ISPs' willingness to take action
I'm a little puzzled, and I hope people won't object to my asking about this. As I see it, we're experiencing an ever-increasing flood of garbage network traffic. While not all of it is easy or appropriate to target, it seems to me there's some "low hanging fruit" that could generate serious gains with relatively little investment. A few things that make sense to me (as a non-ISP network consultant) include:

1) Summarily fencing/sandboxing/disconnecting clients sending high volumes of spam, virii, etc. You might politely contact your commercial/static clients first, but anyone connecting a "bare" PC on a broadband circuit is too stupid to deserve coddling. The great majority of your clients would thank you profusely.

So far as I can see, detection of serious abusers should be pretty straightforward. It wouldn't require any pretense at spam or virus filtering, per se; just pick off the clients that are flagrant sources of the plague of the month.

2) Notwithstanding the above, would it really be so hard to trap network packets bearing clear signatures of the "plague of the month"? Sure, it would create an extra load on routers or require special filtering hardware, but wouldn't it be worth it? Again, no need to be comprehensive; just blast the ones that are easy pickings.

3) There was a thread a little while ago that talked about a way to cut down spam by simply restricting who you would accept SMTP traffic from. Unfortunately, I don't recall the details, but at the time it struck me as eminently sensible, and just required cooperation between ISPs to implement effectively.

One problem for the average ISP would be the monitoring and updating of plague control infrastructure. It would probably be a lot easier with a bit of cooperation and sharing -- either that, or someone could get rich offering services to ISPs for a fee.

By the way, can anybody explain to me a legitimate use for port 135/137 traffic across the Internet, like it's somebody's private LAN? Seems to me anybody who still thinks that's legitimate is living in the past.

So, the big question: why don't ISPs do more of this? Are they afraid of client reaction? Doesn't wash, for me: most clients would be highly grateful, and all it really takes for the remainder is fair warning. Cost? Again, you can judge for yourselves how low the fruit you choose to pick; the biggest gains have the best ROI.

Happy clients, liberated bandwidth, faster servers -- what's to lose?

/kenw Ken Wallewein CDP,CNE,MCSE,CCA,CCNA K&M Systems Integration Phone (403)274-7848 Fax (403)275-4535 kenw@kmsi.net www.kmsi.net
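The "pick off the flagrant sources" idea in point 1 is easy to sketch from flow records, which is what an access provider usually has rather than packet content. The following is an added example, not code from this thread or from any ISP named in it; the address plan, the thresholds and the flow records are all constructed, and the thresholds in particular are placeholders that would have to be tuned against a real baseline before anyone is disconnected on their account. It counts distinct remote destinations per customer source for two patterns (direct-to-MX mail fan-out on tcp/25 and NetBIOS/SMB sweeps) and applies the post's own distinction: static/commercial ranges get notified first, the dynamic pool gets cut off.

```python
"""
Flow-record heuristic for spotting "flagrant sources" on an access network.
Added example; not code from the NANOG thread. Prefixes, thresholds and flow
records are constructed for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan: dynamic broadband pool plus a static/commercial range.
CUSTOMER_PREFIXES = [ip_network("10.20.0.0/16")]
STATIC_PREFIXES = [ip_network("10.20.200.0/24")]

# Assumed per-window thresholds; tune against real baselines before enforcing.
SMTP_DISTINCT_DST_THRESHOLD = 50    # distinct remote hosts contacted on tcp/25
SCAN_DISTINCT_DST_THRESHOLD = 100   # distinct remote hosts probed on NetBIOS/SMB ports
SCAN_PORTS = {135, 137, 139, 445}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int
    packets: int


def _in_any(addr: str, nets) -> bool:
    a = ip_address(addr)
    return any(a in n for n in nets)


def is_customer(addr: str) -> bool:
    return _in_any(addr, CUSTOMER_PREFIXES)


def is_static(addr: str) -> bool:
    return _in_any(addr, STATIC_PREFIXES)


def find_abusers(flows):
    """
    Count distinct remote destinations per customer source for two patterns:
    direct-to-MX mail fan-out (tcp/25) and NetBIOS/SMB sweeps. Hosts over a
    threshold get an action: static/commercial ranges are notified first,
    anything in the dynamic pool is disconnected.
    Returns {src_ip: {"action": ..., "reasons": [...]}}.
    """
    smtp_dsts = defaultdict(set)
    scan_dsts = defaultdict(set)
    for f in flows:
        if not is_customer(f.src) or is_customer(f.dst):
            continue  # only customer -> Internet traffic counts
        if f.proto == "tcp" and f.dport == 25:
            smtp_dsts[f.src].add(f.dst)
        elif f.dport in SCAN_PORTS:
            scan_dsts[f.src].add(f.dst)

    reasons = defaultdict(list)
    for src, dsts in smtp_dsts.items():
        if len(dsts) >= SMTP_DISTINCT_DST_THRESHOLD:
            reasons[src].append(f"tcp/25 fan-out to {len(dsts)} distinct hosts")
    for src, dsts in scan_dsts.items():
        if len(dsts) >= SCAN_DISTINCT_DST_THRESHOLD:
            reasons[src].append(f"NetBIOS/SMB probes to {len(dsts)} distinct hosts")

    return {
        src: {"action": "notify" if is_static(src) else "disconnect", "reasons": r}
        for src, r in reasons.items()
    }


def sample_flows():
    """Constructed records: a normal user, a static mail server, a spam bot, a worm."""
    flows = []
    # Normal user: a few mails via the ISP relay, some browsing.
    flows += [Flow("10.20.1.10", "192.0.2.25", "tcp", 25, 20)] * 5
    flows.append(Flow("10.20.1.10", "192.0.2.80", "tcp", 80, 300))
    # Static/commercial mail server: legitimately delivers to many MX hosts.
    flows += [Flow("10.20.200.5", f"203.0.113.{i}", "tcp", 25, 12) for i in range(1, 61)]
    # Dynamic-pool spam bot: direct-to-MX to far more hosts.
    flows += [Flow("10.20.3.7", f"203.0.113.{i}", "tcp", 25, 6) for i in range(1, 121)]
    # Worm-infected host sweeping a /24 on tcp/135.
    flows += [Flow("10.20.9.42", f"198.51.100.{i}", "tcp", 135, 3) for i in range(1, 201)]
    return flows


if __name__ == "__main__":
    for src, v in sorted(find_abusers(sample_flows()).items()):
        print(src, v["action"], "; ".join(v["reasons"]))
```

Note that the static mail server trips the same tcp/25 threshold as the bot; that is exactly why the action depends on the address range and not only on the count, and why the threshold for static ranges would normally be set per customer. Counting distinct destinations rather than bytes keeps a user who sends one large attachment through the ISP relay from being mistaken for a spam source.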
ken,
---snip--- 3) There was a thread a little while ago that talked about a way to cut down spam by simply restricting who you would accept SMTP traffic from. Unfortunately, I don't recall the details, but at the time it struck me as eminently sensible, and just required cooperation between ISPs to implement effectively. ---snip---
so what you are saying is that you would like to go back to the fidonet days, when site A had to agree to route site B's mail? a deny all, accept some rule for smtp would horribly break all that is good in humanity. am i missing something here? paul
kenw@kmsi.net wrote:
As I see it, we're experiencing an ever-increasing flood of garbage network traffic. While not all of it is easy or appropriate to target, it seems to me there's some "low hanging fruit" that could generate serious gains with relatively little investment.
I agree to an extent, though I think there are much more reasonable places to start rather than adding IDS functionality to ISP routers and moving to whitelist-only SMTP. Anti-spoof/BGP filtering, DoS tracking/sinkholing, working abuse@ addresses, etc. But the problem is with the end-hosts, so a common viewpoint is that this is where the majority of the cleanup work needs to be done. This was discussed at length not long ago.
A few things that make sense to me (as a non-ISP network consultant) include:
1) Summarily fencing/sandboxing/disconnecting clients sending high volumes of spam, virii, etc. You might politely contact your commercial/static clients first, but anyone connecting a "bare" PC on a broadband circuit is too stupid to deserve coddling. The great majority of your clients would thank you profusely.
What if the great majority of your clients are bare PCs on broadband circuits?
So, the big question: why don't ISPs do more of this?
What's the ROI? The costs have to be offset somehow. How easy is it to convince clients to pay more to be your customer because you're more strict on garbage traffic originating from your network relative to your competitors? Many feel that basic preventative measures like the ones I mentioned are things that all ISPs "should" do for the sake of making the Internet a better place, or however you want to phrase it. But the decision makers at a lot of ISPs seem to take a different viewpoint, perhaps because their primary concern, as businesses, is dollar signs. -Terry
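Of the "more reasonable places to start" Terry lists, anti-spoof ingress filtering is the one that needs no signature updates and no judgment about content. The block below is an added example, not code from the thread: it models a BCP38-style check on customer-facing interfaces (a packet may only carry a source address inside the prefixes assigned to the interface it arrived on) and emits the equivalent Cisco IOS numbered extended ACL. The interface names, prefixes and packets are constructed.

```python
"""
BCP38-style ingress anti-spoof filtering on customer-facing interfaces.
Added example; not code from the thread. Interface names, prefixes and packets
are constructed. The ACL text uses Cisco IOS numbered extended-ACL syntax to
show what the check corresponds to on a router.
"""
from ipaddress import ip_address, ip_network

# Constructed: the prefixes each customer interface is allowed to source.
INTERFACE_PREFIXES = {
    "Serial0/1": [ip_network("192.0.2.0/24")],
    "Ethernet1/0": [ip_network("198.51.100.0/26"), ip_network("198.51.100.128/25")],
}


def ingress_permits(iface: str, src: str) -> bool:
    """Strict ingress check: the source must lie inside a prefix assigned to the arrival interface."""
    a = ip_address(src)
    return any(a in net for net in INTERFACE_PREFIXES.get(iface, []))


def cisco_acl(iface: str, number: int = 101):
    """Equivalent numbered ACL: permit each assigned prefix, log and drop everything else.
    IOS uses inverse (wildcard) masks, which is what hostmask gives us."""
    lines = [
        f"access-list {number} permit ip {net.network_address} {net.hostmask} any"
        for net in INTERFACE_PREFIXES[iface]
    ]
    lines.append(f"access-list {number} deny ip any any log")
    return lines


def filter_packets(packets):
    """packets: (ingress_iface, src, dst) tuples. Returns (verdict, iface, src, dst)."""
    return [
        ("permit" if ingress_permits(iface, src) else "deny", iface, src, dst)
        for iface, src, dst in packets
    ]


# Constructed sample: legitimate and spoofed sources per interface, plus a private source.
SAMPLE_PACKETS = [
    ("Serial0/1", "192.0.2.10", "203.0.113.5"),        # inside the customer's /24
    ("Serial0/1", "203.0.113.9", "203.0.113.5"),       # source belongs to someone else
    ("Ethernet1/0", "198.51.100.200", "203.0.113.5"),  # inside 198.51.100.128/25
    ("Ethernet1/0", "198.51.100.100", "203.0.113.5"),  # in the unassigned gap .64-.127
    ("Ethernet1/0", "10.0.0.1", "203.0.113.5"),        # private source, never valid here
]

if __name__ == "__main__":
    for verdict, iface, src, dst in filter_packets(SAMPLE_PACKETS):
        print(f"{iface:12} {src:>16} -> {dst:<14} {verdict}")
    print("\n".join(cisco_acl("Ethernet1/0")))
```

The generated list would be bound inbound on the customer interface (`ip access-group 101 in`). On platforms that support it, strict unicast RPF (`ip verify unicast source reachable-via rx`) does the same job from the routing table without a per-customer ACL to maintain, which matters on the line cards Sean mentions later in the thread that cannot carry even a two-line ACL.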
On Sun, 26 Oct 2003, Terry Baranski wrote:
What if the great majority of your clients are bare PCs on broadband circuits?
Well, you might just find that small ISPs, then BIG ISPs, stop accepting mail from your dynamic IP customers. As a start. ========================================================== Chris Candreva -- chris@westnet.com -- (914) 967-7816 WestNet Internet Services of Westchester http://www.westnet.com/
----- Original Message ----- From: <kenw@kmsi.net> To: <nanog@nanog.org> Sent: Sunday, October 26, 2003 8:01 PM Subject: ISPs' willingness to take action
By the way, can anybody explain to me a legitimate use for port 135/137 traffic across the Internet, like it's somebody's private LAN? Seems to me anybody who still thinks that's legitimate is living in the past.
So, the big question: why don't ISPs do more of this? Are they afraid of client reaction? Doesn't wash, for me: most clients would be highly grateful, and all it really takes for the remainder is fair warning. Cost? Again, you can judge for yourselves how low the fruit you choose to pick; the biggest gains have the best ROI.
Happy clients, liberated bandwidth, faster servers -- what's to lose?
Problem is, some applications, like Outlook for example (if I remember correctly), like to use 135, 137, 139 and others to connect to the Exchange server. You block them, and it will start to croak. You have a lot of home users not using a VPN to connect to their office Exchange servers. I used to do this myself at times. When you sell a service to someone, and neglect to mention you block certain incoming ports, especially to a possible business user or home user trying to access their office, you put yourself in a really bad position. -------------------------- Brian Bruns The Summit Open Source Development Group Open Solutions For A Closed World / Anti-Spam Resources http://www.sosdg.org ICQ: 8077511
One significant contributing factor to the lack of care or clue by mid and large size ISPs is the level 1 helldesk. I do not intend to insult anybody who is doing level 1 support, but you are not going to find people with serious network engineering expertise for $12/hour (or when outsourcing tech support for $5/hour to India). Far too many layer 1 people have to deal with clueless users who call in saying "Your mail server is haxxxing my firewall!". How do you separate the legitimate abuse complaints from the chaff? That said, if somebody has a fast connection, hand-holding them through the process of using Windows Update by phone isn't terribly difficult. I think one of the smartest things a DSL/Cable ISP could do is negotiate a bulk license purchase with an anti-virus software vendor such as Kaspersky (makers of AVP), which can provide licenses for as little as $10 each in bulk. Is $10 per customer per year too much to pay for comprehensive auto-updating virus-scanning of client PCs?
1) Summarily fencing/sandboxing/disconnecting clients sending high volumes of spam, virii, etc. You might politely contact your commercial/static clients first, but anyone connecting a "bare" PC on a broadband circuit is too stupid to deserve coddling. The great majority of your clients would thank you profusely.
So far as I can see, detection of serious abusers should pretty straightforward. It wouldn't require any pretense at spam or virus filtering, per se; just pick off the clients that are flagrant sources of the plague of the month.
----- Original Message ----- From: "Eric Kuhnke" <eric@fnordsystems.com> To: <nanog@merit.edu> Sent: Monday, October 27, 2003 8:34 AM Subject: Re: ISPs' willingness to take action

> One significant contributing factor to the lack of care or clue by mid and large size ISPs is the level 1 helldesk. I do not intend to insult anybody who is doing level 1 support, but you are not going to find people with serious network engineering expertise for $12/hour (or when outsourcing tech support for $5/hour to India).

* It's $9 to $12/hour ... and it isn't the reason that the management is clueless. There are some pretty sharp persons in Level 1 Tech Support, although not a LOT of them. That's why they have such a turnover, the good ones move on to more money. The clueless ones stay there forever. But network engineering expertise isn't the job for Level 1 support anyway ... if they don't know how to handle it, that call or incident should be escalated to another level. There is some level there that has a care or a clue, although that level may be severely constrained by management and budget constraints. I spent a lot of time at level 3 tech support ... handling the escalated calls. (You know, I'm the guy that gets frowned at by the rest of the call center crew when I help a customer with Linux or with a Router ;-) So I know what it is like. If level 1 spent time helping every customer install firewall software, anti-virus software, (and it goes on to residential gateway routers and wireless access devices) then you're gonna need more people to cover the phones. IMHO this is why some ISPs are starting to try and charge more for certain levels of service, including HOME NETWORKING.

> Far too many layer 1 people have to deal with clueless users who call in saying "Your mail server is haxxxing my firewall!". How do you separate the legitimate abuse complaints from the chaff? That said, if somebody has a fast connection, hand-holding them through the process of using Windows Update by phone isn't terribly difficult.

* Yep, that is true, and it comes both by phone calls as well as email. And again, IMHO, you gotta draw the line somewhere as to what you're going to hand-hold for. You start doing Windows Update, and end up hand-holding entire Windows installations ... maybe even Hardware installations. And what is Windows Update going to fix related to Viruses and Spamming anyway? Most users get hand-held going on to sites like: symantec.com to get the virus remove tool. And if that bombs out or they have other serious problems ... they get offered a service call to their home (which they have to pay for) or they can have anyone do the service call for them.

> I think one of the smartest things a DSL/Cable ISP could do is negotiate a bulk license purchase with an anti-virus software vendor such as Kaspersky (makers of AVP), which can provide licenses for as little as $10 each in bulk. Is $10 per customer per year too much to pay for comprehensive auto-updating virus-scanning of client PCs?

* Hmmmm, $10 per customer times 10,000 or 15,000 or 30,000 or more. And once you open the AV software door, you also have to open the Personal Firewall door. Ohhhh this is getting ugly. The management and bean counters are not gonna like this. What about the many homes with multiple PCs? You have to give them one software package for each PC and Laptop? Might as well throw in that residential gateway and support the whole home network.

--- Alan Spicer (a_spicerNOSPAM@bellsouth.net) http://aspicer.homelinux.net/ http://telecom.dyndns.biz/ Systems and Network Administration, and Telecommunications
On Sun, 26 Oct 2003 kenw@kmsi.net wrote:
A few things that make sense to me (as a non-ISP network consultant) include:
Most ISPs are relatively secure. Yes, occasionally a backbone router shows up on some list with a password of "cisco." The major problems are in the systems managed and installed on non-ISP networks (i.e. end-users).
1) Summarily fencing/sandboxing/disconnecting clients sending high volumes of spam, virii, etc. You might politely contact your commercial/static clients first, but anyone connecting a "bare" PC on a broadband circuit is too stupid to deserve coddling. The great majority of your clients would thank you profusely.
Really? Most users are angry when their network connection is interrupted for any reason, including their own mistakes. Read some of the articles in the university newspapers when students were cut off from the network after not fixing their computers. How many people thank police officers when they are stopped for speeding, reckless driving, drunk driving, burned out taillights, etc? Or instead how many say things like the police should be out catching "real" criminals (i.e. anyone other than them)? As a non-ISP consultant, when a client asks you to configure their Exchange server do you always conduct a top-to-bottom security analysis of the client's entire business infrastructure and refuse to do business with them until after they have corrected every deficiency? Or does the client just say screw you, and hire a different consultant that will do what the client wants?
2) Notwithstanding the above, would it really be so hard to trap network packets bearing clear signatures of the "plague of the month"? Sure, it would create an extra load on routers or require special filtering hardware, but wouldn't it be worth it? Again, no need to be comprehensive; just blast the ones that are easy pickings.
Routers (especially high end routers) are barely stable just routing packets. Some high-end line cards don't support even a simple 2-line access control list. With the market currently heading to the lowest price possible, increasing costs doesn't appear to pay even for the niche markets that are interested. Instead the extra equipment is installed where there are clients willing to pay for it. The easiest, most effective place to catch packets is at the edge/end-users. An end-user firewall is $0-$50. Anywhere in the core is very difficult. What is the cost of a single OC192 firewall? Look at the post office, it doesn't try to find Anthrax in most of the mail. Instead a few locations at the edge of the postal system, e.g. the White House, Congress, etc, have added security precautions. The rest of the mail just flies through the system.
3) There was a thread a little while ago that talked about a way to cut down spam by simply restricting who you would accept SMTP traffic from. Unfortunately, I don't recall the details, but at the time it struck me as eminently sensible, and just required cooperation between ISPs to implement effectively.
Again, look at the postal mail system. One proposal required everyone to mail letters in person at the post office, and show id to the postal clerk. The problem is it really doesn't solve the problem. Third-party trust systems don't scale well beyond one or two degrees of separation. And there is only one major postal system. But it doesn't require cooperation from the ISP to accept mail from only people you know. You can do that today. The question is why don't more people do it? The ISP doesn't know who you know. Should ISPs require you to register your friends & family in order to receive mail? I don't know if it has come to that. And we all know how effective Caller-ID has been in cutting down telemarketing phone calls at dinner time. And the related caller-id blocking, and block caller-id blocking, and block block caller-id blocking, etc.
By the way, can anybody explain to me a legitimate use for port 135/137 traffic across the Internet, like it's somebody's private LAN? Seems to me anybody who still thinks that's legitimate is living in the past.
Bits on the wire using ports 135/137 are not intrinsically less safe than any other bits. And vendors have shown a willingness to add ways around port filters in the network, not by developing more secure protocols but by developing ways to send the same packets between insecure systems on other ports. Sendmail and BIND have more CERT/CC advisories than any other application, including NETBIOS. How many people are suggesting blocking port 53 and port 25?
So, the big question: why don't ISPs do more of this? Are they afraid of client reaction? Doesn't wash, for me: most clients would be highly grateful, and all it really takes for the remainder is fair warning. Cost? Again, you can judge for yourselves how low the fruit you choose to pick; the biggest gains have the best ROI.
Happy clients, liberated bandwidth, faster servers -- what's to lose?
Angry clients, increased bandwidth costs, slower servers doing more checks? ISPs are doing a lot to protect end-users. Some examples include:

Education campaigns
Free anti-virus software
Free personal firewall software
Port filters (port 80 anyone?)
Notification of compromised systems
Incident Response
Intrusion Detection/Intrusion Prevention
Managed Security Services

Unfortunately some of the argument is a bit like the old cries that public payphone companies were responsible for the drug dealers in poor neighborhoods. So they removed public payphones. The drug dealing problem wasn't solved.
On 27 Oct 2003, at 10:25, Sean Donelan wrote:
Most ISPs are relatively secure. Yes, occasionally a backbone router shows up on some list with a password of "cisco." The major problems are in the systems managed and installed on non-ISP networks (i.e. end-users).
Maybe all the ISPs I've been involved with in the past ten years have been exceptions, but there are only a small handful of them that I would elevate to the status of "relatively secure".
Really? Most users are angry when their network connection is interrupted for any reason, including their own mistakes.
Every now and then some acquaintance or relative hauls me in my capacity as unpaid "computer expert", so that I can stare bemusedly at their windows problem and mutter things like "buy a mac" under my breath. My experience every time is that end users are amazingly tolerant of breakage. The fact that there are popups all over the screen, or that it takes five minutes to open their mail client, or that machines freeze up every ten minutes and require a hard boot appear to be simply accommodated as "that's what computers do".
As a non-ISP consultant, when a client asks you to configure their Exchange server do you always conduct a top-to-bottom security analysis of the client's entire business infrastructure and refuse to do business with them until after they have corrected every deficiency? Or does the client just say screw you, and hire a different consultant that will do what the client wants?
When I was a consultant, I was never sufficiently mercenary to ask for money in return for what I *knew* to be bad advice. I'd far rather they buy their bad advice elsewhere. Joe
On Mon, 27 Oct 2003, Joe Abley wrote:
Most ISPs are relatively secure. Yes, occasionally a backbone router shows up on some list with a password of "cisco." The major problems are in the systems managed and installed on non-ISP networks (i.e. end-users).
Maybe all the ISPs I've been involved with in the past ten years have been exceptions, but there are only a small handful of them that I would elevate to the status of "relatively secure".
That's why I said relative. I didn't say they were very secure or had great security. But when out-running the bear you don't have to be faster than the bear, just faster than the other guy. If you compared the "average" ISP security with the "average" end-user security, relatively speaking which would be more secure? Of course, we all have some relatives we'd prefer not to invite to holiday dinner.
My experience every time is that end users are amazingly tolerant of breakage. The fact that there are popups all over the screen, or that it takes five minutes to open their mail client, or that machines freeze up every ten minutes and require a hard boot appear to be simply accommodated as "that's what computers do".
They are amazingly tolerant of "that's what computers do." They are amazingly intolerant when someone else "breaks" it.
On Mon, 27 Oct 2003 10:25:36 -0500 (EST), you wrote:
... As a non-ISP consultant, when a client asks you to configure their Exchange server do you always conduct a top-to-bottom security analysis of the client's entire business infrastructure and refuse to do business with them until after they have corrected every deficiency? Or does the client just say screw you, and hire a different consultant that will do what the client wants? ...
I said "low hanging fruit". I didn't say "top-to-bottom security analysis".
...
3) There was a thread a little while ago that talked about a way to cut down spam by simply restricting who you would accept SMTP traffic from. Unfortunately, I don't recall the details, but at the time it struck me as eminently sensible, and just required cooperation between ISPs to implement effectively.
Does NOBODY remember that thread?
Again, look at the postal mail system. One proposal required everyone to mail letters in person at the post office, and show id to the postal clerk.
Straw dogs... come on! It's like saying we can't take drastic, inappropriate measures, so we can't take any at all.
... ISPs are doing a lot to protect end-users. Some examples include
Education campaigns
Free anti-virus software
Free personal firewall software
Port filters (port 80 anyone?)
Notification of compromised systems
Incident Response
Intrusion Detection/Intrusion Prevention
Managed Security Services
And if all ISPs were doing all these things (as you try to imply) we'd all be a lot better off, wouldn't we?
Unfortunately some of the argument is a bit like the old cries for public payphone companies were responsible for the drug dealers in poor neighborhoods. So they removed public payphones. The drug dealing problem wasn't solved.
"A strong conviction that something must be done is the parent of many bad measures." -- Daniel Webster So, am I advocating bad measures? /kenw Ken Wallewein CDP,CNE,MCSE,CCA,CCNA K&M Systems Integration Phone (403)274-7848 Fax (403)275-4535 kenw@kmsi.net www.kmsi.net
On Mon, 27 Oct 2003 kenw@kmsi.net wrote:
I said "low hanging fruit". I didn't say "top-to-bottom security analysis".
If I fixed every computer on the Internet today, tomorrow Microsoft would sell 17,000 new insecure installs of Windows. Low-hanging fruit would be to get Microsoft to change its defaults. Then instead tomorrow, there would be 17,000 new "secure" installs of Windows.
Does NOBODY remember that thread?
I remember it well. I also remember ISPs removing the filters after a few hours/days due to customer complaints because the applications they wanted to use across the Internet stopped working. Why shouldn't people be able to use NETBIOS, or Telnet or FTP or any other insecure protocol across the Internet? The security problems aren't due to the packets crossing the Internet. The security problems happen when the packets reach an insecure end-host. It is possible to use NETBIOS securely across the Internet withOUT a VPN. I wouldn't recommend it, but I don't understand why ISPs should prohibit the use of any particular 16-bit port number in a TCP/UDP header.
And if all ISPs were doing all these thing (as you try to imply) we'd all be a lot better off, wouldn't we?
And are you implying ISPs aren't doing anything?
So, am I advocating bad measures?
Naive measures.
On Mon, 27 Oct 2003 10:25:36 -0500 (EST), Sean Donelan wrote:
Again, look at the postal mail system. One proposal required everyone to mail letters in person at the post office, and show id to the postal clerk. The problem is it really doesn't solve the problem. Third-party trust systems don't scale well beyond one or two degrees of separation. And there is only one major postal system.
Side note: This is already underway. USPS is starting with "bulk discount" mail but has published plans to extend same to all stamps.

.....

The US Postal Service proposed a new rule in the Federal Register today that would require senders of discounted mail to identify themselves on the envelope/package. Although individuals typically do not use discounted mail, it is clear from the information in the rule that USPS is moving toward sender identification for all mail users. Check out the last sentence:

[...] "As background, two congressional committees urged the Postal Service to explore the concept of sender identification, including ``the feasibility of using unique, traceable identifiers applied by the creator of the mail piece.'' S. Rept. 107-212, p. 50; see also H. Rept. 107-575, p. 46. The President's Commission on the United States Postal Service recently recommended the use of sender identification for every piece of mail. ``Embracing the Future,'' Report of the President's Commission on the United States Postal Service (July 31, 2003) pp. 147-8. Requiring sender-identification for discount rate mail is an initial step on the road to intelligent mail."

http://a257.g.akamaitech.net/7/257/2422/14mar20010800/edocket.access.gpo.gov/2003/03-26438.htm
http://a257.g.akamaitech.net/7/257/2422/14mar20010800/edocket.access.gpo.gov/2003/pdf/03-26438.pdf

&

http://www.washingtontimes.com/national/20031026-124606-8419r.htm
'Smart stamps' next in war on terrorism
By Audrey Hudson
Published October 26, 2003

Sending an anonymous love letter or an angry note to your congressman? The U.S. Postal Service will soon know who you are. Beginning with bulk or commercial mail, the Postal Service will require "enhanced sender identification" for all discount-rate mailings, according to the notice published in the Oct. 21 Federal Register.

The purpose of identifying senders is to provide a more efficient tracking system, but more importantly, to "facilitate investigations into the origin of suspicious mail."

.......

--
A host is a host from coast to coast.................wb8foz@nrk.com
& no one will talk to a host that's close........[v].(301) 56-LINUX
Unless the host (that isn't close).........................pob 1433
is busy, hung or dead....................................20915-1433
Smart Stamps and the phony war on terrorism for more money is a crock -HRL

David Lesher <wb8foz@nrk.com> wrote:
> Side note: This is already underway. USPS is starting with "bulk discount" mail but has published plans to extend same to all stamps. [...]
On Sun, 26 Oct 2003 kenw@kmsi.net wrote:
A few things that make sense to me (as a non-ISP network consultant) include:
1) Summarily fencing/sandboxing/disconnecting clients sending high volumes of spam, virii, etc. You might politely contact your commercial/static clients first, but anyone connecting a "bare" PC on a broadband circuit is too stupid to deserve coddling. The great majority of your clients would thank you profusely.
An article appeared today on The Register, talking about people connecting "bare" machines to the net. It discusses the level of clue possessed by the "typical American computer user" and is quite a sobering read. From the article: "I'm here to tell the security pros reading this that we are in deeeeeep trouble when it comes to securing the computers of these people. "Security is just not a concept that "normal" folks focus on. It's not even on the radar screen. It's just not thought about at all." Online at http://www.theregister.co.uk/content/56/33599.html Cheers, Jonathan
Please bear in mind that much of this might be my take on viability, practicality, or past activity related to some of these suggestions. Moreover, this may not represent even my own opinions on the appropriate course of action. Inline... On Sun, Oct 26, 2003 at 06:01:09PM -0700, kenw@kmsi.net said something to the effect of:
..snip snip..>
1) Summarily fencing/sandboxing/disconnecting clients sending high volumes of spam, virii, etc. You might politely contact your commercial/static clients first, but anyone connecting a "bare" PC on a broadband circuit is too stupid to deserve coddling.
Unfortunately, you have described the standard home user. Would love to think that most have trusty firewalls guarding meticulously-patched (non-Windows) boxen, but... I expect our customers to watch their own backs, heed our admonitions, and go so far to hope that they find the appropriate clues to be responsible, but I can't imagine someone like Cox or CW or AOL or somesuch other alienating a prevailing chunk of their customer base with one nasty-gram followed by clobbering a switch port.
The great majority of your clients would thank you profusely.
I beg to differ on the last line. The happy ones would say nothing. And we may not be able to hear them if they did over the yowling from the unhappy ones who do not understand why we would do such a thing. I may be wrong, but it seems to me that most of us (service providers, that is) have some degree of a more involved customer notification process that must be followed before we can begin swinging the ax like that. Contractual obligation may often preclude a provider's harsh response to abusive or patently irresponsible network activity more often than failure to notice or give a flying fsck that it has transpired.
2) Notwithstanding the above, would it really be so hard to trap network packets bearing clear signatures of the "plague of the month"?
<not_sarcasm> Trap and do what with? </not_sarcasm>
Sure, it would create an extra load on routers or require special filtering hardware, but wouldn't it be worth it? Again, no need to be comprehensive; just blast the ones that are easy pickings.
Any other ISP that toyed with/deployed the filtering NetBIOS and/or 92-byte ICMP packets will remember how grossly unpopular we became for doing so. Accusations by customers and downstream engineers alike branded us fascist iconoclasts with no consideration for the aphoristic hands that feed us, and complete disregard for the needs of those who pay us for the evil service we restrict providing. Search the convocations (circa 08/2003) on this list even to get a feel for the dissent among the ranks regarding the feasibility and wired morality of such an action.

Another trickier problem is fueled by the nature of the sploit-du-jour. If some lamer opts to poke surreptitious holes or generate static by way of a random, obscure, generally ignored port, the choice to filter is not as difficult a one, beyond *poof* conjuring up resources to rein in the resulting management nightmare. However, whether it be because of the inherently pregnable code or a malware creator's awareness of the impracticality (read: near impossibility) of recon and restriction of certain types of traffic, many of these evasive maneuvers can ride the clown car across critical service ports. Forget crippling a network by filtering them, which is frequently the case; we wind up in some seriously hot water for violating customer contracts, which forbid selective inhibition of legit traffic along with the anomalous. It becomes a dichotomy of casualties of war vs. curing the disease by killing the patient. (fwiw...i break more than my fair share of eggs...)

To balance and consider both factions, providers are being tasked with stepping up to the plate and scrutinizing large streams of traffic to discern between the good and the bad based on other criteria. So now we're faced with other issues that require extremely intuitive and invasive packet inspection.
Some of this is vaporware and is still skating around conference tables of pitch men all over the place, others are gaining credibility and becoming technologies many providers are striving toward actualizing. Intrusion and extrusion detection are fabulous...nay...will set you free...and ultimately necessary things, but some of what I'm seeing suggested here borders on impossible to put to work without absurd overhead or flirting with serious invasion of privacy. For the record, I am by no means disagreeing with the logic of the suggestion, but am merely playing experienced devil's advocate among those who may still be sporting the collective bruise from past actions of this sort.
3) There was a thread a little while ago that talked about a way to cut down spam by simply restricting who you would accept SMTP traffic from. Unfortunately, I don't recall the details, but at the time it struck me as eminently sensible, and just required cooperation between ISPs to implement effectively.
There have also been numerous threads from a little while ago flaming AOL and the like for deploying whitelist-type or no-auth-no-pass countermeasures for spam. Again, I don't know what the right answer here is, but I can see that, like every other coin, there are two diametrically opposed sides and teams going to bat over this issue. Perhaps the fault, dear Brutus, in this particular case continues to lie more inarguably and blatantly than ever with the end users and in smtp itself, which may honestly be dead. Clearly the protocol was not meant to withstand the rigors and abuse (no pun intended) to which it is nowadays being subjected. Its design over 20 years ago was intended to service a kinder, gentler, more honest, and less devious Internet. Perhaps, if we're looking to do the responsible thing and undo spam damage (and other similar ilks), we should belly up to the bar and work to bolster the protocols and technologies. That may be all the more hand we as technologists can have in the matter.
One problem for the average ISP would be the monitoring and updating of plague control infrastructure. It would probably be a lot easier with a bit of cooperation and sharing -- either that, or someone could get rich offering services to ISPs for a fee.
Average ISP, as in, what size? Tier 1? 2? 3? Managed service provider?
By the way, can anybody explain to me a legitimate use for port 135/137 traffic across the Internet, like it's somebody's private LAN? Seems to me anybody who still thinks that's legitimate is living in the past.
That would be Microsoft. NetBIOS has no business on the Internet. End of story.
So, the big question: why don't ISPs do more of this? Are they afraid of client reaction? Doesn't wash, for me: most clients would be highly grateful, and all it really takes for the remainder is fair warning. Cost?
Fair warning gives spammers time to migrate addresses and infected users time to infect countless others. And the customers will not be unusually happy; they have a right to expect exemplary service, as they are promised and pay for it. I don't imagine that most of our subscribers are phoning in to confirm and praise receipt of five-9s.
Again, you can judge for yourselves how low the fruit you choose to pick; the biggest gains have the best ROI.
One last time...I agree with you that ISPs need to keep an eye on their brood. I'm simply offering gentle explanations of why, perhaps, providers haven't been able to more neatly and elegantly (and swiftly) mitigate the burdens you note with the suggestions you raise. With that, regarding your last point... Be careful what you wish for. Let's do it! But...this will take everyone's participation to work. I can see it now...sleazier ISPs will sell 135-139 access wide open on the black market by way of some crazy out-of-the-way transit hole... ;)
Happy clients, liberated bandwidth, faster servers -- what's to lose?
Show me the first and I'll be much quicker to follow. I'd settle for the tooth fairy sometimes, as I'm not sure those happy clients really exist... ;) Best of luck to you. Let me know if you find the answer? I'll put cycles behind a worthy cause anyday... ymmv, --ra -- K. Rachael Treu, CISSP rara@navigo.com ..this blurb has been brought to you by the letters 'v' and 'i'.. -- I am an employee of, but do not necessarily represent herein, Global Crossing, Ltd. --
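The original poster's first suggestion, and the filtering war stories above, both come down to one operational question: how does a provider pick off the handful of customer hosts that are flagrant sources of the plague of the month without inspecting everyone's payload? The following is an added example, not code from anyone in this thread, of doing that from summarized flow records alone (source, destination, protocol, port, packets, bytes), which most providers already export. It looks for three fan-out patterns discussed above: direct-to-MX SMTP from a host that is not a mail server, NetBIOS/SMB probing on 135-139/445, and sweeps of 92-byte ICMP echo. The customer range, the addresses, the flow records and every threshold are constructed assumptions; the allow-list stands in for the "contact your commercial/static clients first" step, so a legitimate relay is a phone call rather than a dead switch port.

```python
"""Added example: flag customer hosts that are flagrant abuse sources from
summarized flow records.  Addresses, records and thresholds are constructed
for illustration only; this is not any provider's production tooling."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

CUSTOMER_NET = ipaddress.ip_network("10.1.0.0/16")   # assumed customer range
NETBIOS_PORTS = {135, 137, 138, 139, 445}            # NetBIOS/SMB, never wanted across the Internet
ICMP_WORM_SIZE = 92                                  # the 92-byte ICMP echo mentioned above


def build_sample_flows():
    """Constructed unidirectional flows: src,dst,proto,dport,packets,bytes (one per line)."""
    lines = []
    # 10.1.0.3: an ordinary user - a little mail, some web.
    for i in range(3):
        lines.append(f"10.1.0.3,192.0.2.{i},tcp,25,10,2500")
    lines.append("10.1.0.3,198.51.100.7,tcp,80,40,31000")
    # 10.1.0.5: spam bot fanning out direct-to-MX connections.
    for i in range(80):
        lines.append(f"10.1.0.5,203.0.113.{i},tcp,25,6,900")
    # 10.1.0.9: worm probing 135/445 across a neighbouring range.
    for i in range(40):
        lines.append(f"10.1.0.9,198.51.100.{i},tcp,{135 if i % 2 else 445},1,48")
    # 10.1.0.12: 92-byte ICMP echo sweep (3 packets x 92 bytes per flow).
    for i in range(60):
        lines.append(f"10.1.0.12,203.0.113.{i},icmp,0,3,276")
    # 10.1.0.20: the customer's legitimate mail relay (known, allow-listed).
    for i in range(200):
        lines.append(f"10.1.0.20,192.0.2.{i},tcp,25,20,6000")
    return "\n".join(lines)


def parse_flows(text):
    """Yield (src, dst, proto, dport, packets, bytes) tuples from the CSV-style export."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport, pkts, nbytes = line.split(",")
        yield (ipaddress.ip_address(src), dst, proto, int(dport), int(pkts), int(nbytes))


@dataclass
class HostStats:
    smtp_dsts: set = field(default_factory=set)
    netbios_dsts: set = field(default_factory=set)
    icmp92_dsts: set = field(default_factory=set)


def summarize(flows):
    """Count distinct destinations per customer host for each abuse pattern."""
    stats = defaultdict(HostStats)
    for src, dst, proto, dport, pkts, nbytes in flows:
        if src not in CUSTOMER_NET:
            continue                      # only our own customers are our problem
        h = stats[str(src)]
        if proto == "tcp" and dport == 25:
            h.smtp_dsts.add(dst)
        elif proto in ("tcp", "udp") and dport in NETBIOS_PORTS:
            h.netbios_dsts.add(dst)
        elif proto == "icmp" and pkts and nbytes // pkts == ICMP_WORM_SIZE:
            h.icmp92_dsts.add(dst)
    return stats


def flag_abusers(stats, *, smtp_fanout=50, netbios_fanout=20, icmp_fanout=20,
                 allowlist=frozenset()):
    """Return {host: [(pattern, distinct_destinations), ...]} for hosts over threshold.
    Thresholds are assumptions; tune them to the export window and customer mix."""
    verdicts = {}
    for host, h in stats.items():
        if host in allowlist:
            continue                      # known relays get a phone call, not a filter
        reasons = []
        if len(h.smtp_dsts) >= smtp_fanout:
            reasons.append(("smtp_fanout", len(h.smtp_dsts)))
        if len(h.netbios_dsts) >= netbios_fanout:
            reasons.append(("netbios_scan", len(h.netbios_dsts)))
        if len(h.icmp92_dsts) >= icmp_fanout:
            reasons.append(("icmp92_sweep", len(h.icmp92_dsts)))
        if reasons:
            verdicts[host] = reasons
    return verdicts


if __name__ == "__main__":
    stats = summarize(parse_flows(build_sample_flows()))
    for host, reasons in sorted(flag_abusers(stats, allowlist={"10.1.0.20"}).items()):
        print(host, reasons)
```

The point of counting distinct destinations rather than bytes is that a spam bot or worm fans out to hundreds of hosts with tiny flows, while a heavy but honest user talks to a few; no payload inspection is needed, which sidesteps the privacy objection raised above. Without the allow-list the relay 10.1.0.20 trips the SMTP threshold too, which is exactly why the notification step for static and commercial customers has to come before the ax.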
On Sun, Oct 26, 2003 at 06:01:09PM -0700, kenw@kmsi.net said:
I'm a little puzzled, and I hope people won't object to my asking about this.
As I see it, we're experiencing an ever-increasing flood of garbage network traffic. While not all of it is easy or appropriate to target, it seems to me there's some "low hanging fruit" that could generate serious gains with relatively little investment.
A few things that make sense to me (as a non-ISP network consultant) include:
[snip] Some good thoughts in this thread. I think Sean is right about this being an end-user problem, and although we _can_ mitigate that problem somewhat at other parts of the network, that amounts to treating the symptoms rather than the disease.

The 3 things that would do the most to help eliminate this problem (millions of easily 0wned end-user hosts) right now are all things that lie in Microsoft's domain:

1) enable Internet Connection Firewall by default;
2) enable automatic Windows Update patch installation by default; [*]
3) modify the HTML engine in Outlook/OE such that it can ONLY render HTML, and any active content is ignored - in other words, replace MSIE as a backend HTML rendering engine with, say, lynx. [**]

(and even if the above were all incorporated into all subsequent releases of Windows, it might take years before the old insecure hosts were finally replaced ...)

Nothing new to this crowd, I'm sure, but I sure wish there was a way to make this a priority to the folks at MS, who are really the only people with the ability to make this happen. Without their compliance, the problem will never improve (not as long as they're as dominant as they currently are).

-- Scott Francis || darkuncle (at) darkuncle (dot) net illum oportet crescere me autem minui

[*] I'm well aware of the potential disaster were the WindowsUpdate site to be trojaned. However, corporate IT should be updating from a single server by the schedule of their windows admins, and for everybody else ... it couldn't be much worse than the current state of affairs.

[**] I've given up on hoping that email will return to the plain old text it was intended to be. I'm in the minority on that opinion, and I'm willing to settle for HTML in email if it can be rendered in a non-harmful manner (i.e. plain vanilla HTML only).
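Point 3 above, rendering "plain vanilla HTML only" with every form of active content ignored, is the one a mail client author could implement outright, and it is worth seeing what that actually means in code. The following is an added example, not Outlook's, Outlook Express's or any other mail client's rendering code: an allow-list sanitizer built on Python's standard html.parser that keeps a small set of formatting tags, drops scripts, objects, frames and event handlers, and only lets links through on a few known-safe URL schemes. The tag list, attribute list and scheme list are my assumptions; the sample message is constructed for the demonstration.

```python
"""Added example: reduce HTML mail to inert markup before rendering.
Everything not on the allow-list is removed; this is an illustration of the
'render HTML only, ignore active content' idea, not any mail client's code."""
from html import escape
from html.parser import HTMLParser

# Assumed allow-lists; a real client would tune these.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li",
                "blockquote", "h1", "h2", "h3", "table", "tr", "td", "th",
                "div", "span", "pre", "code"}
ALLOWED_ATTRS = {"a": {"href"}, "td": {"colspan", "rowspan"}, "th": {"colspan", "rowspan"}}
VOID_TAGS = {"br"}
# Tags whose content is dropped as well, not just the tag itself.
DROP_CONTENT_TAGS = {"script", "style", "object", "embed", "applet", "iframe", "frame"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")   # anything else (javascript:, data:, relative) is dropped


class PlainHtmlSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # emitted markup fragments
        self.open = []         # stack of allowed tags currently open, keeps output well-formed
        self.drop_depth = 0    # >0 while inside a DROP_CONTENT_TAGS element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth += 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return             # <img>, <form>, <meta>, unknown tags: silently removed
        kept = []
        for name, value in attrs:
            if name.startswith("on"):    # onload, onerror, onmouseover...: always active content
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not (value or "").strip().lower().startswith(SAFE_SCHEMES):
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth = max(0, self.drop_depth - 1)
            return
        if self.drop_depth or tag not in self.open:
            return             # stray or disallowed end tags never reach the output
        while self.open:       # close anything left open inside this element too
            t = self.open.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))   # text is re-escaped, never passed through

    def handle_comment(self, data):
        pass                   # comments (including conditional comments) are dropped

    def close(self):
        super().close()
        while self.open:       # close whatever the message left dangling
            self.out.append(f"</{self.open.pop()}>")


def sanitize_html(raw):
    """Return an inert HTML string containing only allow-listed markup."""
    p = PlainHtmlSanitizer()
    p.feed(raw)
    p.close()
    return "".join(p.out)


# Constructed sample message exercising the usual tricks.
SAMPLE_MAIL = ('<p onmouseover="alert(1)">Hello <b>world</b></p>'
               '<script>document.location="http://evil.example/"</script>'
               '<a href="javascript:alert(1)">click</a> '
               '<a href="https://example.com/">ok</a>'
               '<iframe src="http://evil.example/"></iframe>'
               '<img src="x" onerror="alert(1)">1 &lt; 2')

if __name__ == "__main__":
    print(sanitize_html(SAMPLE_MAIL))
```

The design choice is to allow-list rather than block-list: a block-list has to know every active-content vector the rendering engine supports, while an allow-list only has to know what a mail message legitimately needs. Remote images are dropped along with everything else not on the list, which also removes the tracking beacons spammers use to confirm live addresses; that is a stricter position than most users would accept, which is the point the footnote above is making.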
Top posting self-reply: looks like a lot of what I've suggested may have finally been acknowledged by MS, according to a recent Register.co.uk article. http://www.theregister.co.uk/content/56/33599.html We can only hope ... -- Scott Francis || darkuncle (at) darkuncle (dot) net illum oportet crescere me autem minui On Mon, Nov 03, 2003 at 03:05:03PM -0800, darkuncle@darkuncle.net said: [snip]
The 3 things that would do the most to help eliminate this problem (millions of easily 0wned end-user hosts) right now are all things that lie in Microsoft's domain:
1) enable Internet Connection Firewall by default; 2) enable automatic Windows Update patch installation by default; [*] 3) modify the HTML engine in Outlook/OE such that it can ONLY render HTML, and any active content is ignored - in other words, replace MSIE as a backend HTML rendering engine with, say, lynx. [**]
(and even if the above were all incorporated into all subsequent releases of Windows, it might take years before the old insecure hosts were finally replaced ...)
Nothing new to this crowd, I'm sure, but I sure wish there was a way to make this a priority to the folks at MS, who are really the only people with the ability to make this happen. Without their compliance, the problem will never improve (not as long as they're as dominant as they currently are). -- Scott Francis || darkuncle (at) darkuncle (dot) net illum oportet crescere me autem minui
[*] I'm well aware of the potential disaster were the WindowsUpdate site to be trojaned. However, corporate IT should be updating from a single server by the schedule of their windows admins, and for everybody else ... it couldn't be much worse than the current state of affairs.
[**] I've given up on hoping that email will return to the plain old text it was intended to be. I'm in the minority on that opinion, and I'm willing to settle for HTML in email if it can be rendered in a non-harmful manner (i.e. plain vanilla HTML only).
Scott Francis wrote:
Top posting self-reply: looks like a lot of what I've suggested may have finally been acknowledged by MS, according to a recent Register.co.uk article. http://www.theregister.co.uk/content/56/33599.html
We can only hope ...
I read that article when it was new, a long article, however a damn good read, and IMO worth 10 minutes to read it properly. Yours Mat
participants (15)
- Alan Spicer
- Brian Bruns
- Christopher X. Candreva
- David Lesher
- Eric Kuhnke
- Henry Linneweh
- Joe Abley
- Jonathan Hunter
- kenw@kmsi.net
- Matthew Sullivan
- Paul G
- Rachael Treu
- Scott Francis
- Sean Donelan
- Terry Baranski