Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.)

From: Ron DuFresne (dufresneat_private)
Date: Thu Sep 06 2001 - 23:24:48 PDT


    Ahh, but this is what is being asked for according to the recent SANS
    mailings: folks want the core providers to be more active and take more
    responsibility for -=their=- clients.  How better to police and block
    those under their domain?
    
    Thanks,
    
    Ron DuFresne
    
    On Thu, 6 Sep 2001, Gert-Jan Hagenaars wrote:
    
    > Apparently, Stanley G. Bubrouski wrote:
    > % On Thu, 6 Sep 2001, Emre Yildirim wrote:
    > % 
    > % It may sound unreasonable but using access-lists on routers is a
    > % great way for companies and providers to stop the spread of Code Red.  By
    > % blocking all traffic from a person's machine they are then forced to call
    > % their provider's tech support to report they lost their connection.  The
    > % provider then can inform the customer they are infected, explain to them
    > % they must patch their system, remove them from the ACLs, wait 24 hours and
    > % if they show signs they are patched then do not reapply the ACL.
    > 
    > This doesn't work on machines that connect via DHCP.
    > 
    > The whole notion of using manhours to combat a DOS attack is an out of
    > date idea.  Besides, you're turning the problem into a problem for
    > the ISPs.  Which (essentially) means that you're turning the ISPs into
    > internet-cops.
    > 
    > I see four distinct problems with this approach:  on one server we got
    > about 1200 distinct hits of code-red in 24 hours.
    > 
    > (first problem) How many thousands of emails do I have to send in a
    > week to get through to the ISPs, and
    > 
    > (second problem) who's going to handle all these requests in a timely
    > manner and
    > 
    > (third problem) judge the validity of my claims?  And,
    > 
    > (fourth problem) who's going to pick up the bill for calling all these
    > customers?
    > 
    > Consider the cost of a support call when a customer calls an ISP (CDN
    > 7 about four years ago (when I worked for an ISP), very likely higher
    > now), and that's when you don't have to spend time finding out which
    > number to call, nor having to find the right person at the other end of
    > the phone ("my son always takes care of this stuff, but I can't get to
    > yahoo and i'm paying you guys for my internet connection!")
    > 
    > If your proposed approach worked, we wouldn't have any SPAM either.
    > And that's an area where (most) ISPs _want_ to battle this.
    > 
    > I think a passive inoculation (worm) that doesn't seek out victims, but
    > only counters infected systems (where the admins (if they exist) don't
    > care) is a far better approach.  It's certainly more cost effective,
    > definitely quicker and obviously less prone to error.
    > 
    > So... where's the linux version?
    > 
    > Cheers,
    > Gert-Jan.
    > 
    > -- 
    > +++++++++++++ -------- +++++ --- ++ - +0+ + ++ +++ +++++ ++++++++ +++++++++++++
    > sed '/^[when][coders]/!d         G.J.W. Hagenaars -- gj at hagenaars dot com
    >     /^...[discover].$/d          Remembering Mike Carty 1968-1994
    >    /^..[real].[code]$/!d         UltrixIrixAIXHPUXSunOSLinuxBSD, nothing but nix
    > ' /usr/dict/words                I'm Dutch, what's _your_ excuse?
    > 
    
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    "Cutting the space budget really restores my faith in humanity.  It
    eliminates dreams, goals, and ideals and lets us get straight to the
    business of hate, debauchery, and self-annihilation." -- Johnny Hart
    	***testing, only testing, and damn good at it too!***
    
    OK, so you're a Ph.D.  Just don't touch anything.
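The two approaches argued over above (per-source ACL blocking versus the sheer volume of distinct Code Red sources hitting one server) both start from the same data: a web server's access log. The script below is an added example, not code from this thread or from any of its participants. It parses Common Log Format lines, flags Code Red style probes by the `GET /default.ida?` target followed by a long run of filler letters (`N` for Code Red v1/v2, `X` for Code Red II), counts probes and distinct sources the way Gert-Jan's "1200 distinct hits in 24 hours" figure would be produced, and emits per-source Cisco IOS-style extended ACL entries of the kind Stanley describes. The log lines, IP addresses and the `%u`-encoded payload fragment are constructed for the example; the ACL number 101 is an arbitrary choice.

```python
"""Count Code Red probes per source in a web-server access log and draft
per-source ACL entries.  Added example, not from the thread; all log lines
below are constructed."""
import re
from collections import Counter

# Common Log Format: host ident user [time] "method path proto" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Code Red v1/v2 requested /default.ida?NNNN...; Code Red II used XXXX...
# The filler run is followed by the %u-encoded overflow.  Keying on the
# .ida target plus a long run of one filler letter (20+ here, an assumed
# threshold) matches truncated log entries and either variant.
CODE_RED_RE = re.compile(r'^/default\.ida\?(N{20,}|X{20,})')

# Constructed sample log (RFC 5737 / RFC 1918 addresses, illustrative payload).
SAMPLE_LOG = """\
10.1.2.3 - - [06/Sep/2001:08:01:10 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 276
10.1.2.3 - - [06/Sep/2001:08:02:10 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 276
192.0.2.77 - - [06/Sep/2001:09:15:00 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 276
198.51.100.5 - - [06/Sep/2001:09:20:41 -0700] "GET /index.html HTTP/1.1" 200 5120
"""


def parse_clf(line):
    """Return the CLF fields of one log line as a dict, or None if malformed."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def code_red_variant(path):
    """Return 'N' (Code Red v1/v2) or 'X' (Code Red II) for a probe, else None."""
    m = CODE_RED_RE.match(path)
    return m.group(1)[0] if m else None


def summarize(lines):
    """Aggregate Code Red probes: total, distinct sources, hits per source,
    and a count per filler variant.  Non-probe and unparseable lines are skipped."""
    per_source = Counter()
    variants = Counter()
    for line in lines:
        rec = parse_clf(line)
        if rec is None:
            continue
        variant = code_red_variant(rec["path"])
        if variant is None:
            continue
        per_source[rec["host"]] += 1
        variants[variant] += 1
    return {
        "total_probes": sum(per_source.values()),
        "distinct_sources": len(per_source),
        "per_source": dict(per_source),
        "variants": dict(variants),
    }


def acl_lines(sources, acl_number=101):
    """Cisco IOS extended-ACL deny entries, one per probing host (illustrative;
    the ACL number is arbitrary).  Sources are sorted as strings for stable output."""
    return [f"access-list {acl_number} deny ip host {ip} any" for ip in sorted(sources)]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print(f"{s['total_probes']} probes from {s['distinct_sources']} distinct sources")
    for ip, n in sorted(s["per_source"].items(), key=lambda kv: -kv[1]):
        print(f"  {ip:15} {n} hit(s)")
    print("\n".join(acl_lines(s["per_source"])))
```

Run against a real log the per-source list is what an abuse report or an ACL would be built from; its length is Gert-Jan's point about cost, and the fact that entries are keyed on source address is his DHCP objection, since a dynamically addressed host will not be at the same address by the time the ACL is applied or reviewed.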
    



    This archive was generated by hypermail 2b30 : Fri Sep 07 2001 - 10:14:13 PDT