Ahh, but this is what is being asked for according to the recent SANS
mailings, folks want the core providers to be more active and take more
responsibility for -=their=- clients. How better to police and block
those under their domain?

Thanks,

Ron DuFresne

On Thu, 6 Sep 2001, Gert-Jan Hagenaars wrote:

> Apparently, Stanley G. Bubrouski wrote:
> % On Thu, 6 Sep 2001, Emre Yildirim wrote:
> %
> % It may sound unreasonable but using access-lists on routers is a
> % great way for companies and providers to stop the spread of Code Red. By
> % blocking all traffic from a person's machine they are then forced to call
> % their provider's tech support to report they lost their connection. The
> % provider then can inform the customer they are infected, explain to them
> % they must patch their system, remove them from the ACLs, wait 24 hours and
> % if they show signs they are patched then do not reapply the ACL.
>
> This doesn't work on machines that connect via DHCP.
>
> The whole notion of using manhours to combat a DOS attack is an out of
> date idea. Besides, you're turning the problem into a problem for
> the ISPs. Which (essentially) means that you're turning the ISPs into
> internet-cops.
>
> I see four distinct problems with this approach: on one server we got
> about 1200 distinct hits of code-red in 24 hours.
>
> (first problem) How many thousands of emails do I have to send in a
> week to get through to the ISPs, and
>
> (second problem) who's going to handle all these requests in a timely
> manner and
>
> (third problem) judge the validity of my claims? And,
>
> (fourth problem) who's going to pick up the bill for calling all these
> customers?
>
> Consider the cost of a support call when a customer calls an ISP (CDN
> 7 about four years ago (when I worked for an ISP), very likely higher
> now), and that's when you don't have to spend time finding out which
> number to call, nor having to find the right person at the other end of
> the phone ("my son always takes care of this stuff, but I can't get to
> yahoo and i'm paying you guys for my internet connection!")
>
> If your proposed approach worked, we wouldn't have any SPAM either.
> And that's an area where (most) ISPs _want_ to battle this.
>
> I think a passive inoculation (worm) that doesn't seek out victims, but
> only counters infected systems (where the admins (if they exist) don't
> care) is a far better approach. It's certainly more cost effective,
> definitely quicker and obviously less prone to error.
>
> So... where's the linux version?
>
> Cheers,
> Gert-Jan.
>
> --
> +++++++++++++ -------- +++++ --- ++ - +0+ + ++ +++ +++++ ++++++++ +++++++++++++
> sed '/^[when][coders]/!d G.J.W. Hagenaars -- gj at hagenaars dot com
> /^...[discover].$/d Remembering Mike Carty 1968-1994
> /^..[real].[code]$/!d UltrixIrixAIXHPUXSunOSLinuxBSD, nothing but nix
> ' /usr/dict/words I'm Dutch, what's _your_ excuse?
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart

***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.

This archive was generated by hypermail 2b30 : Fri Sep 07 2001 - 10:14:13 PDT