
Thread: Re: botnets: web servers, end-systems and Vint Cerf




Re: botnets: web servers, end-systems and Vint Cerf
2007-02-16 12:41:45
michael.dillonbt.com wrote:
>
> You misunderstand. The problem of securing machines *IS* solved. It is
> possible. It is regularly done with servers connected to the Internet.
> There is no *COMPUTING* problem or technical problem.
> The problem of the 100 million machines is a social or business problem.
> We know how they can be secured, but the solution is not being
> implemented.
>
> --Michael Dillon
>

After all these years, I'm still surprised a consortium of ISP's haven't
figured out a way to do something a-la Packet Fence for their clients
where - whenever an infected machine is detected after logging in, that
machine is thrown into say a VLAN with instructions on how to clean
their machines before they're allowed to go further and stay online. If
you ask me, traffic providers (NSP's/NAP's) and ISP's don't mind this
garbage coming out of their networks, if they did they'd actually band
together and do something about it. It's obvious those charging for
traffic will say little. Minimized traffic means minimized revenue. All
I see is "No we despise that kind of traffic" along with a shrug and
nothing being done about it. I'm sure if some legislative body somewhere
started levying fines against providers, the net would be a cleaner
place. For comments on 100 million infected machines... Doubtable.
Anyone can play fuzzy math games, heck I just strangely figured out that
MS is costing me an arm and a leg!
http://www.merit.edu/mail.archives/nanog/msg04755.html





-- 
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated  net http://www.infiltrated.net

The happiness of society is the end of government.
John Adams

Re: botnets: web servers, end-systems and Vint Cerf
New Zealand
2007-02-16 19:58:14
On Fri, 16 Feb 2007, J. Oquendo wrote:
> After all these years, I'm still surprised a consortium of ISP's haven't
> figured out a way to do something a-la Packet Fence for their clients
> where - whenever an infected machine is detected after logging in, that
> machine is thrown into say a VLAN with instructions on how to clean
> their machines before they're allowed to go further and stay online.

All very nice. This sort of thing has been detailed a few dozen times by
various people. Doing this is not hard from a technical point of view
(which isn't to say it won't cost a lot of money to implement).

The hard bit is creating a business case to show how spending the money to
implement it and then wearing the cost of pissed off customers results in
a net gain to the bottom line.

If someone could actually do a survey to show how much each bot infested
customer is costing their ISP then people might be able to do something.
Right now AFAIK an extra 10,000 botted customers costs the average ISP no
more than a dozen heavy p2p users.

On the other hand Port 25 filtering probably is something that has low
enough negatives vs the positives for people to actually do.

-- 
Simon J. Lyall  |  Very Busy  |  Web: http://www.darkmere.gen.nz/
"To stay awake all night adds a day to your life" - Stilgar | eMT.


Re: botnets: web servers, end-systems and Vint Cerf
United States
2007-02-16 21:02:15
On Fri, 16 Feb 2007, J. Oquendo wrote:
> michael.dillonbt.com wrote:
> >
> > You misunderstand. The problem of securing machines *IS* solved. It is
> > possible. It is regularly done with servers connected to the Internet.
> > There is no *COMPUTING* problem or technical problem.
> > The problem of the 100 million machines is a social or business problem.
> > We know how they can be secured, but the solution is not being
> > implemented.
> >
> > --Michael Dillon
> >
>
> After all these years, I'm still surprised a consortium of ISP's haven't
> figured out a way to do something a-la Packet Fence for their clients

A walled garden? Surprisingly, despite little faith on NANOG, quite a few
ISPs are now employing these technologies and saving money.

	Gadi.

