Re: mitigating botnet C&Cs has become useless
On Sat, 5 Aug 2006 17:17:27 -0400 (EDT), Sean Donelan typed:
Railroads have the railroad police. The Post Office has postal inspectors. Do we want to give ISP security the power to arrest people?
We (ISPs) already do have that power, we can disconnect misbehaving subscribers. And in cases like this, we should keep them off the 'net until they've cleaned up their PC. And besides doing that, we should educate our subs on how to properly maintain their PC (installing and keeping up-to-date antivirus software, patch the OS on a regular basis, you know the drill). I don't think hunting down the botnet operator is going to solve the problem. If I were to set up a botnet, I'd have many layers of machines (in as many different countries as possible) and protocols between me and the drones that do my dirty work. So, yeah, it can be solved (OK, to a large extent) by manpower, but as someone else already mentioned, it's a case of ROI. And, as usual, security is only costing you money..... Gr, Arjan H
On Tuesday 08 Aug 2006 15:03, you wrote:
And, as usual, security is only costing you money.....
To a first approximation 10% of all incoming net traffic is malware/abuse/junk related, so if you are a residential ISP presumably 10% of outgoing bandwidth is swallowed up this way. So there are savings to be made; of course the economies work against it, as it is generally cheaper to buy bandwidth in bulk than to deal with individual cases. However most big residential ISPs must be getting to the point where a 10% bandwidth saving would justify buying in third party solutions for containing malware sources. I assume residential ISPs must be worse than 10%, as I hope businesses do slightly better on average. On the upside, over here, the migration to ADSL means that "containing" an infected host via a third party can be as simple as changing the ADSL settings so they connect to a third party walled garden rather than the host ISP (effectively transferring them to a different ISP, just one who exists solely for cleaning up infected systems).
On Tue, 8 Aug 2006, Simon Waters wrote:
However most big residential ISPs must be getting to the point where 10% bandwidth saving would justify buying in third party solutions for containing malware sources. I assume residential ISPs must be worse than
The problem here is that if you build your network "right", i.e. just IP routing and no tunneling, you don't get a natural choke-point on where to put any kind of solution like you propose. When I did the business calculations on a DSL solution my math told me it cost approx the same (or even cheaper) to just provide internet capacity than to offer bitstream/tunneling. The devices involved in the tunneling cost more than actually providing global internet bandwidth and not doing any tunneling at all. It's also a much cleaner solution with fewer places that can break or cause problems. You have a clean 1500 MTU all the way, etc. So in all of this, if the 10% figure is correct then it's cheaper to just waste those 10% for the residential ISP than to try to stop it, so I'd have to agree with the people in the thread who said that. It might not be the right thing, but the economics for the residential ISP are such that it costs a lot to try to be proactive about these things, especially since botnets can send just a little traffic per host and it's hard to even detect. -- Mikael Abrahamsson email: swmike@swm.pp.se
Mikael Abrahamsson wrote:
On Tue, 8 Aug 2006, Simon Waters wrote:
However most big residential ISPs must be getting to the point where 10% bandwidth saving would justify buying in third party solutions for containing malware sources. I assume residential ISPs must be worse than
[snip]
It might not be the right thing, but the economics for the residential ISP are such that it costs a lot to try to be proactive about these things, especially since botnets can send just a little traffic per host and it's hard to even detect.
Last Sunday at DEFCON I explained how one consumer ISP cost American business $29M per month because of the existence of key-logging botnets. You want to talk economics? It's not complicated to show that mitigating key-logging bots could save American business 2B or 4% of losses to identity theft -- using FTC loss estimates from 2003. Just because an ISP loses some money over transit costs does not equate to the loss American business+consumers are losing to fraud. Sorry, DEFCON slides aren't up anywhere yet. Drop me a note if you'd like a copy. -rick
On Tue, 8 Aug 2006, Rick Wesson wrote:
Last Sunday at DEFCON I explained how one consumer ISP cost American business $29M per month because of the existence of key-logging botnets.
You want to talk economics? It's not complicated to show that mitigating key-logging bots could save American business 2B or 4% of losses to identity theft -- using FTC loss estimates from 2003
Just because an ISP loses some money over transit costs does not equate to the loss American business+consumers are losing to fraud.
