....or when I initiate offsite backups. I've seen ISPs that react to just traffic bursts. It's not the way to go without more intelligent decision making on the content (i.e. SMTP, all SYNs, etc). Of course, content inspection is a whole 'nother hornet's nest :)

- S

-----Original Message-----
From: Lee <ler762@gmail.com>
Sent: Friday, October 09, 2009 19:41
To: nanog@nanog.org <nanog@nanog.org>
Subject: Re: Dutch ISPs to collaborate and take responsibility

On 10/9/09, Rich Kulawiec <rsk@gsp.org> wrote:
> On Wed, Oct 07, 2009 at 06:25:53AM -0700, Owen DeLong wrote:
>> Additionally the problems of DDOS sourced from a collection of compromised hosts could be interfering with someone else's ability to make a successful VOIP call.
>
> Much more than that: they could be interfering with the underlying infrastructure, or they could be attacking the VOIP destination, or they could be making fake VOIP calls (see below), or they could be doing ANYTHING. A compromised system is enemy territory, which is why:
>
>> This blocking should be as narrow as possible.
>
> Blocking should be total. A compromised system is as much enemy-controlled as if it were physically located at the RBN. Trying to figure out which of externally-visible behaviors A, B, C, etc. it exhibits might be malicious and which might not be is a loss,
If an ISP is involved with tracking down DDOS participants or something, I can understand how they'd know a system was compromised. But any kind of blocking because the ISP sees 'anomalous' traffic seems ... premature at best.

SANS NewsBites has this bit:

  On Thursday, October 8, Comcast began testing a service that alerts its broadband subscribers with pop-ups if their computers appear to be infected with malware. Among the indicative behaviors that trigger alerts are spikes in overnight traffic, suggesting the machine has been compromised and is being used to send spam.

When my son comes home from college, there's a huge spike in overnight traffic from my house.

With all the people advocating immediate blocking of pwned systems in this thread, I'm wondering what their criteria are for deciding that the system is compromised & should be blocked.

Lee
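The disagreement in the thread is about the trigger, not the response: a raw byte-volume spike catches the offsite backup and the college kid's overnight downloads just as readily as a spambot, while looking at what the traffic is (outbound SMTP fan-out, SYN-only flows) separates the two. The following is an added example, not code from anyone in the thread; the flow records, thresholds (500 MB volume, 50 distinct SMTP destinations, 90% SYN-only over at least 1000 flows) and host addresses are all constructed to illustrate the point.

```python
# Added example: naive volume-spike trigger vs. a content-aware rule.
# All flow records and thresholds are constructed sample data.
from collections import defaultdict

# Each flow record: (src, dst, dport, bytes_out, syn_only)
# syn_only=True means a SYN was sent but no handshake completed.

def flows_backup_host(n=40):
    """Constructed: one host pushing a large offsite backup to one destination over SSH."""
    return [("10.0.0.5", "203.0.113.10", 22, 50_000_000, False) for _ in range(n)]

def flows_spam_host(n=400):
    """Constructed: one host opening many small SMTP sessions to many distinct mail servers."""
    return [("10.0.0.9", f"198.51.100.{i % 250}", 25, 8_000, False) for i in range(n)]

def flows_syn_flood_host(n=5000):
    """Constructed: one host emitting half-open connections to a single target."""
    return [("10.0.0.7", "192.0.2.1", 80, 60, True) for _ in range(n)]

BYTES_SPIKE = 500_000_000  # constructed threshold: total outbound bytes in the window

def naive_spike_rule(flows):
    """Flag any source whose outbound byte volume exceeds the threshold, content ignored.
    This is the 'spike in overnight traffic' criterion the thread objects to."""
    per_host = defaultdict(int)
    for src, _dst, _dport, nbytes, _syn in flows:
        per_host[src] += nbytes
    return {h for h, b in per_host.items() if b >= BYTES_SPIKE}

SMTP_DISTINCT_DST = 50   # constructed: distinct port-25 destinations per source
SYN_ONLY_MIN = 1000      # constructed: minimum flows before the SYN ratio is trusted
SYN_ONLY_RATIO = 0.9     # constructed: fraction of flows that never completed a handshake

def content_aware_rule(flows):
    """Flag sources by behaviour that looks like abuse regardless of byte volume.
    Returns {src: [reasons]} so an operator can see why a host was flagged."""
    smtp_dsts = defaultdict(set)
    syn_only = defaultdict(int)
    total = defaultdict(int)
    for src, dst, dport, _nbytes, is_syn_only in flows:
        total[src] += 1
        if dport == 25:
            smtp_dsts[src].add(dst)      # fan-out to many mail servers, not volume
        if is_syn_only:
            syn_only[src] += 1
    flagged = {}
    for src, count in total.items():
        reasons = []
        if len(smtp_dsts[src]) >= SMTP_DISTINCT_DST:
            reasons.append("smtp-fanout")
        if count >= SYN_ONLY_MIN and syn_only[src] / count >= SYN_ONLY_RATIO:
            reasons.append("syn-only")
        if reasons:
            flagged[src] = reasons
    return flagged

if __name__ == "__main__":
    everything = flows_backup_host() + flows_spam_host() + flows_syn_flood_host()
    print("naive volume rule flags:  ", sorted(naive_spike_rule(everything)))
    print("content-aware rule flags: ", content_aware_rule(everything))
```

Run over all three constructed hosts, the volume rule flags only the backup host (the false positive Lee describes) and misses both abusive hosts, whose traffic is small; the content-aware rule flags the SMTP fan-out and the SYN-only source and leaves the backup alone. The reasons list is what an ISP would want to show the subscriber before any blocking, narrow or total.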