> where - whenever an infected machine is detected after logging in, that
> machine is thrown into say a VLAN with instructions on how to clean
> their machines before they're allowed to go further and stay online. If
> you ask me, traffic providers (NSP's/NAP's) and ISP's don't mind this
> garbage coming out of their networks, if they did they'd actually band
> together and do something about it. It's obvious those charging for
> traffic will say little. Minimized traffic means minimized revenue. All
> I see is "No we despise that kind of traffic" along with a shrug and
> nothing being done about it. I'm sure if some legislative body somewhere
> started levying fines against providers, the net would be a cleaner
> place. For comments on 100 million infected machines... Doubtable.
> Anyone can play fuzzy math games, heck I just strangely figured out that
> MS is costing me an arm and a leg!
> http://www.merit.edu/mail.archives/nanog/msg04755.html
>
> --
> ====================================================
> J. Oquendo
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
> sil . infiltrated  net http://www.infiltrated.net
>
> The happiness of society is the end of government.
> John Adams
>


Re: botnets: web servers, end-systems and Vint Cerf
Finland
2007-02-17 00:23:22
J. Oquendo wrote:
>
> After all these years, I'm still surprised a consortium of ISP's
> haven't figured out a way to do something a-la Packet Fence for their
> clients where - whenever an infected machine is detected after logging
> in, that machine is thrown into say a VLAN with instructions on how to
> clean their machines before they're allowed to go further and stay
> online.

This has been commercially available for quite some time so it would be
only up to the providers to implement it.

Pete

>
>


Re: botnets: web servers, end-systems and Vint Cerf
United States
2007-02-17 18:38:54
On Sat, 17 Feb 2007, Petri Helenius wrote:
>> After all these years, I'm still surprised a consortium of ISP's haven't
>> figured out a way to do something a-la Packet Fence for their clients where
>> - whenever an infected machine is detected after logging in, that machine
>> is thrown into say a VLAN with instructions on how to clean their machines
>> before they're allowed to go further and stay online.
> This has been commercially available for quite some time so it would be only
> up to the providers to implement it.

Public ISPs have been testing these types of systems for over 5 years.
What sorts of differences can you think of that would explain why public
ISPs have found them not very effective?

Public ISPs have been using walled gardens for a long time for user
registration and collecting credit card information.  So they know how to
implement walled gardens.  But what happens when public ISPs use it for
infected machines?

Re: botnets: web servers, end-systems and Vint Cerf
United States
2007-02-17 18:53:08

On Feb 16, 2007, at 11:41 AM, J. Oquendo wrote:
>
> After all these years, I'm still surprised a consortium of ISP's
> haven't figured out a way to do something a-la Packet Fence for
> their clients where - whenever an infected machine is detected
> after logging in, that machine is thrown into say a VLAN with
> instructions on how to clean their machines before they're allowed
> to go further and stay online.

"Umm, Ma'am, I'm sorry, but before you make that emergency
call we'll need to go to www.update.nnn and update the OS
on your machine, seems you've got some malware there at
home somewhere and you're going to need to take care of
it for me, OK?"

"Sir, before you can continue watching the World Cup or Super
Bowl you'll need to remove the spyware from your son's PC."

> If you ask me, traffic providers (NSP's/NAP's) and ISP's don't mind
> this garbage coming out of their networks, if they did they'd
> actually band together and do something about it.

> It's obvious those charging for traffic will say little. Minimized
> traffic means minimized revenue.

IIRC, most North America providers have fixed-rate broadband subscriber
plans.

> All I see is "No we despise that kind of traffic" along with a
> shrug and nothing being done about it. I'm sure if some legislative
> body somewhere started levying fines against providers, the net
> would be a cleaner place. For comments on 100 million infected
> machines... Doubtable. Anyone can play fuzzy math games, heck I
> just strangely figured out that MS is costing me an arm and a leg!

While I understand your frustration, lest we not forget, providers are in
the business of making money, and solutions of this type today only add
to churn, additional operational expense and liability.  It's not quite so
black and white as you make it, unfortunately.

With that, as Sean points out, providers are trying to address the issues
in a business-savvy manner and some do seem to have reasonable (IMO)
solutions underway.  But be careful what you ask for, some of these
solutions you're mandating might very well resemble SiteFinder-style
schemas (or far worse) in order to justify the investment by the
providers.

-danny


