[AusNOG] Telstra manipulating DNS to block botnets

Roland Chan roland at chan.id.au
Mon Jun 18 21:51:47 EST 2012


I think you have to quarantine the entire connection, at least until v6
becomes the default and you get to look behind the gateway.

I'd like to talk about regular servicing meaning that tread problems are
predictable, whereas infection is not, but I think that analogy has
finally shuffled off to rhetorical device heaven.

We could ask an AV Vendor to provide useful stats on AV efficacy but I
suspect it might undermine their marketing. In the last year I've seen a
nonrepresentative sample of people get done while their security
subscriptions are valid. (Hi mum!)

Sorry for the top replies. Anything else is too hard on a phone.
On Jun 18, 2012 8:27 AM, "Mark Andrews" <marka at isc.org> wrote:

>
> In message <CALxh8x88V+KmZYayyNETKuwy977MFQcP=TqYz-rsaXRJKZuv=g at mail.gmail.com>, Roland Chan writes:
> > I'd go further than that. The analogy is flawed in many ways, but the
> > 2 most salient are:
> >
> > - Roadworthiness is not an implicit part of owning a car (at least not
> > one that's driven on public roads). It's an explicit requirement of
> > operating a vehicle mandated by law. No such corresponding thing
> > exists for computers, and given the current state of technology I
> > believe it would be impossible to define and enforce.
> > - Roadworthiness is the ability of the vehicle to perform when
> > operated lawfully, and says nothing about the ability of the vehicle
> > to perform when under attack or used as a weapon. Up to date security
> > measures on a computer do not provide anywhere near as much confidence
> > about the protection from compromise as a roadworthiness certificate
> > does for mechanical reliability of a car.
>
> This is more like, you have been pulled over for bald tires.  There
> are obvious signs that you are infected and you are being pulled
> off the net for everyone else's safety.
>
> > I'll torture the analogy a bit further though: imagine losing your
> > licence because your car was stolen and used in an armed robbery.
> > Flawed again, but I couldn't help myself. I hate analogies and
> > torturing them gives me pleasure. ;)
>
> And is pointless in this case because you are not being told you
> can't use any computers.  You are just being told you can't use
> particular computers until you get them fixed.
>
> > I do agree with Damien that a service provider that does not have
> > explicit T&Cs dealing with this scenario may well end up in trouble,
> > and a provider that does have these T&Cs will have significant
> > customer service issues that will generate immense cost to the
> > business, to say nothing of the reputational impact.
>
> If you do it well, you will get a positive reputation.
>
> > I don't agree that we're talking about a short term support cost spike
> > either. Users will be repeatedly compromised, quarantined and calling
> > in for support.
>
> > Quarantine is painful for the customer and the provider, and does not
> > deliver sufficient long term benefit to the user, the provider or the
> > Internet at large to balance the cost, at least in my opinion.
>
> Tell that to those that are suffering DDoS and other attacks from
> compromised machines.
>
> > If
> > there were cheap, reliable and easily deployable measures a user could
> > take to secure their computers in the long term I would probably think
> > differently. Until then, I'm happy with mucking about with DNS to take
> > a chunk out of the problem (Disclosure: I used to lead the group that
> > designed all the stuff in the BigPond network that Barrie's been
> > talking about, including the Interpol filtering).
>
> This will always be a catchup game but if you get the systems
> upgraded to have the latest fixes you reduce the number of machines
> that can get infected and be used to attack others before the C&C
> machines are discovered.
>
> What percentage of these machines are infected via known and fixed
> vulnerabilities, and what percentage are infected by yet to be fixed vulnerabilities?
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
>