[AusNOG] Analysis of the Carna Botnet (Internet Census 2012)

Mark Smith markzzzsmith at yahoo.com.au
Thu May 30 07:34:30 EST 2013

----- Original Message -----
> From: Heinz N <ausnog at equisoft.com.au>
> To: ausnog at lists.ausnog.net
> Cc: 
> Sent: Wednesday, 29 May 2013 5:23 PM
> Subject: Re: [AusNOG] Analysis of the Carna Botnet (Internet Census 2012)
> 
>>  The least of all evils is that the carriers block ingress TCP:22/23 unless 
>>  otherwise specified while they work with the user base to clean things up. 
>>  Internode do something along these lines where by default a bunch of 
>>  known-bad ports are blocked and users can unblock them via web UI where 
>>  required.
> 
> I would also block 80, 8080 & 443 .... it is shocking just how many 
> devices have admin interfaces on the WAN. Not even mentioning the special 
> packets that can game some devices. There are some devices with absolutely 
> horrendous hardware sploits that cannot be blocked. I would want to know 
> if I had one of those. It would go into the bin immediately.
> 

You need to be very careful about doing this sort of thing. Once you start blocking ports by default, there is a risk that non-technical people (press, politicians, anti-pirating groups, LEAs) think ISPs can and should do a lot more, and be responsible when those measures aren't effective. Given how easily the NBN is confused for faster Internets, I think this is a considerable risk.

I chose the list of ports that Internode block for IPv6 (derived from the IPv4 one). I still think there are some drawbacks with the idea. Because it is preventing the Internet attacking a subset of customers, they suffer no consequences and consequently don't have an incentive to fix them or get somebody to help fix them. The other drawback is that one day the ACL might not be applied correctly or might not be updated correctly due to human error. All of a sudden there will be many targets available to attack, whereas if the ACL hadn't been there, and people suffered consequences, there would have been piecemeal correcting of them over time. In other words, the attack surface will be smaller through constant small attack and response. Completely protecting people from consequences rarely causes them to actively take measures to mitigate them - in part because they may not be aware there is a problem at all.

I am generally OK with what Internode has done because they provided from day one the ability for customers to switch it off.

I also think there is a fundamental question of what you are selling. If it is "the Internet", then the Internet is a layer network that forwards layer 3 packets between the hosts at the edge, and it is up to the operators of the hosts (end-users, customers, content providers etc.) to choose what to run over the top of it. If you start blocking ports, you're getting into their applications, and then it isn't the Internet any more, it is a network that can support a subset of the applications the Internet can support, and you're taking choices about what applications to use it for out of the end-users'/customers' hands.

Regards,
Mark.