I am sure that the total cost would be less if everybody cleaned up their act. It doesn't change the fact that the individual ISP has to spend money it will never see returns on, for this common good to emerge. If the government wants to do this, then I guess it should start demanding responsibility from individuals as well, otherwise I don't see this happening anytime soon. Microsoft has a big cash reserve, perhaps the US government should start demanding they clean up their act and release more secure products, and start fining people who don't use their products responsibly. Oh, and go after the companies installing spyware, in earnest? And to find these, they have to start wiretapping everybody to collect the information they need. OTOH this added security might add up to more losses than 2B per year in less functionality and more administration and procedures (overhead), so perhaps that 2B is the price we pay for freedom and liberty in this space? Always hard to find the balance. -- Mikael Abrahamsson email: swmike@swm.pp.se
Mikael Abrahamsson wrote:
On Tue, 8 Aug 2006, Rick Wesson wrote:
Last Sunday at DEFCON I explained how one consumer ISP cost American business $29M per month because of the existence of key-logging botnets.
You want to talk economics? It's not complicated to show that mitigating key-logging bots could save American business 2B or 4% of losses to identity theft -- using FTC loss estimates from 2003
Just because an ISP loses some money over transit costs does not equate to the loss American business+consumers are losing to fraud.
I am sure that the total cost would be less if everybody cleaned up their act. It doesn't change the fact that the individual ISP has to spend money it will never see returns on, for this common good to emerge.
If the government wants to do this, then I guess it should start demanding responsibility from individuals as well, otherwise I don't see this happening anytime soon. Microsoft has a big cash reserve, perhaps the US government should start demanding they clean up their act and release more secure products, and start fining people who don't use their products responsibly. Oh, and go after the companies installing spyware, in earnest? And to find these, they have to start wiretapping everybody to collect the information they need.
I remember working in the sysops group of a big company where we made our own law: Leaving your terminal without logging off would cost you a bottle of cognac. Writing your password under the keyboard would cost you a bottle of cognac. ... My boss used to have stomach aches. That is why around noon you would find most of us in the machine room - sorting tapes :) It was the coldest place in the building. Right to cool down our red faces :) It might be cool if an ISP was to charge its customers a bottle of Pepsi every time they got hacked. It might be even more cool if the customer succeeded in charging Microsoft if they were the culprit :)
OTOH this added security might add up to more losses than 2B per year in less functionality and more administration and procedures (overhead), so perhaps that 2B is the price we pay for freedom and liberty in this space?
Always hard to find the balance.
No more balance after that bottle of cognac :) Cheers Peter and Karin -- Peter and Karin Dambier Cesidian Root - Radice Cesidiana Graeffstrasse 14 D-64646 Heppenheim +49(6252)671-788 (Telekom) +49(179)108-3978 (O2 Genion) +49(6252)750-308 (VoIP: sipgate.de) mail: peter@peter-dambier.de mail: peter@echnaton.serveftp.com http://iason.site.voila.fr/ https://sourceforge.net/projects/iason/
On Tue, 8 Aug 2006, Rick Wesson wrote:
Last Sunday at DEFCON I explained how one consumer ISP cost American business $29M per month because of the existence of key-logging botnets.
Why did you attribute responsibility for the cost only to the consumer ISP? How much of the cost should be attributed to the PC OEM, or the software developers, or the American business, or the ....? If the consumer changes to a different consumer ISP, are they now secure? Or is the same compromised computer still compromised regardless of what ISP the consumer uses? On the other hand, if the consumer changes from one popular brand of operating system to a different brand of operating system, or doesn't use P2P software, or doesn't download free naked celebrities, has their risk exposure to key-logging botnets changed? Even if they keep the same ISP? If the risk stays the same with different ISPs, but the risk changes when you change something besides the ISP, perhaps it would be better to associate the cost with the things that more directly affect the risk.
You want to talk economics? It's not complicated to show that mitigating key-logging bots could save American business 2B or 4% of losses to identity theft -- using FTC loss estimates from 2003
What are the economics of American businesses mitigating key-logging bots? How much security would you get for an additional $20 per year per on-line user? Spending more than the losses wouldn't save American business money. How much of a difference would it make? How many American businesses provide "free" security software or one-time tokens or smartcards to their online customers? How long did it take criminals in Europe to figure out how to get around those security measures? How many banks pay to fix their customers' computers after a key-logger bot steals their bank account information? Why don't banks re-issue credit cards or notify their customers after every report of a compromised account?
Just because an ISP loses some money over transit costs does not equate to the loss American business+consumers are losing to fraud.
Postal inspectors have the authority to investigate and arrest people for mail fraud. Where are the Internet inspectors with the authority to arrest people?
This isn't fun, comments inline.
Sean Donelan wrote:
On Tue, 8 Aug 2006, Rick Wesson wrote:
Last Sunday at DEFCON I explained how one consumer ISP cost American business $29M per month because of the existence of key-logging botnets.
Why did you attribute responsibility for the cost only to the consumer ISP? How much of the cost should be attributed to the PC OEM, or the software developers, or the American business, or the ....?
Because the numbers are significant. Finding any entity that could provide a choke-point for 4% of business side id-theft is an interesting exercise and of significant value to the community.
