Re: botnets: web servers, end-systems and Vint Cerf
michael.dillon@bt.com wrote:
You misunderstand. The problem of securing machines *IS* solved. It is possible. It is regularly done with servers connected to the Internet. There is no *COMPUTING* problem or technical problem. The problem of the 100 million machines is a social or business problem. We know how they can be secured, but the solution is not being implemented.
--Michael Dillon
After all these years, I'm still surprised a consortium of ISPs haven't figured out a way to do something à la Packet Fence for their clients where, whenever an infected machine is detected after logging in, that machine is thrown into say a VLAN with instructions on how to clean their machines before they're allowed to go further and stay online. If you ask me, traffic providers (NSPs/NAPs) and ISPs don't mind this garbage coming out of their networks; if they did they'd actually band together and do something about it. It's obvious those charging for traffic will say little. Minimized traffic means minimized revenue. All I see is "No we despise that kind of traffic" along with a shrug and nothing being done about it. I'm sure if some legislative body somewhere started levying fines against providers, the net would be a cleaner place. For comments on 100 million infected machines... Doubtable. Anyone can play fuzzy math games, heck I just strangely figured out that MS is costing me an arm and a leg! http://www.merit.edu/mail.archives/nanog/msg04755.html
--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net
The happiness of society is the end of government. John Adams
On Fri, 16 Feb 2007, J. Oquendo wrote:
After all these years, I'm still surprised a consortium of ISPs haven't figured out a way to do something à la Packet Fence for their clients where, whenever an infected machine is detected after logging in, that machine is thrown into say a VLAN with instructions on how to clean their machines before they're allowed to go further and stay online.
All very nice. This sort of thing has been detailed a few dozen times by various people. Doing this is not hard from a technical point of view (which isn't to say it won't cost a lot of money to implement). The hard bit is creating a business case to show how spending the money to implement it and then wearing the cost of pissed off customers results in a net gain to the bottom line. If someone could actually do a survey to show how much each bot infested customer is costing their ISP then people might be able to do something. Right now AFAIK an extra 10,000 botted customers costs the average ISP no more than a dozen heavy p2p users. On the other hand Port 25 filtering probably is something that has low enough negatives vs the positives for people to actually do.
--
Simon J. Lyall | Very Busy | Web: http://www.darkmere.gen.nz/
"To stay awake all night adds a day to your life" - Stilgar | eMT.
On Fri, 16 Feb 2007, J. Oquendo wrote:
michael.dillon@bt.com wrote:
You misunderstand. The problem of securing machines *IS* solved. It is possible. It is regularly done with servers connected to the Internet. There is no *COMPUTING* problem or technical problem. The problem of the 100 million machines is a social or business problem. We know how they can be secured, but the solution is not being implemented.
--Michael Dillon
After all these years, I'm still surprised a consortium of ISPs haven't figured out a way to do something à la Packet Fence for their clients
A walled garden? Surprisingly, despite little faith on NANOG, quite a few ISPs are now employing these technologies and saving money. Gadi.
where, whenever an infected machine is detected after logging in, that machine is thrown into say a VLAN with instructions on how to clean their machines before they're allowed to go further and stay online. If you ask me, traffic providers (NSPs/NAPs) and ISPs don't mind this garbage coming out of their networks; if they did they'd actually band together and do something about it. It's obvious those charging for traffic will say little. Minimized traffic means minimized revenue. All I see is "No we despise that kind of traffic" along with a shrug and nothing being done about it. I'm sure if some legislative body somewhere started levying fines against providers, the net would be a cleaner place. For comments on 100 million infected machines... Doubtable. Anyone can play fuzzy math games, heck I just strangely figured out that MS is costing me an arm and a leg! http://www.merit.edu/mail.archives/nanog/msg04755.html
J. Oquendo wrote:
After all these years, I'm still surprised a consortium of ISPs haven't figured out a way to do something à la Packet Fence for their clients where, whenever an infected machine is detected after logging in, that machine is thrown into say a VLAN with instructions on how to clean their machines before they're allowed to go further and stay online.
This has been commercially available for quite some time so it would be only up to the providers to implement it. Pete
On Sat, 17 Feb 2007, Petri Helenius wrote:
After all these years, I'm still surprised a consortium of ISPs haven't figured out a way to do something à la Packet Fence for their clients where, whenever an infected machine is detected after logging in, that machine is thrown into say a VLAN with instructions on how to clean their machines before they're allowed to go further and stay online. This has been commercially available for quite some time so it would be only up to the providers to implement it.
Public ISPs have been testing these types of systems for over 5 years. What sorts of differences can you think of that would explain why public ISPs have found them not very effective? Public ISPs have been using walled gardens for a long time for user registration and collecting credit card information. So they know how to implement walled gardens. But what happens when public ISPs use it for infected machines?
On Sat, 17 Feb 2007, Sean Donelan wrote:
On Sat, 17 Feb 2007, Petri Helenius wrote:
After all these years, I'm still surprised a consortium of ISPs haven't figured out a way to do something à la Packet Fence for their clients where, whenever an infected machine is detected after logging in, that machine is thrown into say a VLAN with instructions on how to clean their machines before they're allowed to go further and stay online. This has been commercially available for quite some time so it would be only up to the providers to implement it.
Public ISPs have been testing these types of systems for over 5 years. What sorts of differences can you think of that would explain why public ISPs have found them not very effective?
Public ISPs have been using walled gardens for a long time for user registration and collecting credit card information. So they know how to implement walled gardens. But what happens when public ISPs use it for infected machines?
Many already do, successfully. When I say many I actually mean I know of 6. 3 of them huge, 3 of them relatively small.
On Sat, 17 Feb 2007, Gadi Evron wrote:
Public ISPs have been testing these types of systems for over 5 years. What sorts of differences can you think of that would explain why public ISPs have found them not very effective?
Public ISPs have been using walled gardens for a long time for user registration and collecting credit card information. So they know how to implement walled gardens. But what happens when public ISPs use it for infected machines?
Many already do, successfully.
When I say many I actually mean I know of 6. 3 of them huge, 3 of them relatively small.
Interesting use of the word "many." Many people use Multics. I know of "many" more that have tested it and returned it to various vendors. There are several tough problems people are still trying to solve.
On Sat, 17 Feb 2007, Sean Donelan wrote:
On Sat, 17 Feb 2007, Gadi Evron wrote:
Public ISPs have been testing these types of systems for over 5 years. What sorts of differences can you think of that would explain why public ISPs have found them not very effective?
Public ISPs have been using walled gardens for a long time for user registration and collecting credit card information. So they know how to implement walled gardens. But what happens when public ISPs use it for infected machines?
Many already do, successfully.
When I say many I actually mean I know of 6. 3 of them huge, 3 of them relatively small.
Interesting use of the word "many." Many people use Multics.
:))
I know of "many" more that have tested it and returned it to various vendors. There are several tough problems people are still trying to solve.
Yes, but that is because the successful ISPs currently often implement their own if they have the resources and R&D power. The really big ones have it automated, the small ones have it limited to be "activated by an abuse desk person". Gadi.
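A small model of the mechanism this sub-thread argues about, covering Oquendo's proposal (detect an infected machine at login, move it to a remediation VLAN with clean-up instructions), Simon Lyall's port 25 filtering point, and Gadi's split between fully automated systems at big ISPs and "activated by an abuse desk person" at small ones. It is an added example, not code from any of the posters, from Packet Fence, or from any ISP's own system. The event format, subscriber ids, VLAN numbers, thresholds, CIDR and relay address are constructed assumptions; the RADIUS Tunnel-* attribute names and values are the standard ones used for dynamic VLAN assignment, everything else is illustrative.

```python
"""Toy ISP "walled garden" for infected subscribers (added example, not any
ISP's or poster's code; all ids, VLANs, thresholds and addresses are assumed).

Policy modelled:
  * detection events (sinkhole hits, abuse reports, flow anomalies) are
    counted per subscriber account over a sliding time window;
  * a subscriber is moved to the remediation VLAN only when enough events from
    enough distinct sources corroborate each other (limits false positives,
    which are what drive the churn cost raised in the thread);
  * AUTO mode applies the move immediately, MANUAL mode stages it until an
    abuse-desk operator confirms;
  * separately, outbound TCP/25 from subscriber space is blocked except to the
    ISP's own relay (the "port 25 filtering" point).
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    AUTO = "auto"      # large ISP: fully automated
    MANUAL = "manual"  # small ISP: staged until the abuse desk confirms


@dataclass
class Event:
    ts: int          # unix seconds (constructed)
    subscriber: str  # account id, not an IP, so DHCP churn does not matter
    source: str      # "sinkhole", "abuse-report" or "flow-anomaly"


REMEDIATION_VLAN = 666  # assumed VLAN ids
NORMAL_VLAN = 100


def vlan_attributes(vlan_id):
    """RADIUS attributes a NAS uses for dynamic VLAN assignment (RFC 2868)."""
    return {
        "Tunnel-Type": 13,             # VLAN
        "Tunnel-Medium-Type": 6,       # IEEE-802
        "Tunnel-Private-Group-ID": str(vlan_id),
    }


class WalledGarden:
    def __init__(self, mode, threshold=2, min_sources=2, window=3600):
        self.mode = mode
        self.threshold = threshold      # events needed inside the window
        self.min_sources = min_sources  # distinct detection sources needed
        self.window = window            # seconds
        self.events = defaultdict(deque)
        self.quarantined = set()
        self.pending = set()

    def observe(self, ev):
        q = self.events[ev.subscriber]
        q.append(ev)
        while q and q[0].ts < ev.ts - self.window:   # age out old events
            q.popleft()
        if ev.subscriber in self.quarantined:
            return "already-quarantined"
        sources = {e.source for e in q}
        if len(q) >= self.threshold and len(sources) >= self.min_sources:
            if self.mode is Mode.AUTO:
                self.quarantined.add(ev.subscriber)
                return "quarantined"
            self.pending.add(ev.subscriber)
            return "pending-abuse-desk"
        return "ok"

    def abuse_desk_confirm(self, subscriber):
        """Operator action in MANUAL mode; returns True if a move was applied."""
        if subscriber not in self.pending:
            return False
        self.pending.discard(subscriber)
        self.quarantined.add(subscriber)
        return True

    def release(self, subscriber):
        """Called once the subscriber completes the portal's clean-up steps."""
        self.quarantined.discard(subscriber)
        self.events[subscriber].clear()

    def session_vlan(self, subscriber):
        """What the RADIUS server returns at the subscriber's next (re)auth."""
        vid = REMEDIATION_VLAN if subscriber in self.quarantined else NORMAL_VLAN
        return vlan_attributes(vid)


def smtp_egress_rules(subscriber_cidr, relay_ip):
    """iptables-style egress rules: no direct-to-MX SMTP from subscriber
    space, but the ISP's own relay stays reachable."""
    return [
        f"-A FORWARD -s {subscriber_cidr} -d {relay_ip} -p tcp --dport 25 -j ACCEPT",
        f"-A FORWARD -s {subscriber_cidr} -p tcp --dport 25 -j DROP",
    ]


if __name__ == "__main__":
    g = WalledGarden(Mode.AUTO)
    for e in (Event(1000, "sub-1", "sinkhole"), Event(1010, "sub-1", "sinkhole"),
              Event(1020, "sub-1", "abuse-report")):
        print(e.source, "->", g.observe(e))
    print(g.session_vlan("sub-1"))
    print("\n".join(smtp_egress_rules("203.0.113.0/24", "192.0.2.25")))
```

Keying on the subscriber account rather than the current IP is what lets the quarantine survive a DHCP lease change, and requiring a second independent detection source before acting is the cheapest lever against the wrongly-quarantined-customer cost that the thread identifies as the real obstacle.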
On Sat, 17 Feb 2007, Gadi Evron wrote:
Yes, but that is because the successful ISPs currently often implement their own if they have the resources and R&D power. The really big ones have it automated, the small ones have it limited to be "activated by an abuse desk person".
And I also know "many" ISPs that developed home-grown systems and had to abandon them due to various problems. Until you understand the differences and why various attempts haven't worked, you are doomed to repeat the same mistakes; and unlikely to be successful beyond a few limited environments. Is there a significant difference between the "many" ISPs implementing walled gardens and other ISPs as far as infection rates?
On Sat, 17 Feb 2007, Sean Donelan wrote:
On Sat, 17 Feb 2007, Gadi Evron wrote:
Yes, but that is because the successful ISPs currently often implement their own if they have the resources and R&D power. The really big ones have it automated, the small ones have it limited to be "activated by an abuse desk person".
And I also know "many" ISPs that developed home-grown systems and had to abandon them due to various problems.
Until you understand the differences and why various attempts haven't worked, you are doomed to repeat the same mistakes; and unlikely to be successful beyond a few limited environments.
Agreed. Do you have any of these lessons you can share?
Is there a significant difference between the "many" ISPs implementing walled gardens and other ISPs as far as infection rates?
Yes.
On Sat, 17 Feb 2007, Gadi Evron wrote:
Is there a significant difference between the "many" ISPs implementing walled gardens and other ISPs as far as infection rates?
Yes.
Then please share, many people would love to have that data.
On Sat, 17 Feb 2007, Sean Donelan wrote:
On Sat, 17 Feb 2007, Gadi Evron wrote:
Is there a significant difference between the "many" ISPs implementing walled gardens and other ISPs as far as infection rates?
Yes.
Then please share, many people would love to have that data.
Same goes for you with the sentence you removed above. :) I am working on this, and hopefully will have something in a few months which can be measurable rather than jokes about "many".
On Sat, 17 Feb 2007, Gadi Evron wrote:
On Sat, 17 Feb 2007, Sean Donelan wrote:
On Sat, 17 Feb 2007, Gadi Evron wrote:
Is there a significant difference between the "many" ISPs implementing walled gardens and other ISPs as far as infection rates?
Yes.
Then please share, many people would love to have that data.
Same goes for you with the sentence you removed above. :)
I have, many times over the last 5 years. Doing research is an amazing thing.
I am working on this, and hopefully will have something in a few months which can be measurable rather than jokes about "many".
Many people will be waiting for your data.
On Feb 17, 2007, at 6:42 PM, Sean Donelan wrote:
Is there a significant difference between the "many" ISPs implementing walled gardens and other ISPs as far as infection rates?
One might presuppose infection rates are exactly the same, at least until that ISP's user base upgrades, patches, auto-updates, AVs, anti-spywares, whatever.. or finds a new ISP. I wonder how long it'd take for such a policy institution to impact an entire 100% user base? I'd likewise be quite keen on seeing empirical evidence on trends in cleanliness and/or churn from any of those ISPs in question, the 3 "huge" ones in particular - any of those folks *NOG-types? Likely my last message on this thread, as I foresee the "OT curmudgeon" mounting up (hint to them: "delete"). -danny
Sean Donelan wrote:
On Sat, 17 Feb 2007, Petri Helenius wrote:
After all these years, I'm still surprised a consortium of ISPs haven't figured out a way to do something à la Packet Fence for their clients where, whenever an infected machine is detected after logging in, that machine is thrown into say a VLAN with instructions on how to clean their machines before they're allowed to go further and stay online. This has been commercially available for quite some time so it would be only up to the providers to implement it.
Public ISPs have been testing these types of systems for over 5 years. What sorts of differences can you think of that would explain why public ISPs have found them not very effective?
Public ISPs have been using walled gardens for a long time for user registration and collecting credit card information. So they know how to implement walled gardens. But what happens when public ISPs use it for infected machines?
I believe aol (maybe Vijay) once talked about the very same sink hole technique they use within their networks to fight bad traffic. Not sure which nanog? Anyone? regards, /virendra
On Feb 16, 2007, at 11:41 AM, J. Oquendo wrote:
After all these years, I'm still surprised a consortium of ISPs haven't figured out a way to do something à la Packet Fence for their clients where, whenever an infected machine is detected after logging in, that machine is thrown into say a VLAN with instructions on how to clean their machines before they're allowed to go further and stay online.
"Umm, Ma'am, I'm sorry, but before you make that emergency call we'll need to go to www.update.nnn and update the OS on your machine, seems you've got some malware there at home somewhere and you're going to need to take care of it for me, OK?" "Sir, before you can continue watching the World Cup or Super Bowl you'll need to remove the spyware from your son's PC."
If you ask me, traffic providers (NSPs/NAPs) and ISPs don't mind this garbage coming out of their networks; if they did they'd actually band together and do something about it.
It's obvious those charging for traffic will say little. Minimized traffic means minimized revenue.
IIRC, most North American providers have fixed-rate broadband subscriber plans.
All I see is "No we despise that kind of traffic" along with a shrug and nothing being done about it. I'm sure if some legislative body somewhere started levying fines against providers, the net would be a cleaner place. For comments on 100 million infected machines... Doubtable. Anyone can play fuzzy math games, heck I just strangely figured out that MS is costing me an arm and a leg!
While I understand your frustration, lest we not forget, providers are in the business of making money, and solutions of this type today only add to churn, additional operational expense and liability. It's not quite so black and white as you make it, unfortunately. With that, as Sean points out, providers are trying to address the issues in a business-savvy manner and some do seem to have reasonable (IMO) solutions underway. But be careful what you ask for, some of these solutions you're mandating might very well resemble SiteFinder-style schemas (or far worse) in order to justify the investment by the providers. -danny
Participants (7): Danny McPherson, Gadi Evron, J. Oquendo, Petri Helenius, Sean Donelan, Simon Lyall, virendra rode //