[AusNOG] Telstra manipulating DNS to block botnets

Mark Andrews marka at isc.org
Sun Jun 17 15:39:47 EST 2012


In message <CALxh8x9sC8mDYDUKb9DEPreXdCDOH5dXQc7huQqqhLUHHyun5A at mail.gmail.com>, Roland Chan writes:
> 
> The problem with that approach is the potential for a customer to be
> permanently stuck in quarantine because they lack the knowledge to clean
> their computer.
> 
> I don't think that is an acceptable outcome, at least not while they're
> paying for service.

There are hundreds of places where people can take their machines to be
fixed.

If you have an un-roadworthy car you get it fixed before you go back
on the road.  As the owner of the car it is your responsibility to
get it fixed either by doing the repairs yourself or paying someone
to do it for you.  It is an implicit part of owning a car.

The same should apply to compromised machines.  You do the work
yourself or you pay someone to do it for you.  Can you tell me
anyone who buys a machine these days that is not aware that machines
get compromised?  About the only thing they may not be aware of is
that they should be fixing their machines when they get compromised
and yes that may be an additional cost.

Mark

> On Jun 15, 2012 8:36 PM, "Anand Kumria" <akumria at acm.org> wrote:
> 
> > Until, of course, we have client side apps which check the DNSSEC
> > trust bits. And then the whole approach is doomed.
> >
> > It'll happen sooner than you expect (is already happening with SSH for
> > example).
> >
> > I'm with Mark. If you have a customer you suspect of infection, rather
> > than allowing them to continue using the Internet - quarantine them.
> >
> > It'll result in a short-term spike in support calls, but by doing it
> > on an exchange by exchange basis initially.
> >
> > You ought to be able to control the resultant incoming calls.
> >
> > Anand
> >
> > On 15 June 2012 11:53, Barrie Hall <barrie at mypond.net> wrote:
> > >
> > >
> > >>
> > >> > Managing and ensuring the quality and timeliness of the poisoning data
> > >> > is the *big issue* with this technology but we are seeing very good
> > >> > results now.
> > >> >
> > >> > Barrie
> > >>
> > >> It'd be interesting to know what your customers think of this
> > >> "intervention". Do they welcome that their ISP has detected a problem
> > >> and wants to help them or is it viewed as an unwelcome impost?
> > >>
> > >> It's a difficult situation that I don't envy. You're trying to solve a
> > >> problem you didn't create, you're trying to do the right thing for
> > >> your customers, your network and the general good, but the consumer
> > >> probably sees it as an inconvenience and a possible cost.
> > >>
> > >> I imagine the "messaging" has a lot to do with the consumer
> > >> response.
> > >>
> > >> If I mis-remember, Earthlink used to be pretty pro-active like this
> > >> and did a pretty good messaging job in the email space: here's one
> > >> example
> > >>
> > >> http://support.earthlink.net/articles/email/email-blocked-by-earthlink.php
> > >>
> > >>
> > >
> > > Mark,
> > >
> > > My views are my own on this email list so I can't get into what Telstra
> > > is and isn't doing. I will say that I am happy to discuss the value of DNS
> > > "purity" vs using DNS to solve some nasty problems we face every day.
> > >
> > > DNS is a valuable "control plane" which allows ISPs to deliver a better
> > > service with some tweaking. It is public knowledge that a number of ISPs
> > > are using DNS to suppress access to "the worst of the worst" child
> > > exploitation material on the Internet. I don't think that there is any
> > > doubt that this has been a success.
> > >
> > > Using DNS to suppress Botnets seems to me to be a "no brainer".
> > >
> > > Barrie
> > >
> > >
> > >
> > >
> > >
> > >
> > > _______________________________________________
> > > AusNOG mailing list
> > > AusNOG at lists.ausnog.net
> > > http://lists.ausnog.net/mailman/listinfo/ausnog
> > >
> >
> >
> >
> > --
> > “Don’t be sad because it’s over. Smile because it happened.” – Dr. Seuss
> >
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org


