have tort obligations as well as contractual obligations.
Specifically, if you take custody of someone else's data, and you have no
contract with that person, you have a tort obligation not to destroy it.

Your argument is similar to a mall that claims they can shoot people who
don't buy anything. After all, their only obligation is to those who pay
them. But of course neither you nor they can do that. By setting up a
network and connecting it to the Internet, you know that you will sometimes
carry packets that are neither from nor to someone with whom you have a
contract. Those are not your packets, and you have no contract with their
owners, but you handle them in the ordinary course of your business, so you
have a variety of tort obligations to them.

The same would be the case if I used FedEx to return something of yours to
you. If they destroyed your property, you would have a claim against them
even though you didn't pay them for anything.

I see the view you are expressing quite commonly among network operators
and it is, IMO, dangerous. It is, of course, your network. But it handles
other people's data.

Of course, you can protect your own network. Just as FedEx can destroy a
bomb if someone tries to ship it through them. But you cannot do whatever
you want with "your packets" unless they really are your packets.

I will defend your right to do anything reasonable. However, it is
incorrect and dangerous to assert that because it's "your network" you can
do anything you want. Even if it's your mall, you can't invite people into
it and then shoot them just because you have no contract with them.

DS




Re: New Laptop Polices

2006-08-13 Thread Laurence F. Sheldon, Jr.


Scott Morris wrote:

> "E-mail rest in peace?

That is what I tried to indicate.

An exchange somewhere (I can't now find it) went something like:

God is dead   - Nietzsche
Nietzsche is dead - God
Email is dead - Larry

To which I added that it will someday be

Larry is dead - Email
   but it will get lost in somebody's spam sump.

> A cause does not create/allow action? "

Ex turpi causa non oritur actio -- Lawyer Latin for "No cause of action 
may be founded upon an immoral or illegal act."  which is my answer to 
the If-you-don't-deliver-my-spam-I'll-sue-you crowd.

I am not a lawyer.  And I have never been trained in Latin.

--
Requiescas in pace o email

Ex turpi causa non oritur actio

http://members.cox.net/larrysheldon/




RE: New Laptop Polices

2006-08-13 Thread Scott Morris

Not that I have a whole lot to add (other than we're spending lots of time
talking about something only affecting UK --:> US flights at this moment)...
But I was intrigued by your latin there.

"E-mail rest in peace?

A cause does not create/allow action? "

My memories from high school are a tad shady these days, but am I getting
the general idea there?  Definitely interesting.  Caught my eye.

;)

Scott

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Laurence F. Sheldon, Jr.
Sent: Sunday, August 13, 2006 6:35 PM
To: nanog@merit.edu
Subject: Re: New Laptop Polices


joe mcguckin wrote:

> Why not put critical or proprietary files on a flash key? I carry a  
> 4G flash key on my keyring. Airport security has never given it a 
> second look. If the laptop ends up in the hands of a sticky-fingered 
> baggage handler (or the TSA), there's nothing there for them to find.

Recent reports said you were allowed to carry passport, medicines required
for the trip, and one or two other items that did not include any metallic
objects as I recall.

> And, to defeat the nosey customs folk who now want to login and  
> rummage around your files when you enter the US, create a dummy 
> account and give them that login when they insist on inspecting your 
> laptop for "child porn". I've got nothing to hide, but I don't want 
> some ham-handed idiot accidentally deleting stuff either...

I wonder what they are trained to look for.

--
Requiescas in pace o email

Ex turpi causa non oritur actio

http://members.cox.net/larrysheldon/




Re: New Laptop Polices

2006-08-13 Thread Laurence F. Sheldon, Jr.


joe mcguckin wrote:

> Why not put critical or proprietary files on a flash key? I carry a 4G
> flash key on my keyring. Airport security has never given it a second
> look. If the laptop ends up in the hands of a sticky-fingered baggage
> handler (or the TSA), there's nothing there for them to find.

Recent reports said you were allowed to carry passport, medicines 
required for the trip, and one or two other items that did not include 
any metallic objects as I recall.

> And, to defeat the nosey customs folk who now want to log in and rummage
> around your files when you enter the US, create a dummy account and give
> them that login when they insist on inspecting your laptop for "child
> porn". I've got nothing to hide, but I don't want some ham-handed idiot
> accidentally deleting stuff either...

I wonder what they are trained to look for.

--
Requiescas in pace o email

Ex turpi causa non oritur actio

http://members.cox.net/larrysheldon/




Re: New Laptop Polices

2006-08-13 Thread joe mcguckin
Why not put critical or proprietary files on a flash key? I carry a 4G
flash key on my keyring. Airport security has never given it a second
look. If the laptop ends up in the hands of a sticky-fingered baggage
handler (or the TSA), there's nothing there for them to find.

And, to defeat the nosey customs folk who now want to log in and rummage
around your files when you enter the US, create a dummy account and give
them that login when they insist on inspecting your laptop for "child
porn". I've got nothing to hide, but I don't want some ham-handed idiot
accidentally deleting stuff either...

Joe McGuckin
ViaNet Communications

[EMAIL PROTECTED]
650-207-0372 cell
650-213-1302 office
650-969-2124 fax

On Aug 12, 2006, at 7:44 AM, Todd Vierling wrote:

> On 8/11/06, Christopher L. Morrow <[EMAIL PROTECTED]> wrote:
>
> > It's also a great time to plant some file that POOF the authorities
> > will decrypt & show it's kiddie porn. {Or just hide same in your
> > browser cache.} Do YOU know what every frigging file on your
> > machine is?
>
> and here I was thinking: "Quick! buy stock in whole disk encryption
> software makers!"
>
> Any laptop NOT using full disk encryption from the moment of boot-up
> is begging for trouble.  As has been pointed out many times, laptops
> DO get lost, and not just in airline facilities.
>
> This can be accomplished with just about any OS.  Some require loading
> an OS kernel first with a custom ramdisk or mini-partition to kick off
> the encrypted disk driver; others can use off the shelf products
> designed expressly for this purpose.
>
> The only thing that bugs most people about full disk encryption is
> that it often doesn't support "hibernation" -- but if the hardware has
> a standby power save mode that is low enough on power consumption (S3
> or similar), that shouldn't be a problem.
>
> -- 
> -- Todd Vierling <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>

Re: i am not a list moderator, but i do have a request

2006-08-13 Thread Fergie

My personal opinion is that _some_ bitnet issues are indeed
relevant to the NANOG list, but that's just me. :-)

I mean, it _does_ affect network ops at times...

- ferg



-- Thomas Kuehling <[EMAIL PROTECTED]> wrote:
Dear Fergie,

On So, 2006-08-13 at 21:49 +, Fergie wrote:
> For what it's worth, there _is_ a botnet discussison list:
> 
> General information about the mailing list is at:
> 
>  http://www.whitestar.linuxbox.org/mailman/listinfo/botnets

thanks, didn't know about it. But isn't it still useful when urgent
matters concerning botnets will still be discussed on the nanog list?
Please disabuse me of it, but it's just my opinion.

Regards
Thomas

> - ferg
> 
> 
> -- Thomas Kuehling <[EMAIL PROTECTED]> wrote:
> 
> Dear all,
> 
> On So, 2006-08-13 at 15:17 -0600, Danny McPherson wrote:
> 
> > Interestingly enough, I lurk here 99.999% of the time. I comment
> > on this thread and folks ask to move it to a non-SP mailing list?   
> > Perhaps
> > non-operational, but this certainly has direct implications on SPs and
> > I'm of the opinion it's quite relevant - well, certainly as relevant  
> > as the
> > past recent threads:
> 
> I waited to see where this discussion would go, but that's exactly the
> point. In my opinion, it's really interesting and necessary to be
> informed about topics like botnets. It would be a failure if these
> topics weren't discussed any longer on this list. Also it isn't that
> big a problem to filter topics for oneself for relevance or no
> relevance.
> 
> Just my two cents.
> 
> Regards
> Thomas Kuehling
> 
> 
> --
> Thomas Kuehling - TK2325-RIPE
> Hoehestrasse 28 - 61348 Bad Homburg vor der Höhe - Hessen
> Jahnstrasse 6 - 26219 Boesel - Niedersachsen
> 
> --
> "Fergie", a.k.a. Paul Ferguson
>  Engineering Architecture for the Internet
>  fergdawg(at)netzero.net
>  ferg's tech blog: http://fergdawg.blogspot.com/



Re: i am not a list moderator, but i do have a request

2006-08-13 Thread Thomas Kuehling

Dear Fergie,

On So, 2006-08-13 at 21:49 +, Fergie wrote:
> For what it's worth, there _is_ a botnet discussison list:
> 
> General information about the mailing list is at:
> 
>  http://www.whitestar.linuxbox.org/mailman/listinfo/botnets

thanks, didn't know about it. But isn't it still useful when urgent
matters concerning botnets will still be discussed on the nanog list?
Please disabuse me of it, but it's just my opinion.

Regards
Thomas

> - ferg
> 
> 
> -- Thomas Kuehling <[EMAIL PROTECTED]> wrote:
> 
> Dear all,
> 
> On So, 2006-08-13 at 15:17 -0600, Danny McPherson wrote:
> 
> > Interestingly enough, I lurk here 99.999% of the time. I comment
> > on this thread and folks ask to move it to a non-SP mailing list?   
> > Perhaps
> > non-operational, but this certainly has direct implications on SPs and
> > I'm of the opinion it's quite relevant - well, certainly as relevant  
> > as the
> > past recent threads:
> 
> I waited to see where this discussion would go, but that's exactly the
> point. In my opinion, it's really interesting and necessary to be
> informed about topics like botnets. It would be a failure if these
> topics weren't discussed any longer on this list. Also it isn't that
> big a problem to filter topics for oneself for relevance or no
> relevance.
> 
> Just my two cents.
> 
> Regards
> Thomas Kuehling
> 
> 
> --
> Thomas Kuehling - TK2325-RIPE
> Hoehestrasse 28 - 61348 Bad Homburg vor der Höhe - Hessen
> Jahnstrasse 6 - 26219 Boesel - Niedersachsen
> 
> --
> "Fergie", a.k.a. Paul Ferguson
>  Engineering Architecture for the Internet
>  fergdawg(at)netzero.net
>  ferg's tech blog: http://fergdawg.blogspot.com/




Re: mitigating botnet C&Cs has become useless

2006-08-13 Thread Laurence F. Sheldon, Jr.


Sean Donelan wrote:

> On Sun, 13 Aug 2006, Laurence F. Sheldon, Jr. wrote:
>
> > This morning's Omaha Weird Harold has a front-page item about the City 
> > installing free wiffy hotspots around town.  It may be time for you to 
> > reconsider the options on the buggy-whip plant.
>
> Any information about how the City plans to solve the problem of their
> citizens using compromised PCs via their WiFi hotspots around town?


Not even any word on how they will pay for it, what with a number of 
expensive vote getters^W^Wcivic projects having spent the available 
money a couple of times.


But that is not really a new problem--the State of Iowa has (some time 
ago) equipped the highway rest areas and there are enough Starbucks 
around that you wonder why the City needs to do anything.


--
Requiescas in pace o email

Ex turpi causa non oritur actio

http://members.cox.net/larrysheldon/




Re: i am not a list moderator, but i do have a request

2006-08-13 Thread Fergie

For what it's worth, there _is_ a botnet discussison list:

General information about the mailing list is at:

 http://www.whitestar.linuxbox.org/mailman/listinfo/botnets

- ferg


-- Thomas Kuehling <[EMAIL PROTECTED]> wrote:

Dear all,

On So, 2006-08-13 at 15:17 -0600, Danny McPherson wrote:

> Interestingly enough, I lurk here 99.999% of the time. I comment
> on this thread and folks ask to move it to a non-SP mailing list?   
> Perhaps
> non-operational, but this certainly has direct implications on SPs and
> I'm of the opinion it's quite relevant - well, certainly as relevant  
> as the
> past recent threads:

I waited to see where this discussion would go, but that's exactly the
point. In my opinion, it's really interesting and necessary to be
informed about topics like botnets. It would be a failure if these
topics weren't discussed any longer on this list. Also it isn't that
big a problem to filter topics for oneself for relevance or no
relevance.

Just my two cents.

Regards
Thomas Kuehling


--
Thomas Kuehling - TK2325-RIPE
Hoehestrasse 28 - 61348 Bad Homburg vor der Höhe - Hessen
Jahnstrasse 6 - 26219 Boesel - Niedersachsen

--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/



Re: mitigating botnet C&Cs has become useless

2006-08-13 Thread Sean Donelan


On Sun, 13 Aug 2006, Laurence F. Sheldon, Jr. wrote:

> This morning's Omaha Weird Harold has a front-page item about the City 
> installing free wiffy hotspots around town.  It may be time for you to 
> reconsider the options on the buggy-whip plant.


Any information about how the City plans to solve the problem of their
citizens using compromised PCs via their WiFi hotspots around town?



Re: i am not a list moderator, but i do have a request

2006-08-13 Thread Thomas Kuehling

Dear all,

On So, 2006-08-13 at 15:17 -0600, Danny McPherson wrote:

> Interestingly enough, I lurk here 99.999% of the time. I comment
> on this thread and folks ask to move it to a non-SP mailing list?   
> Perhaps
> non-operational, but this certainly has direct implications on SPs and
> I'm of the opinion it's quite relevant - well, certainly as relevant  
> as the
> past recent threads:

I waited to see where this discussion would go, but that's exactly the
point. In my opinion, it's really interesting and necessary to be
informed about topics like botnets. It would be a failure if these
topics weren't discussed any longer on this list. Also it isn't that
big a problem to filter topics for oneself for relevance or no
relevance.

Just my two cents.

Regards
Thomas Kuehling


--
Thomas Kuehling - TK2325-RIPE
Hoehestrasse 28 - 61348 Bad Homburg vor der Höhe - Hessen
Jahnstrasse 6 - 26219 Boesel - Niedersachsen




Re: i am not a list moderator, but i do have a request

2006-08-13 Thread Danny McPherson



On Aug 13, 2006, at 1:02 PM, Paul Vixie wrote:

> which is, please move these threads to a non-SP mailing list.
>
> R  [  41: Danny McPherson ] Re: mitigating botnet C&Cs has become useless
> R  [  22: "Laurence F. Sheldon]
> R  <  45: Danny McPherson >
> R  [  62: "Laurence F. Sheldon]
> R  [ 162: "J. Oquendo"] Re: [Full-disclosure] what can be done with botnet C&C's?
> R  < 211: "Payam Tarverdyan Ch>
> R  [  66: Michael Nicks   ]
>
> i already apologized to the moderators for participating in a non-ops thread
> here.  there are plenty of mailing lists for which botnets are on-topic.
> nanog is not one and should not become one.  nanog has other useful purposes.

Interestingly enough, I lurk here 99.999% of the time. I comment
on this thread and folks ask to move it to a non-SP mailing list?  Perhaps
non-operational, but this certainly has direct implications on SPs and
I'm of the opinion it's quite relevant - well, certainly as relevant as the
past recent threads:

SORBS Contact
New Laptop Policies
Fingerprinting and SPAM ID
MPLS Gear for Outside Plant
[perhaps] Fedex Contact
Citrix Load-balancing
Detecting Parked Domains

I suppose it's more "what I feel like reading and sending email about", as
opposed to whether/what's on topic or not.  I'm done with this thread on
NANOG - else the slew of "me too" responses on this "list moderator" thread
will divert attention from alternative cruft...

Wondering if I should send a message to NANOG every time I see a thread
of questionable NANOG relevance,

-danny





nanog@merit.edu

2006-08-13 Thread Payam Tarverdyan Chychi

Though placing a /32 on a discard interface helps the situation, you are
now fully disabling your client that uses the /32... I do agree that it
definitely helps the situation... especially when the attack is a few mil
pps or perhaps even a few gigs/sec, in which case a customer /32 or bigger…
being down is about 100x better than your network being down.

So my question is then how do you use the same method for your peering
sessions (assuming you do peering on a private or public level)... seeing
how 95% of peers will not allow such specific entries as /32 into
their tables... so in case of an attack you are left with either having to
take down the peering session or stop advertising the prefix through that
peer.

Just curious as to how you go about it...

cheers,
-Payam



>
> I hate to stir the flames again, but this idea sounds a lot like RBLs.  :)
>
> All kidding aside, I'm curious as to when we will reach the point where
> the devices of our networks will be able to share information regarding
> sporadic bursts or predefined traffic patterns in network traffic within
> a certain time frame, determine it is a related outgoing (or incoming)
> attack, and mitigate/stop the traffic. I think it certainly is possible
> to accomplish this on a per-router level, but being able to have the
> devices communicate and share information between one another is a
> completely separate thing. (New protocol perhaps.)
>
> The only real method that I really have in my toolkit to stop incoming
> DDoS on an AS-wide perspective is originating a /32 within an AS with a
> next-hop of a discard interface.
>
> Something similar to that nature but more flexible and designed for the
> sole purpose of preventing/stopping abuse would be a very nice feature.
>
> Cheers.
> -Michael
>
> --
> Michael Nicks
> Network Engineer
> KanREN
> e: [EMAIL PROTECTED]
> o: +1-785-856-9800 x221
> m: +1-913-378-6516
>
> Payam Tarverdyan Chychi wrote:
>> I've been reading on this subject for the last several weeks and it
>> seems as if everyone just likes to come up with out-of-the-box ideas
>> that are not realistic for today's network environments.
>>
>> J.Oquendo, thanks for the Smurf example … as there are still
>> admins/engineers at large networks that have no clue as to what they
>> are doing… so QoS is for sure out of the question.. at least at this
>> time.
>>
>> Depending on agents to take actions and protecting our networks is an
>> even bigger joke. Back in the late 90s, when kiddies were using the
>> simplest types of C&C, wide-open IRC networks with visible channels and
>> no encryption… agents couldn't do anything unless the attack was big
>> enough to take down Amazon, Yahoo, Microsoft or some other major
>> provider with enough $$$ to start an investigation.
>>
>> So what makes you think that agents are of any help in today's world
>> where C&C have gotten so much more sophisticated, use backup private
>> servers, encryption, tunneling and much much more..
>>
>> In my opinion, the only way to really start cracking down on C&C and put
>> an end to it is the cooperation of major ISPs. I realize that most ISPs
>> can't/won't set up a security team just to investigate C&C / attacks
>> (would this really fall under the Abuse team?) but perhaps if all major
>> networks worked together and created an active DB list of C&C found
>> either on their networks or attacking one's network… then it would be
>> much much easier to trace back C&C and dispose of them.
>>
>> Unfortunately, we don't live in a perfect world and most ISPs hate
>> sharing any information… I guess it's better for them to have a bigger
>> ego than a safer / more stable network…
>>
>> Please feel free to correct me if I am wrong…
>>
>> -Payam
>


-- 
-- 
Payam Tarverdyan Chychi
Network Analyst




Re: i am not a list moderator, but i do have a request

2006-08-13 Thread Peter Dambier


Paul Vixie wrote:

> which is, please move these threads to a non-SP mailing list.
>
> R  [  41: Danny McPherson ] Re: mitigating botnet C&Cs has become useless
> R  [  22: "Laurence F. Sheldon] 
> R  <  45: Danny McPherson > 
> R  [  62: "Laurence F. Sheldon] 
> R  [ 162: "J. Oquendo"] Re: [Full-disclosure] what can be done with botnet C&C's?
> R  < 211: "Payam Tarverdyan Ch> 
> R  [  66: Michael Nicks   ] 
>
> i already apologized to the moderators for participating in a non-ops thread
> here.  there are plenty of mailing lists for which botnets are on-topic.
> nanog is not one and should not become one.  nanog has other useful purposes.

We have already enough botnets DoSsing the net. We don't need nondisclosed
botlists DoSsing this forum.

We both agree
Peter and Karin

--
Peter and Karin Dambier
Cesidian Root - Radice Cesidiana
Graeffstrasse 14
D-64646 Heppenheim
+49(6252)671-788 (Telekom)
+49(179)108-3978 (O2 Genion)
+49(6252)750-308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr/
https://sourceforge.net/projects/iason/



nanog@merit.edu

2006-08-13 Thread Christopher L. Morrow


On Sun, 13 Aug 2006, Michael Nicks wrote:

> attack, and mitigate/stop the traffic. I think it certainly is possible
> to accomplish this on a per-router level, but being able to have the
> devices communicate and share information between one another is a
> completely separate thing. (New protocol perhaps.)

reference TIDP ... which is like (sort of) Flow-Spec, only not piggybacked
upon BGP and with possibly some extra functionality wrt 'doing the right
thing' on each platform in question. Also, TIDP doesn't have to be tied to
a device that runs a routing protocol...

>
> The only real method that I really have in my toolkit to stop incoming
> DDoS on a AS-wide perspective is originating a /32 within an AS with a
> next-hop of a discard interface.

reference TIDP and FlowSpec (if you have 'discard interface' you already
have flow-spec)


Re: i am not a list moderator, but i do have a request

2006-08-13 Thread Chris Jester


>
> which is, please move these threads to a non-SP mailing list.
>
> R  [  41: Danny McPherson ] Re: mitigating botnet C&Cs has become
> useless
> R  [  22: "Laurence F. Sheldon]
> R  <  45: Danny McPherson >
> R  [  62: "Laurence F. Sheldon]
> R  [ 162: "J. Oquendo"] Re: [Full-disclosure] what can be done
> with botnet C&C's?
> R  < 211: "Payam Tarverdyan Ch>
> R  [  66: Michael Nicks   ]
>
> i already apologized to the moderators for participating in a non-ops
> thread
> here.  there are plenty of mailing lists for which botnets are on-topic.
> nanog is not one and should not become one.  nanog has other useful
> purposes.
> --
> Paul Vixie
>

I second that emotion.





Chris Jester
Suavemente, INC.
SplitInfinity Networks
619-227-8845

AIM: NJesterIII
ICQ: 64791506

NOTICE - This e-mail and any files transmitted with it are confidential and
are only for the use of the person to whom they are addressed. If you are
not the intended recipient you have received this e-mail in error. Any use,
dissemination, forwarding, printing, copying or dealing in any way
whatsoever with this e-mail is strictly prohibited. If you have received
this e-mail in error, please reply immediately by way of advice to us. It is
the addressee/recipient duty to virus scan and otherwise test the
information provided before loading onto any computer system. Suavemente,
INC.
does not warrant that the information is free of a virus or any other defect
or error. Any views expressed in this message are those of the
individual sender, except where the sender specifically states them to be
the views of Suavemente, INC.


i am not a list moderator, but i do have a request

2006-08-13 Thread Paul Vixie

which is, please move these threads to a non-SP mailing list.

R  [  41: Danny McPherson ] Re: mitigating botnet C&Cs has become useless
R  [  22: "Laurence F. Sheldon] 
R  <  45: Danny McPherson > 
R  [  62: "Laurence F. Sheldon] 
R  [ 162: "J. Oquendo"] Re: [Full-disclosure] what can be done with 
botnet C&C's?
R  < 211: "Payam Tarverdyan Ch> 
R  [  66: Michael Nicks   ] 

i already apologized to the moderators for participating in a non-ops thread
here.  there are plenty of mailing lists for which botnets are on-topic.
nanog is not one and should not become one.  nanog has other useful purposes.
-- 
Paul Vixie


nanog@merit.edu

2006-08-13 Thread Michael Nicks


I hate to stir the flames again, but this idea sounds a lot like RBLs.  :)

All kidding aside, I'm curious as to when we will reach the point where 
the devices of our networks will be able to share information regarding 
sporadic bursts or predefined traffic patterns in network traffic within 
a certain time frame, determine it is a related outgoing (or incoming) 
attack, and mitigate/stop the traffic. I think it certainly is possible 
to accomplish this on a per-router level, but being able to have the 
devices communicate and share information between one another is a 
completely separate thing. (New protocol perhaps.)


The only real method that I really have in my toolkit to stop incoming 
DDoS on an AS-wide perspective is originating a /32 within an AS with a 
next-hop of a discard interface.


Something similar to that nature but more flexible and designed for the 
sole purpose of preventing/stopping abuse would be a very nice feature.


Cheers.
-Michael

--
Michael Nicks
Network Engineer
KanREN
e: [EMAIL PROTECTED]
o: +1-785-856-9800 x221
m: +1-913-378-6516

Payam Tarverdyan Chychi wrote:

> I've been reading on this subject for the last several weeks and it seems
> as if everyone just likes to come up with out-of-the-box ideas that are
> not realistic for today's network environments.
>
> J.Oquendo, thanks for the Smurf example … as there are still
> admins/engineers at large networks that have no clue as to what they
> are doing… so QoS is for sure out of the question.. at least at this
> time.
>
> Depending on agents to take actions and protecting our networks is an
> even bigger joke. Back in the late 90s, when kiddies were using the
> simplest types of C&C, wide-open IRC networks with visible channels and
> no encryption… agents couldn't do anything unless the attack was big
> enough to take down Amazon, Yahoo, Microsoft or some other major provider
> with enough $$$ to start an investigation.
>
> So what makes you think that agents are of any help in today's world where
> C&C have gotten so much more sophisticated, use backup private servers,
> encryption, tunneling and much much more..
>
> In my opinion, the only way to really start cracking down on C&C and put
> an end to it is the cooperation of major ISPs. I realize that most ISPs
> can't/won't set up a security team just to investigate C&C / attacks (would
> this really fall under the Abuse team?) but perhaps if all major networks
> worked together and created an active DB list of C&C found either on their
> networks or attacking one's network… then it would be much much easier to
> trace back C&C and dispose of them.
>
> Unfortunately, we don't live in a perfect world and most ISPs hate
> sharing any information… I guess it's better for them to have a bigger ego
> than a safer / more stable network…
>
> Please feel free to correct me if I am wrong…
>
> -Payam
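The "/32 with a next-hop of a discard interface" technique that Michael describes above, that Payam asks about for peering sessions, and that Chris Morrow contrasts with flowspec, is remote-triggered blackholing (RTBH). The following is an added configuration example written for this page in Cisco IOS-style syntax; it is not taken from any message in the thread and none of the participants posted it. AS 65000, the discard next-hop 192.0.2.1, the blackhole community 65000:666, the victim address 203.0.113.7, the iBGP peer 10.0.0.2, and a customer in AS 64512 at 198.51.100.2 who is entitled to announce 203.0.113.0/24 are all illustrative assumptions.

```cisco
! Added RTBH example (not from the thread); all addresses, AS numbers and
! the community value are illustrative assumptions.
ip bgp-community new-format

! ---- 1. On EVERY edge router: the agreed discard next-hop points at Null0.
!         Any BGP route whose next-hop resolves to 192.0.2.1 is dropped in
!         hardware at the router where the attack traffic enters.
ip route 192.0.2.1 255.255.255.255 Null0

! ---- 2. On the trigger router: install a tagged /32 for the victim and
!         redistribute it into iBGP with the discard next-hop. no-export
!         keeps the /32 inside the AS; as Payam notes, peers will not accept
!         it anyway, and you do not want it leaking.
ip route 203.0.113.7 255.255.255.255 Null0 tag 666
!
router bgp 65000
 redistribute static route-map RTBH-TRIGGER
 neighbor 10.0.0.2 remote-as 65000
 neighbor 10.0.0.2 send-community
!
route-map RTBH-TRIGGER permit 10
 match tag 666
 set ip next-hop 192.0.2.1
 set local-preference 200
 set community 65000:666 no-export
 set origin igp

! ---- 3. On a customer-facing edge router: let the customer trigger the
!         blackhole themselves, but ONLY for a /32 that carries the blackhole
!         community AND lies inside the space that customer may announce.
!         Without the prefix-list check, a customer could blackhole any
!         address on the Internet for all of your users.
ip prefix-list CUST-A-BLACKHOLE seq 5 permit 203.0.113.0/24 ge 32
ip prefix-list CUST-A-ROUTES    seq 5 permit 203.0.113.0/24
ip community-list standard BLACKHOLE permit 65000:666
!
route-map CUST-A-IN permit 10
 match ip address prefix-list CUST-A-BLACKHOLE
 match community BLACKHOLE
 set ip next-hop 192.0.2.1
 set local-preference 200
 set community 65000:666 no-export
!
route-map CUST-A-IN permit 20
 match ip address prefix-list CUST-A-ROUTES
!
router bgp 65000
 neighbor 198.51.100.2 remote-as 64512
 neighbor 198.51.100.2 route-map CUST-A-IN in
 neighbor 198.51.100.2 maximum-prefix 100
```

Two caveats a practitioner would check before relying on this. First, `send-community` is not on by default for IOS iBGP neighbors, and if the iBGP sessions use `next-hop-self` the discard next-hop gets rewritten; either exempt routes carrying 65000:666 from `next-hop-self`, or have each edge match that community inbound and set the next-hop locally. Second, for the peering case Payam raises, the /32 never leaves your AS: the options are the upstream's own published blackhole community, if they offer one, or BGP flowspec (the mechanism Chris Morrow points to, later published as RFC 5575), which carries a match-and-discard rule rather than a route and so does not depend on the peer accepting /32s.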


Re: mitigating botnet C&Cs has become useless

2006-08-13 Thread Laurence F. Sheldon, Jr.


Danny McPherson wrote:

> On Aug 13, 2006, at 8:35 AM, Laurence F. Sheldon, Jr. wrote:
>
> > Danny McPherson wrote:
> >
> > > As importantly, broadband SPs are trying to move to triple (quad)
> > > play services, how tolerant do you think your average subscriber
> > > is to losing cable television services because their kid
> > > downloaded some malware?
> >
> > At least one of us would applaud an effort to hold people
> > accountable for what they and their kids do.
>
> Oops, I see how you could spin it that way...  Let me spin it back..
>
> What if the malware your kid's PC (or better yet, your PC) was just 
> infected with came through a virus received in email for which no fix
> was currently available and the resident AV solution was unaware?

Sorry you weren't able to get the spin you wanted, but I still think 
that if people want to use email readers that execute the messages 
instead of displaying them in plain text without seizure inducing 
jiggles, without root kits, without all the rest of the malware spectrum 
they ought to be held accountable for that action.

Their choice, let them pay for it.

> Now you can't watch the game tonight, or your favorite show, or use 
> skype to chat with your daughter in Europe, or check your email, [or 
> call 911?] all because the malware triggered something on the network
> side that resulted in you being "walled gardened"?

If it is my house, it won't happen twice, I betcha.

And if you want to sell a service that allows misbehaviour without 
penalty to your misbehaving customers, more power to you.

But don't make _ME_ pay for it.

> My position here is aligned with Sean's and Arjan's.  IF you were
> able to offer any such "walled-garden" services it's not simply a
> binary  thing, there's a large array of variables that need to be
> accounted for technically - entirely independent of the economic ones
> surrounding services that are hardly profitable already.
>
> I believe there exists a significant opportunity here for such value-
> adds for broadband and other services alike, but it's at least
> initially going to be a rather complicated one.

This morning's Omaha Weird Harold has a front-page item about the City 
installing free wiffy hotspots around town.  It may be time for you to 
reconsider the options on the buggy-whip plant.

--
Requiescas in pace o email

Ex turpi causa non oritur actio

http://members.cox.net/larrysheldon/




nanog@merit.edu

2006-08-13 Thread Payam Tarverdyan Chychi

I’ve been reading on this subject for the last several weeks and it seems
as if everyone just likes to come up with out-of-the-box ideas that are
not realistic for today’s network environments.

>> J.Oquendo, thanks for the Smurf example … as there are still
admins/engineers at large networks that have no clue as to what they
are doing… so QoS is for sure out of the question.. at least at this
time.

Depending on agents to take action and protect our networks is an even
bigger joke. Back in the late 90s when kiddies were using the simplest types
of C&C, wide-open IRC networks with visible channels and no encryption…
agents couldn’t do anything unless the attack was big enough to take
down Amazon, Yahoo, Microsoft or some other major provider with enough $$$
to start an investigation.

So what makes you think that agents are of any help in today’s world where
C&Cs have gotten so much more sophisticated, use backup private servers,
encryption, tunneling and much, much more..

In my opinion, the only way to really start cracking down on C&C and put
an end to it is the cooperation of major ISPs. I realize that most ISPs
can't/won't set up a security team just to investigate C&C / attacks (would
this really fall under the Abuse team?) but perhaps if all major networks
worked together and created an active DB list of C&Cs found either on their
networks or attacking one's network… then it would be much, much easier to
trace back C&Cs and dispose of them.

Unfortunately, we don’t live in a perfect world and most ISPs hate
sharing any information… I guess it's better for them to have a bigger ego
than a safer / more stable network…

Please feel free to correct me if I am wrong…

-Payam

>
>> Subject: what can be done with botnet C&C's?
>
>
>> "I work on this [C&C] for 30 days, only to find out one of you took it
>> down."  -- US Federal Agent, two days ago, ISOI (DA Workshop).
>
> Oddly agents have resources right in front of them to assist them
> (CALEA, and other totalitarian laws) and yet they fail to use
> these resources properly only optioning to promote newer and even
> more stupider laws.
>
>> And still, sticking to networking issues, as obviously we cannot yet
>> depend on law enforcement to protect our networks for us, how do we
>> handle
>> C&C's?
>
> Where in the rule book does it state that LEAs are here to protect
> any network. I say it begins with the CSO's, managers, engineers (both
> network and security engineers.) Bear in mind cross-jurisdiction
> across international boundaries.
>
>
>> When we kill them (and by "kill" I naturally mean "report our suspicion
>> to the responsible authority so they can investigate, confirm and
>> proceed
>> according to their AUP") we kill them, but only to our knowledge. They
>> immediately move elsewhere we do not know about in our space or someone
>> else's, maybe misplacing an extremely smallish percentage of their
>> population while they are at it.
>
> Let's be realistic about this. Most providers in the US at least have
> some form of CALEA capabilities which can monitor what is coming from
> where in order to filter networks.
>
>> Okay, say I am right... What *can* we do?
>
> Re-write AUP's from the ISP level blocking out and allowing out on a
> needed basis. For those BOTNETS utilizing IRC, they'll be nipped at
> the bud, for those in these networks truly utilizing IRC and other
> similar venues, an ISP could either set up their own server and link
> to other servers, or the IRC user themselves are almost always
> smart enough to figure out how to jump on an IRC server.
>
>> We can take advantage:
>> 1. QoS and traffic limiting tools.
>> Many tools created in recent years, and used extensively by many ISP's,
>> regardless of any Net Neutrality legislation, are at our disposal and
>> already implemented on our networks.
>
> QoS is a joke. The problem with QoS is a configuration issue. How many
> networks are still allowing broadcasts (Smurf). What makes one think
> that if they can't configure simple RFC filtering and containment of
> broadcast, they'd be able/capable/willing to configure QoS. Outside of
> this, the biggest argument will be a "not in my backyard" issue of
> "why are you filtering our traffic."
>
>> Much like, for business reasons, many of us would limit P2P, how about
>> limiting the traffic to compromised users?
>
>> How, what and when is up to you.
>
> Laziness. Come on now, and by the way greeting Gadi, you should know
> offhand the slack that comes from lazy admins unwilling to do squat
> but read this in the background and continue eating ho-ho's and
> donuts.
>
>> Watch the flows, block the users from communicating out to them. Watch
>> these users and see where else they are communicating in comparison to
>> other users, en-masse.
>
> Breaking laws here if you ask me. Watching flows. Isn't this an illegal
> wiretap.
>
>> 4. Stop internal network infections. It is unbelievable how the networks
>> with the most bots are the networks t

nanog@merit.edu

2006-08-13 Thread J. Oquendo

> Subject: what can be done with botnet C&C's?


> "I work on this [C&C] for 30 days, only to find out one of you took it
> down."  -- US Federal Agent, two days ago, ISOI (DA Workshop).

Oddly agents have resources right in front of them to assist them
(CALEA, and other totalitarian laws) and yet they fail to use
these resources properly only optioning to promote newer and even
more stupider laws.

> And still, sticking to networking issues, as obviously we cannot yet
> depend on law enforcement to protect our networks for us, how do we handle
> C&C's?

Where in the rule book does it state that LEAs are here to protect
any network. I say it begins with the CSO's, managers, engineers (both
network and security engineers.) Bear in mind cross-jurisdiction
across international boundaries.


> When we kill them (and by "kill" I naturally mean "report our suspicion
> to the responsible authority so they can investigate, confirm and proceed
> according to their AUP") we kill them, but only to our knowledge. They
> immediately move elsewhere we do not know about in our space or someone
> else's, maybe misplacing an extremely smallish percentage of their
> population while they are at it.

Let's be realistic about this. Most providers in the US at least have
some form of CALEA capabilities which can monitor what is coming from
where in order to filter networks.

> Okay, say I am right... What *can* we do?

Re-write AUP's from the ISP level blocking out and allowing out on a
needed basis. For those BOTNETS utilizing IRC, they'll be nipped at
the bud, for those in these networks truly utilizing IRC and other
similar venues, an ISP could either set up their own server and link
to other servers, or the IRC user themselves are almost always
smart enough to figure out how to jump on an IRC server.

> We can take advantage:
> 1. QoS and traffic limiting tools.
> Many tools created in recent years, and used extensively by many ISP's,
> regardless of any Net Neutrality legislation, are at our disposal and
> already implemented on our networks.

QoS is a joke. The problem with QoS is a configuration issue. How many
networks are still allowing broadcasts (Smurf). What makes one think
that if they can't configure simple RFC filtering and containment of
broadcast, they'd be able/capable/willing to configure QoS. Outside of
this, the biggest argument will be a "not in my backyard" issue of
"why are you filtering our traffic."

> Much like, for business reasons, many of us would limit P2P, how about
> limiting the traffic to compromised users?

> How, what and when is up to you.

Laziness. Come on now, and by the way greeting Gadi, you should know
offhand the slack that comes from lazy admins unwilling to do squat
but read this in the background and continue eating ho-ho's and
donuts. 

> Watch the flows, block the users from communicating out to them. Watch
> these users and see where else they are communicating in comparison to
> other users, en-masse.

Breaking laws here if you ask me. Watching flows. Isn't this an illegal
wiretap.

> 4. Stop internal network infections. It is unbelievable how the networks
> with the most bots are the networks that allow internal users to connect
> wherever they want within the network.

Re-read my lazy admin donut syndrome.

> My answer is this, if you fail to remove a spy, as another would just take
> his place, wouldn't you rather know where that spy is and work to take
> him down for good?

One thing that will end up happening as is evident is, you will
end up creating a smarter and smarter botnet. Filter from here, they
move, filter this port, they jump. Most network admins know how to
entirely block these things but they don't. How about a completely
new approach via AUP. "Welcome to Foofoo Network's your ISP. We allow
SMTP, HTTP, HTTPS, IM." Period. No need to keep the other 65531 ports
open.

> Do you know who your local fed is?

Definitely not on Clue Avenue. If they were there would be no need
to try and impose LawB atop LawA which never worked in the first
place.

> I would like to hear some opinions on what networks can do, economically,
> from people here. Please stick to network operations issues.

>Gadi.

Here is my opinion... Responsibility on both ends. For the user and
the provider.

The One-Two punch

1) For an ISP something like Campus Manager would work
wonders (http://www.bradfordnetworks.com/products/security.html).
Configured in the background it can take machines and shove them
into a non useable VLAN until they get their act together.

2) Client breaching Terms of Service agreements? Hold them
accountable.

Users are responsible for their own machines:


UserA buys a gun and keeps it in his house.

UserA does not buy a safe or take necessary precautions to
safeguard his gun.

LuzerB uses that gun for a crime.

LuzerC (UserA's son or daughter brings it to show and tell)

LuzerD (UserA's neighbor blows his brain out via Russian Roulette)


In all of these in

Re: mitigating botnet C&Cs has become useless

2006-08-13 Thread Danny McPherson



On Aug 13, 2006, at 8:35 AM, Laurence F. Sheldon, Jr. wrote:

> Danny McPherson wrote:
>
>> As importantly, broadband SPs are trying to move to triple (quad)
>> play services, how tolerant do you think your average subscriber is
>> to losing cable television services because their kid downloaded some
>> malware?
>
> At least one of us would applaud an effort to hold people
> accountable for what they and their kids do.

Oops, I see how you could spin it that way...  Let me spin it back..

What if the malware your kid's PC (or better yet, your PC) was just
infected with came through a virus received in email for which no fix
was currently available and the resident AV solution was unaware?

Now you can't watch the game tonight, or your favorite show, or use
skype to chat with your daughter in Europe, or check your email, [or
call 911?] all because the malware triggered something on the network
side that resulted in you being "walled gardened"?

My position here is aligned with Sean's and Arjan's.  IF you were able
to offer any such "walled-garden" services it's not simply a binary
thing, there's a large array of variables that need to be accounted for
technically - entirely independent of the economic ones surrounding
services that are hardly profitable already.

I believe there exists a significant opportunity here for such value-
adds for broadband and other services alike, but it's at least initially
going to be a rather complicated one.

-danny






Re: mitigating botnet C&Cs has become useless

2006-08-13 Thread Laurence F. Sheldon, Jr.


Danny McPherson wrote:

> As importantly, broadband SPs are trying to move to triple (quad)
> play services, how tolerant do you think your average subscriber is
> to losing cable television services because their kid downloaded some
> malware?

At least one of us would applaud an effort to hold people accountable 
for what they and their kids do.

There _is_ precedent.  Any old 'phone folk around that can tell us about 
an "NPD for high toll"?


--
Requiescas in pace o email

Ex turpi causa non oritur actio

http://members.cox.net/larrysheldon/




Re: mitigating botnet C&Cs has become useless

2006-08-13 Thread Danny McPherson



On Aug 9, 2006, at 4:04 AM, Arjan Hulsebos wrote:

> Maybe so, but that argument doesn't buy me more helpdesk folks. The
> same holds true for the bandwidth argument, especially now that
> bandwidth is dirt cheap.
>
> On the other hand, it shouldn't be too difficult to come up with a
> walled garden profile for subs that have infected PCs, basically
> allowing only access to a filtering proxy, so these subs can download
> their patches and antivirus updates through it.

In addition to "they still need to be able to download patches and
attempt to fix their system" you may not be able to shut off all
services for the subscriber regardless - e.g., they've got voice services
and you're killing their emergency dialing capabilities?

As importantly, broadband SPs are trying to move to triple (quad)
play services, how tolerant do you think your average subscriber is
to losing cable television services because their kid downloaded some
malware?

Minimizing subscriber churn and targeting profitable services are
critical; most of these solutions today only make the problem worse - when
something breaks with vanilla Internet access the first person the
subscriber calls is the SP, and the resource cost for fielding those
calls exceeds even that of the amortized capital costs for the service -
tearing deeper into losses.

I half believe that Net Neutrality itself wouldn't be an issue if
operators were able to run profitable businesses in broadband service
markets. Adding security to the mix only compounds the problem.

-danny
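The two mechanisms argued over in this thread, J. Oquendo's default-deny subscriber AUP (only SMTP, HTTP, HTTPS and IM leave the network) plus his quarantine-VLAN idea, and the walled-garden profile Arjan and Danny describe that must keep patch/AV downloads, DNS and emergency voice reachable for an infected subscriber, can be sketched together as a single policy. The block below is an added example and is not code from any poster or from any provider; every address, prefix, port list and flow record in it is constructed for illustration, and the C&C list stands in for the cross-provider list Payam asks for.

```python
"""Walled-garden policy for infected broadband subscribers (added example).

Not code from any poster in this thread. It models two ideas argued above:
the default-deny subscriber AUP ("we allow SMTP, HTTP, HTTPS, IM. Period.")
and a per-subscriber walled garden that still lets an infected host reach
the provider's filtering proxy / patch mirrors, resolver and voice gateway
so emergency dialing keeps working. Every address, port and list below is
a constructed assumption, not a real provider's infrastructure.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One outbound flow record as an edge router would export it (constructed)."""
    src: str     # subscriber address
    dst: str     # destination address
    proto: str   # "tcp" or "udp"
    dport: int


# Known C&C endpoints as (dst, proto, port). Constructed; in practice this
# would be the list shared between providers that Payam asks for above.
CNC_LIST: Set[Tuple[str, str, int]] = {
    ("198.51.100.23", "tcp", 6667),  # classic IRC C&C
    ("203.0.113.9", "tcp", 443),     # C&C that moved onto an AUP-permitted port
}

# Default-deny AUP: only these (proto, port) pairs may leave the network.
AUP_ALLOWED = {("tcp", 25), ("tcp", 80), ("tcp", 443), ("tcp", 5222), ("udp", 53)}

# Walled-garden exemptions as (destination prefix, proto, port or None = any).
# Constructed addresses standing in for the provider's own infrastructure.
GARDEN_EXEMPT = [
    (ip_network("192.0.2.0/28"), "tcp", 80),      # filtering proxy, patch and AV mirrors
    (ip_network("192.0.2.0/28"), "tcp", 443),
    (ip_network("192.0.2.64/32"), "udp", 53),     # provider resolver
    (ip_network("192.0.2.128/29"), "udp", None),  # voice gateway: SIP and RTP, keeps 911 reachable
]
PORTAL_PORT = 80  # other web traffic from a quarantined host lands on the remediation portal


def detect_infected(flows: Iterable[Flow]) -> Set[str]:
    """Subscriber addresses seen talking to a listed C&C endpoint ("watch the flows")."""
    return {f.src for f in flows if (f.dst, f.proto, f.dport) in CNC_LIST}


def _garden_permits(flow: Flow) -> bool:
    """True if a quarantined host may still reach this destination."""
    dst = ip_address(flow.dst)
    return any(
        dst in net and flow.proto == proto and (port is None or flow.dport == port)
        for net, proto, port in GARDEN_EXEMPT
    )


def egress_decision(flow: Flow, quarantined: Set[str]) -> str:
    """Return "allow", "redirect" or "drop" for one outbound flow."""
    if flow.src in quarantined:
        if _garden_permits(flow):
            return "allow"       # patches, DNS and voice still work
        if flow.proto == "tcp" and flow.dport == PORTAL_PORT:
            return "redirect"    # captive portal tells the subscriber why
        return "drop"            # everything else, including the C&C channel
    return "allow" if (flow.proto, flow.dport) in AUP_ALLOWED else "drop"


# Constructed flow sample: a bot on IRC, a clean host, and a bot hiding on 443.
SAMPLE_FLOWS: List[Flow] = [
    Flow("100.64.0.10", "198.51.100.23", "tcp", 6667),  # bot -> IRC C&C
    Flow("100.64.0.10", "192.0.2.130", "udp", 5060),    # same host, SIP to voice gateway
    Flow("100.64.0.10", "192.0.2.3", "tcp", 443),       # same host, AV update via proxy
    Flow("100.64.0.10", "203.0.113.50", "tcp", 80),     # same host, ordinary web
    Flow("100.64.0.11", "203.0.113.50", "tcp", 443),    # clean host, HTTPS
    Flow("100.64.0.11", "198.51.100.77", "tcp", 6667),  # clean host, IRC to an unlisted server
    Flow("100.64.0.12", "203.0.113.9", "tcp", 443),     # bot -> C&C on an allowed port
]


def run(flows: Iterable[Flow] = SAMPLE_FLOWS):
    """Quarantine C&C talkers, then decide every flow under the resulting policy."""
    flows = list(flows)
    quarantined = detect_infected(flows)
    decisions = [(f.src, f.dst, f.dport, egress_decision(f, quarantined)) for f in flows]
    return quarantined, decisions


if __name__ == "__main__":
    q, rows = run()
    print("quarantined:", sorted(q))
    for row in rows:
        print(row)
```

Two things the sample shows that the messages only assert. First, the clean host's IRC session to an unlisted server is dropped by the default-deny AUP alone, while the bot on 203.0.113.9:443 would sail through that same AUP; it is only caught because the flow data is matched against the C&C list, which is Oquendo's "filter this port, they jump" point in miniature. Second, the quarantined host keeps SIP to the voice gateway and HTTPS to the patch proxy, loses its IRC C&C channel, and has ordinary web traffic redirected to a portal, which is the non-binary walled garden Danny describes rather than a dead port. In a real deployment the quarantined set would drive a quarantine VLAN or policy-based routing on the edge router, not a Python function.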