On Wed, Oct 07, 2009 at 06:25:53AM -0700, Owen DeLong wrote:
> Additionally the problems of DDOS sourced from a collection of compromised hosts could be interfering with someone else's ability to make a successful VOIP call.
Much more than that: they could be interfering with the underlying infrastructure, or they could be attacking the VOIP destination, or they could be making fake VOIP calls (see below), or they could be doing ANYTHING. A compromised system is enemy territory, which is why:
> This blocking should be as narrow as possible.
Blocking should be total. A compromised system is as much enemy-controlled as if it were physically located at the RBN. Trying to figure out which of externally-visible behaviors A, B, C, etc. it exhibits might be malicious and which might not be is a loss, doubly so given that many of the attacks launched by such systems are of a distributed nature and thus are very difficult to infer solely by observation of one system. Moreover, there is no way to know, given a current observation of behavior A, whether or not behavior B will begin, when it will begin, or what it will be.

For example, there's no way to know that a supposed VOIP call to 911 from that system is actually being made by a human being. It's certainly well within the capabilities of malware to place such a call -- and abuses of 911 in efforts to misdirect authorities are well-known. (See "swatting". And note that nothing stops a botnet equipped with appropriate s/w from launching a number of such calls in sequence, with what I think are predictable consequences.)

The bottom line is that once a system is compromised, all bets are off. Nothing it does can be trusted by anyone: not its *former* owners, not the network operator, not anyone in receipt of its traffic. So the only logical course of action is to cut it off completely, as quickly as possible, and keep it that way until it's properly fixed. (Which of course involves booting from known-clean media, restoring apps from known-clean sources, scanning all user data, etc. Booting from known-infected media is an obvious and immediate fail.)

---Rsk