Re: CodeGreen beta release (idq-patcher/antiCodeRed/etc.)

From: Gert-Jan Hagenaars (blenderat_private)
Date: Fri Sep 07 2001 - 09:48:22 PDT


    First of all: I'm still talking about a passive inoculation program, one
    that only shuts up an attacking machine.  I'm NOT talking about a worm
    that goes rampant in patching "potential" victims.
    
    Apparently, Stanley G. Bubrouski wrote:
    % 
    % On Thu, 6 Sep 2001, Gert-Jan Hagenaars wrote:
    % 
    % > Apparently, Stanley G. Bubrouski wrote:
    % > % On Thu, 6 Sep 2001, Emre Yildirim wrote:
    % > % 
    % > % It may sound unreasonable but using access-lists on routers is a
    % > % great way for companies and providers to stop the spread of Code Red.  By
    % > % blocking all traffic from a person's machine they are then forced to call
    % > % their provider's tech support to report they lost their connection.  The
    % > % provider then can inform the customer they are infected, explain to them
    % > % they must patch their system, remove them from the ACLs, wait 24 hours and
    % > % if they show signs they are patched then do not reapply the ACL.
    % > 
    % > This doesn't work on machines that connect via DHCP.
    % 
    % With access-lists you can compare them to RADIUS for dial-up users and see
    % who they are and call them.  Think before you speak.
    
    You miss my point.  An infected machine's connected to the internet and
    gets a DHCP assigned IP address.  The machine attacks my server.  I parse
    my logs and find their ISP, I whois the ISP and get contact information,
    then I send them my logs (this I can automate).  They take my logs,
    convert to the right timezone (manual process), and hope that I'm using a
    timeserver (and trust I'm not making up IP addresses).  They parse my logs
    so that they're in a standard format for them.  They dig through their
    access logs to find the user, they dig through their billing server to
    find the phone number, they provide the attack logs, the dialup logs,
    the user name and contact information to their dialup support team.
    Then they have to disable the account.  You cannot work with ACLs here,
    because in another couple of hours, that infected machine is sitting
    at another IP address.  And a valid user is sitting at the blocked IP.
    This is a support nightmare.
    
    You may also be unaware of how ISPs have set up their departments.
    Network Operations People are _not_ there to explain to users how to
    patch their systems, and the Technical Support people are _not_ allowed
    to update ACL lists in routers (if you think about it, the reasons for
    that are obvious, specifically if you consider that Technical Support
    is often outsourced to another company).
    
    There's way too much manual labour involved in your solution; it doesn't
    scale.  I'm happy for you that you live in an environment where you can
    take care of all aspects of your network and your users.  But you're
    making assumptions that what works in your environment will work in a
    larger environment.
    
    % > The whole notion of using manhours to combat a DOS attack is an out of
    % > date idea.  Besides, you're turning the problem into a problem for
    % > the ISPs.  Which (essentially) means that you're turning the ISPs into
    % > internet-cops.
    % 
    % If an ISP's customer is causing traffic and infecting other customers what
    % would you expect the ISP to do?  Take a long lunch break and ignore the
    % problem?
    
    I would expect the ISP to be concerned and willing to fix the problem.
    My point (that you're refusing to acknowledge) is that we're not
    talking about "an ISP's customer", we're talking about "thousands of
    ISPs' customers".  There is no way that you'll see a quick response.
    Even if the ISP would be willing to hire another hundred people to do
    nothing but deal with this problem, the rampup time would be weeks.
    
    % > I see four distinct problems with this approach:  on one server we got
    % > about 1200 distinct hits of code-red in 24 hours.
    % > 
    % > (first problem) How many thousands of emails do I have to send in a
    % > week to get through to the ISPs, and
    % > 
    % > (second problem) who's going to handle all these requests in a timely
    % > manner and
    % > 
    % > (third problem) judge the validity of my claims?  And,
    % > 
    % > (fourth problem) who's going to pick up the bill for calling all these
    % > customers?
    % 
    % And who are you to claim infecting unknowing people with another virus is
    % any way to solve the problem.
    
    I'm someone who has worked for a reasonably sized ISP, and I know the
    type of people who own the infected boxes at this point, and I have a
    pretty good idea of what their technical skills are, and I am very much
    aware of the amount of effort involved in talking to these people to
    get them to do something.  I'm also aware of the cost of manual labour,
    and I'm aware of the speed of manual labour.  I'm also aware of how
    loaded core routers are and the impact of ACLs on them.
    
    % I mean someone brought up an interesting
    % point about CodeGreen, does it actually stop once a machine is fixed or
    % just keep infecting other machines?
    
    See the point I made at the top of my mail, and in several other places
    in my mail (and in my previous mail), it should be an inoculation program
    that shuts up any attacks aimed at it.  It should not be a program that
    goes out to probe on its own.  It should only patch an attacker.
    
    % > Consider the cost of a support call when a customer calls an ISP (CDN
    % > 7 about four years ago (when I worked for an ISP), very likely higher
    % > now), and that's when you don't have to spend time finding out which
    % > number to call, nor having to find the right person at the other end of
    % > the phone ("my son always takes care of this stuff, but I can't get to
    % > yahoo and i'm paying you guys for my internet connection!")
    % 
    % A lack of social/people skills is not justification for using a virus.
    
    How about a lack of computer skills?  Have you ever _talked_ to an
    average user?  Have a look for this in your favourite search engine:
    "stupid computer users".
    
    % > If your proposed approach worked, we wouldn't have any SPAM either.
    % > And that's an area where (most) ISPs _want_ to battle this.
    % 
    % My approach works, I have been using it for a month in a corporate network
    % and for the dial-up users on the road.  They call in, they are
    % informed of the problem, they are sent the fixes, they install them, all
    % done.
    
    Your approach works for you because you're in a very small environment,
    but it still doesn't scale.  Before you answer this, do a lookup on this
    in your favourite search engine: "order of magnitude".
    
    % > I think a passive inoculation (worm) that doesn't seek out victims, but
    % > only counters infected systems (where the admins (if they exist) don't
    % > care) is a far better approach.  It's certainly more cost effective,
    % > definitely quicker and obviously less prone to error.
    % 
    % LESS PRONE TO ERROR?  HELLO?  First of all CodeGreen does seek out victims
    % via scanning, second with human interaction if there are problems they can
    % be worked out in real time.
    
    I'll state this once more: the inoculation program should not seek
    out victims.  It should PATCH AN ATTACKER, and turn that attacker into a
    passive inoculator as well.
    
    Think about the effort involved in finding only 1000 administrators of
    machines.  How many people do you need for your human interaction project?
    
    % What if CodeGreen doesn't patch a system say
    % in the Ukraine?  And what if that system fails as a result of the so-called
    % "good" worm, what?  What if that machine going down costs a company
    % thousands of dollars and they are stuck trying to figure out why their
    % system failed?
    
    Ah, but they wouldn't know, now would they: they didn't know they were
    infected in the first place, and / or didn't care to fix it.
    
    You're thinking that someone is actually administering the box.
    My argument is that nobody is administering the box.  If it's
    administered, it's already patched.
    
    Cheers,
    Gert-Jan.
    
    -- 
    +++++++++++++ -------- +++++ --- ++ - +0+ + ++ +++ +++++ ++++++++ +++++++++++++
    sed '/^[when][coders]/!d         G.J.W. Hagenaars -- gj at hagenaars dot com
        /^...[discover].$/d          Remembering Mike Carty 1968-1994
       /^..[real].[code]$/!d         UltrixIrixAIXHPUXSunOSLinuxBSD, nothing but nix
    ' /usr/dict/words                I'm Dutch, what's _your_ excuse?
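The part of the abuse-handling pipeline that Gert-Jan says he can automate (parse the web logs, normalise timestamps so the ISP does not have to guess the reporter's timezone, and count distinct attacking hosts in a 24-hour window), as an added example that is not part of the original post or of CodeGreen. It runs over constructed Apache-style log lines; the `/default.ida?NNNN...` request pattern is Code Red's well-known probe signature, shortened here, and the 24-hour window mirrors the "1200 distinct hits in 24 hours" figure quoted in the thread.

```python
"""Extract Code Red probes from web-server access logs for an abuse report.
Added example, not code from the original mailing-list post.  Log lines are
constructed samples (RFC 5737 documentation addresses), not real traffic."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed NCSA/Apache combined-format lines.  Real Code Red probes carried
# a run of several hundred N's (Code Red II used X's); shortened here.
SAMPLE_LOG = """\
192.0.2.10 - - [06/Sep/2001:14:02:11 -0700] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 400 328
192.0.2.10 - - [06/Sep/2001:14:02:12 -0700] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 400 328
198.51.100.7 - - [06/Sep/2001:23:40:00 +0200] "GET /default.ida?XXXXXXXXXXXXXXXX HTTP/1.0" 400 328
203.0.113.5 - - [07/Sep/2001:02:15:09 -0700] "GET /index.html HTTP/1.0" 200 1042
192.0.2.99 - - [04/Sep/2001:10:00:00 -0700] "GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0" 400 328
"""
# End of the reporting window (UTC); the last sample line falls outside it.
WINDOW_END = datetime(2001, 9, 7, 9, 0, tzinfo=timezone.utc)

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
# Code Red's .ida buffer-overflow probe: a long run of N (or X) after the query mark.
CODE_RED_RE = re.compile(r'^/default\.ida\?[NX]{8,}')

def parse_line(line):
    """Return a dict with the source IP, UTC timestamp, URI and status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # The log records the server's local offset; normalise to UTC for the report.
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return {"ip": m["ip"], "ts": ts, "uri": m["uri"], "status": int(m["status"])}

def is_code_red_probe(entry):
    return CODE_RED_RE.match(entry["uri"]) is not None

def code_red_sources(log_text, window_end, window=timedelta(hours=24)):
    """Map each attacking IP to (probe count, first-seen UTC ISO time) within the window."""
    start = window_end - window
    hits = defaultdict(list)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and is_code_red_probe(e) and start <= e["ts"] <= window_end:
            hits[e["ip"]].append(e["ts"])
    return {ip: (len(ts), min(ts).isoformat()) for ip, ts in hits.items()}

def abuse_report(sources):
    """One line per attacking host, timestamps already in UTC, ready to mail to the ISP."""
    return [f"{ip}: {n} probe(s), first seen {first} (UTC)"
            for ip, (n, first) in sorted(sources.items())]

if __name__ == "__main__":
    print("\n".join(abuse_report(code_red_sources(SAMPLE_LOG, WINDOW_END))))
```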
    



    This archive was generated by hypermail 2b30 : Fri Sep 07 2001 - 11:40:36 PDT