Re: Death of the Internet, Film at 11
From: Mike Hammett <nanog@ics-il.net> "taken all necessary steps to insure that none of the numerous specific types of CCTV thingies that Krebs and others identified"
Serious question... how?
Well their addresses are now known so one way would be for each ISP to drop traffic from them. If people don't fix them why should these devices stay on the net? If say Comcast has a million of them it might be tricky to scale but not impossible. It'd take a bit of effort and care to aggregate and disseminate the data to each responsible AS; there'd be risk of bad guys getting the data and false positives/people spoofing to attack others. They'd also be building a tool that some might try to hijack for other purposes. None of that is an excuse to do nothing, as is usually the result with any suggested measure that involves doing work to fix a problem. I know ISPs generally don't want the support calls but they'll end up with them and a legislative burden with commercial liability if they don't sort it out themselves.

brandon
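The "aggregate and disseminate the data to each responsible AS" step above is the part that takes real care, so here is an added worked example of it. This is illustration code written for this page, not anything posted in the thread or run by any operator named in it. It takes a feed of reported device addresses, finds the origin AS for each by longest-prefix match against a routing table, groups the addresses per AS, and emits host-route drop entries, while setting aside anything that matches no prefix (unrouted or spoofed sources) rather than blocking it. The feed, the prefix table and the AS numbers (64500-64502, from the private range) are all constructed for the example.

```python
"""
Added example for the NANOG thread above (not from the thread itself).

Maps a list of addresses reported as compromised devices to the AS
responsible for each, so the list can be split up and handed to each
operator, and emits per-AS drop entries.

Everything below is constructed sample data:
  - ROUTE_TABLE stands in for a BGP RIB / whois dump (prefix -> origin AS).
  - INFECTED is a made-up feed of reported addresses, including noise.
ASNs 64500-64502 are private-use numbers, not real operators.
"""
import ipaddress
from collections import defaultdict

# Constructed prefix -> origin AS table (assumption: one origin per prefix)
ROUTE_TABLE = {
    "198.51.100.0/24": 64500,
    "198.51.100.128/25": 64501,   # more specific, different origin
    "203.0.113.0/24": 64502,
    "2001:db8:1::/48": 64500,
}

# Constructed feed of reported device addresses
INFECTED = [
    "198.51.100.10",
    "198.51.100.200",   # inside the /25, so AS64501, not AS64500
    "203.0.113.7",
    "203.0.113.7",      # duplicate report, must not double-count
    "2001:db8:1::42",
    "192.0.2.9",        # covered by no prefix: unrouted or spoofed source
    "not-an-ip",        # garbage in the feed
]


def build_rib(table):
    """Parse the table and order it most-specific first, so that the
    first matching entry is the longest-prefix match."""
    nets = [(ipaddress.ip_network(p), asn) for p, asn in table.items()]
    nets.sort(key=lambda na: na[0].prefixlen, reverse=True)
    return nets


def origin_as(addr, rib):
    """Return the origin AS covering addr, or None if nothing covers it."""
    for net, asn in rib:
        if addr.version == net.version and addr in net:
            return asn
    return None


def assign(infected, table):
    """Group reported addresses by responsible AS.

    Returns (per_as, unassigned): per_as maps ASN -> set of addresses;
    unassigned lists (raw_entry, reason) for feed lines that could not be
    attributed to an AS and therefore must not be turned into drops."""
    rib = build_rib(table)
    per_as = defaultdict(set)
    unassigned = []
    for raw in infected:
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            unassigned.append((raw, "unparseable"))
            continue
        asn = origin_as(addr, rib)
        if asn is None:
            unassigned.append((raw, "no covering prefix"))
        else:
            per_as[asn].add(addr)   # set membership de-duplicates reports
    return per_as, unassigned


def drop_entries(addrs):
    """Host routes only (/32 or /128). Never widen to the covering prefix,
    or one bad device would black-hole its neighbours."""
    return sorted(f"{a}/{a.max_prefixlen}" for a in addrs)


def report(per_as, unassigned):
    """One text block per AS, suitable for handing to that operator,
    followed by the entries that were deliberately not actioned."""
    lines = []
    for asn in sorted(per_as):
        lines.append(f"AS{asn}: {len(per_as[asn])} host(s)")
        lines.extend("  drop " + e for e in drop_entries(per_as[asn]))
    for raw, why in unassigned:
        lines.append(f"UNASSIGNED {raw!r}: {why}")
    return lines


if __name__ == "__main__":
    groups, leftovers = assign(INFECTED, ROUTE_TABLE)
    print("\n".join(report(groups, leftovers)))
```

The two design points worth keeping from this are the ones Brandon's message hints at: the drop list is host routes only, never the covering prefix, and anything the routing table cannot attribute is reported rather than dropped, which is where spoofed or stale entries in the feed would otherwise turn into collateral damage.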
"their" Whose addresses are known and who are they known to? I certainly don't know the addresses of anyone involved. Some work can produce Dyn allocations, I suppose. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com ----- Original Message ----- From: "Brandon Butterworth" <brandon@rd.bbc.co.uk> To: nanog@ics-il.net Cc: nanog@nanog.org Sent: Saturday, October 22, 2016 9:22:55 AM Subject: Re: Death of the Internet, Film at 11
On Sat, Oct 22, 2016 at 03:22:55PM +0100, Brandon Butterworth wrote:
Well their addresses are now known so one way would be for each ISP to drop traffic from them. If people don't fix them why should these devices stay on the net?
Bingo. The manufacturer of these decided to build them as cheaply as possible in order to maximize profit. They neglected even rudimentary security and maintenance/update measures. Because they could. Because they chose to. They thus shifted the burden, and thus the cost, of running them in a secure fashion onto us. Yesterday everyone paid that cost. It's time to shift the cost back. Drop all their traffic and when the support calls come, tell them that they bought a known-defective device which is an operational hazard to the network, and refer them to the manufacturer for replacement/repair/refund. Note: every other vendor out there who might be tempted to cut corners is no doubt watching this and trying to gauge whether they can do the same.

---rsk
participants (3)
- Brandon Butterworth
- Mike Hammett
- Rich Kulawiec