[AusNOG] NBN must avoid becoming 'failed state'

Vitaly Osipov vitaly.osipov at gmail.com
Wed Sep 22 08:18:39 EST 2010


On 21/09/10 7:25 PM, "Roland Chan" <roland at chan.id.au> wrote:

> their PCs get owned and conficker's ability to operate can be
> significantly reduced by measures taken in the network. To the extent
> that malicious software can be reverse engineered, we can continue to
> disrupt the botnets if we're willing.

(Willing... to fight the last war?)

I am confused now... I was told by the guy who sold me firewalls that they
will definitely stop the "bad stuff". Then when they did not, another guy
sold me IDS and promised me that it will definitely pick up all the badness
that comes through the firewall... Then... Ah nevermind. :)

> Either you're right and noone cares, or I am and your customers will
> suffer more than mine.

I have here a very long, very recent, and much less pedigreed (than
Spafford's) quote from the guy who nevertheless knows what he is talking
about. Substitute your customers vs. my customers or Australia vs. the rest
of the world for the two banks in the scenario.

http://ha.ckers.org/blog/20100904/the-effect-of-snakeoil-security/

"...even the most worthless security tools can be proven to “work” if you
look at the numbers.  Here’s how.

Let’s say hypothetically that you have only two banks in the entire world:
banka.com and bankb.com.  Let’s say Snakeoil salesman goes up to banka.com
and convinces banka.com to try their product.  Banka.com is thinking that
they are seeing increased fraud (as is the whole industry), and they’re
willing to try anything for a few months.  Worst case they can always get
rid of it if it doesn’t do anything.  So they implement Snakeoil into their
site.  The bad guy takes one look at the Snakeoil and shrugs.  Is it worth
bothering to figure out how banka.com security works and potentially having
to modify their code?  Nah, why not just focus on bankb.com, double up the
fraud, and continue doing the exact same thing they were doing before?

Suddenly banka.com is free of fraud.  Snakeoil works, they find!  They
happily let the Snakeoil salesman use them as a use case.  So our Snakeoil
salesman goes across the street to bankb.com.  Bankb.com has seen a twofold
increase in fraud over the last few months (all of banka.com’s fraud plus
their own), strangely, and they’re desperate to do something about it.
Snakeoil salesman is happy to show them how much banka.com has decreased
their fraud just by buying their shoddy product. Bankb.com is desperate so
they say fine and hand over the cash.

Suddenly the bad guy is presented with a problem.  He’s got to find a way
around this whole Snakeoil software or he’ll be out of business.  So he
invests a few hours, finds an easy way around it and voila.  Back in
business.  So the bad guy again diversifies his fraud across both banks
again.  Banka.com sees an increase in fraud back to the old days, which
can’t be correlated to anything having to do with the Snakeoil product.
Bankb.com sees their fraud drop immediately after having installed the
Snakeoil therefore proving that it works twice if you just look at the
numbers.

Meanwhile what has happened?  Are the users safer?  No, and in fact, in some
cases it may even make the users less safe.  Has this stopped the attacker?
Only long enough to work around it.  What’s the net effect?  The two banks
are now spending money on a product that does nothing but they are now
convinced that it is saving them from huge amounts of fraud.  They have the
numbers to back it up - although the numbers are only half the story.  Now
there’s less money to spend on real security measures.  Of course, if you
look at it from either bank’s perspective the product did save them and
they’ll vehemently disagree that the product doesn’t work, but it also
created the problem that it solved in the case of bankb.com (double the
fraud)..."

We can implement all sorts of network surveillance, throw Arbor, Sandvine
etc in there, and it will have short term positive effects, and the
customers might even love the results for a (short) while. On the other
hand, it only takes maybe a week of coding and testing to turn any existing
botnet into a headless P2P network completely blending in with Bittorrent,
or start controlling them via Twitter, Facebook etc. There simply was no
need for that just yet, but the POC code is out there.

There is a very high chance we will simply force botnets to evolve, and all
we will be left with is the same (or higher, because of the false sense of
security) level of infestation plus, erm, a capability to map your Google
searches to your name and home address from a nice central location. The
latter is a minor issue, though :)

> 
> On Tue, Sep 21, 2010 at 5:28 PM, Vitaly Osipov <vitaly.osipov at gmail.com>
> wrote:
>> IMHO if you ask a non-techie person whether they seriously care about
>> their computer becoming a part of the botnet, they are not too
>> concerned if their data does not get stolen. Your measures do not
>> quite prevent a computer from becoming part of a botnet, although they
>> may help decrease the chance somewhat by filtering TCP traffic from
>> *known* CCs. And they will help with tracking things as well.
>> 
>> Then again, this setup will lead to another round of "flux" - e.g. CCs
>> will start sending cryptosigned commands from spoofed IPs (overseas,
>> outside your antispoofing control) over UDP telling the zombies to
>> submit their info to a temporary IP or a set of IPs etc. Or bounce the
>> data between zombies several times before finally sending it out. And
>> so on. The data will still be stolen, because you will never be able
>> to disconnect the new bots quickly enough. So, the only issue you can
>> solve in reality is DDoS.
>> 
>> Regards,
>> Vitaly
>> 
>> 
>> 
>> 
>> On Tue, Sep 21, 2010 at 4:11 PM, Dobbins, Roland <rdobbins at arbor.net> wrote:
>>> 
>>> On Sep 21, 2010, at 12:59 PM, Vitaly Osipov wrote:
>>> 
>>>> I have not seen the presentation, but judging from the slides it was
>>>> primarily concerned with DDoS prevention.
>>> 
>>> Actually, it was primarily concerned with dealing with bots, period.
>>> 
>>>> 
>>>> Although, to be fair, the slides briefly recommend embedding total L2+
>>>> surveillance into NBN, but I wonder how this recommendation will fly...
>>>> (slides 25 and especially 6 :) ).
>>> 
>>> Not surveillance, visibility for situational awareness.
>>> 
>>>> Besides, no instrumentation of local networks will help against foreign
>>>> attackers.
>>> 
>>> Actually, it does - it allows one to see inbound/outbound/crossbound attack
>>> traffic, botnet command-and-control, et. al.
>>> 
>>> -----------------------------------------------------------------------
>>> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
>>> 
>>>               Sell your computer and buy a guitar.
>>> 
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> AusNOG mailing list
>>> AusNOG at lists.ausnog.net
>>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>> 
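The point in Vitaly's earlier message quoted above, that filtering traffic from *known* C&C addresses does little once bots act on cryptographically signed commands that can arrive from any (spoofed or foreign) source, as an added example that is not part of this thread or of any real botnet. It uses a toy textbook RSA signature on small keys purely so it runs on the Python standard library (assumption: a real design would use a proper signature scheme such as Ed25519); the addresses are RFC 5737 documentation ranges, and the command format, the sequence-number rule and the blocklist are constructed for the example.

```python
# Added example (not from the AusNOG thread): why blocking *known* C&C IPs does
# not stop a botnet whose commands are authenticated by signature, not by source.
# Toy textbook RSA (no padding, 512-bit modulus) is used only so this runs on the
# standard library; addresses are RFC 5737 documentation ranges (constructed).
import hashlib
import json
import math
import random


def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def keygen(bits=256, seed=2010):
    """Toy RSA keypair. Bots ship only (e, n); the operator keeps (d, n)."""
    rng = random.Random(seed)          # seeded so the example is reproducible
    e = 65537
    while True:
        p, q = gen_prime(bits, rng), gen_prime(bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    n = p * q
    return (e, n), (pow(e, -1, phi), n)


def _digest(cmd):
    # Canonical JSON so signer and verifier hash identical bytes.
    data = json.dumps(cmd, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, cmd):
    d, n = priv
    return pow(_digest(cmd), d, n)


def verify(pub, cmd, sig):
    e, n = pub
    return pow(sig, e, n) == _digest(cmd) % n


KNOWN_CC = {"203.0.113.7"}  # the one C&C address the ISP has identified (constructed)


def network_filter(packet):
    """ISP-side control from the thread: drop traffic from known C&C sources."""
    return packet["src"] not in KNOWN_CC


class Bot:
    """Zombie that obeys any correctly signed command with a fresh sequence number."""

    def __init__(self, pub):
        self.pub = pub
        self.last_seq = 0

    def handle(self, packet):
        cmd, sig = packet["cmd"], packet["sig"]
        if not verify(self.pub, cmd, sig):
            return False            # forged or tampered
        if cmd["seq"] <= self.last_seq:
            return False            # replay of an old command
        self.last_seq = cmd["seq"]
        return True                 # the source address is never consulted


def deliver(bot, packet):
    """Returns (passed_network_filter, accepted_by_bot)."""
    if not network_filter(packet):
        return (False, False)
    return (True, bot.handle(packet))


def run_scenario():
    pub, priv = keygen()
    bot = Bot(pub)
    cmd = {"seq": 1, "op": "exfil", "to": "198.51.100.9"}   # constructed command
    sig = sign(priv, cmd)
    results = {}
    # 1. Sent straight from the blocklisted C&C: the filter works.
    results["from_known_cc"] = deliver(bot, {"src": "203.0.113.7", "cmd": cmd, "sig": sig})
    # 2. Same signed bytes from a spoofed/foreign source: filter passes, bot obeys.
    results["spoofed_src"] = deliver(bot, {"src": "192.0.2.33", "cmd": cmd, "sig": sig})
    # 3. Replayed later: signature still valid, but seq is stale.
    results["replay"] = deliver(bot, {"src": "192.0.2.34", "cmd": cmd, "sig": sig})
    # 4. Defender who reverse-engineered the bot has (e, n) but not d: forgery fails.
    results["forged"] = deliver(bot, {"src": "192.0.2.35", "cmd": {"seq": 2, "op": "uninstall"}, "sig": 12345})
    # 5. Genuine signature over a body that was altered in transit: rejected.
    cmd2 = {"seq": 2, "op": "exfil", "to": "198.51.100.9"}
    tampered = dict(cmd2, to="192.0.2.99")
    results["tampered"] = deliver(bot, {"src": "192.0.2.36", "cmd": tampered, "sig": sign(priv, cmd2)})
    return results


if __name__ == "__main__":
    for name, (passed, accepted) in run_scenario().items():
        print(f"{name:14s} passed_filter={passed} bot_accepted={accepted}")
```

Only the first case is stopped by the network, and only because the operator sent from the one address on the list; every other outcome is decided by the key the bot carries, which the network cannot see. Reverse engineering the bot yields just (e, n), so a defender cannot forge commands to it either; the design choice that matters is that the bot trusts a signature, not a source.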