You want to talk economics? It's not complicated to show that mitigating key-logging bots could save American business 2B or 4% of losses to identity theft -- using FTC loss estimates from 2003
What are the economics of American businesses mitigating key-logging bots?
there is no detectable mitigation, the slope of the infection rate continues to rise.
How much security would you get for an additional $20 per year per on-line user? Spending more than the losses wouldn't save American business money.
Depends on how it is spent. -rick
On Tue, 8 Aug 2006, Rick Wesson wrote:
Last Sunday at DEFCON I explained how one consumer ISP cost American business $29M per month because of the existence of key-logging botnets.
Why did you attribute responsibility for the cost only to the consumer ISP? How much of the cost should be attributed to the PC OEM, or the software developers, or the American business, or the ....?
Because the numbers are significant. Finding any entity that could provide a choke-point for 4% of business side id-theft is an interesting exercise and of significant value to the community.
Ok, so the ISPs weren't actually responsible for the cost, you are just choosing ISPs as a convenient mechanism to impose controls on the Internet. How do you intend to compensate the ISP for providing this valuable service to the American business community? Are American businesses going to get together and pay for it? Or are you expecting ISPs to charge consumers more to connect to the Internet in order to pay for it? Or would the money be better spent by American businesses improving their ID checking so the problem of id-theft could be addressed regardless of how the information was obtained by criminals, from computers, trash cans, phishing, online information brokers, etc.
On Tue, 8 Aug 2006, Arjan Hulsebos wrote:
We (ISPs) already do have that power, we can disconnect misbehaving subscribers. And in cases like this, we should keep them off the 'net until they've cleaned up their PC.
Botnet C&Cs are not naturally occurring phenomena. Relying only on defensive security, and not arresting the criminals, will just result in the criminals becoming bolder and more aggressive. In most cases ISPs are just taking action against innocent bystanders that got hit in the cross-fire. Those bystanders aren't the cause. If you let the criminals continue trying over and over again, you are just training them to become better shots. Telling your customers they should wear bullet-proof vests whenever they go outside isn't going to stop snipers. Arresting the sniper is going to stop the sniper.
--On August 8, 2006 12:06:42 PM -0400 Sean Donelan <sean@donelan.com> wrote:
On Tue, 8 Aug 2006, Arjan Hulsebos wrote:
We (ISPs) already do have that power, we can disconnect misbehaving subscribers. And in cases like this, we should keep them off the 'net until they've cleaned up their PC.
Botnet C&Cs are not naturally occurring phenomena. Relying only on defensive security, and not arresting the criminals, will just result in the criminals becoming bolder and more aggressive.
In most cases ISPs are just taking action against innocent bystanders that got hit in the cross-fire. Those bystanders aren't the cause. If you let the criminals continue trying over and over again, you are just training them to become better shots. Telling your customers they should wear bullet-proof vests whenever they go outside isn't going to stop snipers. Arresting the sniper is going to stop the sniper.
Yup this is a social problem. Just like there's nothing actually stopping any of us from beating up a guy on the street, we don't do it because it isn't legal, doesn't make sense, etc. Some muggers do, the people in control of the SPAM problem are the muggers....the people with infected systems are just the ones who've been mugged.
--On August 8, 2006 4:03:36 PM +0200 Arjan Hulsebos <arjan.hulsebos@gmail.com> wrote:
On Sat, 5 Aug 2006 17:17:27 -0400 (EDT), Sean Donelan typed:
Railroads have the railroad police. The Post Office has postal inspectors. Do we want to give ISP security the power to arrest people?
We (ISPs) already do have that power, we can disconnect misbehaving subscribers. And in cases like this, we should keep them off the 'net until they've cleaned up their PC.
That's a nice idea, except how? How do you prove a user has gotten the malware off and patched? And further, how can they do that without internet access? Hint, FWIR, it's not legal for us to distribute MS's patches to our subs. So how do you propose that? Some customers will fix themselves, some will just cancel and find an ISP that doesn't care they're spewing spam and worm traffic, all the while complaining about how slow their internet service is. I'm really seriously interested, and I'm not trying to be a flaming troll-bait here. This is a *huge* problem. You can turn off a user sure enough, but how do you know it's OK to let that user back on?
And besides doing that, we should educate our subs on how to properly maintain their PC (installing and keeping up-to-date antivirus software, patch the OS on a regular basis, you know the drill).
And how is it our responsibility to educate users? I don't think it necessarily is. However, because no one else is and we're the ones most hurt by it, we're forced to.
Participants (7):
- Arjan Hulsebos
- Michael Loftis
- Mikael Abrahamsson
- Peter Dambier
- Rick Wesson
- Sean Donelan
- Simon Waters