[AusNOG] Telstra manipulating DNS to block botnets

Mark Andrews marka at isc.org
Mon Jun 18 08:27:22 EST 2012


In message <CALxh8x88V+KmZYayyNETKuwy977MFQcP=TqYz-rsaXRJKZuv=g at mail.gmail.com>
, Roland Chan writes:
> I'd go further than that. The analogy is flawed in many ways, but the
> 2 most salient are:
> 
> - Roadworthiness is not an implicit part of owning a car (at least not
> one that's driven on public roads). It's an explicit requirement of
> operating a vehicle mandated by law. No such corresponding thing
> exists for computers, and given the current state of technology I
> believe it would be impossible to define and enforce.
> - Roadworthiness is the ability of the vehicle to perform when
> operated lawfully, and says nothing about the ability of the vehicle
> to perform when under attack or used as a weapon. Up to date security
> measures on a computer do not provide anywhere near as much confidence
> about the protection from compromise as a roadworthiness certificate
> does for mechanical reliability of a car.

This is more like, you have been pulled over for bald tires.  There
are obvious signs that you are infected and you are being pulled
off the net for everyone else's safety.

> I'll torture the analogy a bit further though: imagine losing your
> licence because your car was stolen and used in an armed robbery.
> Flawed again, but I couldn't help myself. I hate analogies and
> torturing them gives me pleasure. ;)

And is pointless in this case because you are not being told you
can't use any computers.  You are just being told you can't use
particular computers until you get them fixed.

> I do agree with Damien that a service provider that does not have
> explicit T&Cs dealing with this scenario may well end up in trouble,
> and a provider that does have these T&Cs will have significant
> customer service issues that will generate immense cost to the
> business, to say nothing of the reputational impact.

If you do it well you will get a positive reputation.
 
> I don't agree that we're talking about a short term support cost spike
> either. Users will be repeatedly compromised, quarantined and calling
> in for support.

> Quarantine is painful for the customer and the provider, and does not
> deliver sufficient long term benefit to the user, the provider or the
> Internet at large to balance the cost, at least in my opinion.

Tell that to those that are suffering DDoS and other attacks from
compromised machines.

> If
> there were cheap, reliable and easily deployable measures a user could
> take to secure their computers in the long term I would probably think
> differently. Until then, I'm happy with mucking about with DNS to take
> a chunk out of the problem (Disclosure: I used to lead the group that
> designed all the stuff in the BigPond network that Barrie's been
> talking about, including the Interpol filtering).

This will always be a catchup game but if you get the systems
upgraded to have the latest fixes you reduce the number of machines
that can get infected and be used to attack others before the C&C
machines are discovered.

What percentage of these machines are infected via known and fixed
vulnerabilities, and what percentage are infected by yet-to-be-fixed vulnerabilities?

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org