[AusNOG] Telstra manipulating DNS to block botnets

Damien Gardner Jnr rendrag at rendrag.net
Tue Jun 19 06:59:29 EST 2012


Oh, and I should have pointed out earlier..  This 'quarantining' will 
still need to allow the customer to use things like remote desktop, 
TeamViewer, LogMeIn, etc to contact their regular remote support..

I don't know about the others here, but my parents' first point of tech 
support is usually myself, not one of the 'hundreds' of local computer 
stores (I've tried getting them to go to the local computer store 
first.. But that just resulted in every issue becoming a reinstall of 
Windows. And was completely useless..).  I can only imagine the hell my 
mother would let loose on the poor fellow on the BigPond helpdesk (and 
about 5 minutes later, her local MP, who does take her calls..) who 
tried to tell her 'Sorry, you have a virus, we have disconnected you 
from the internet until you fix it. No, we can't let you have enough 
internet access for your son to fix it remotely'.

For that matter, same would go for quite a few of our remote-support 
customers as well - except then you're not dealing with a pensioner on a 
rampage, you're dealing with a business owner screaming 'loss of 
income!'.  Or does this quarantining still allow the customer to 
send/receive emails etc?

Don't get me wrong, I appreciate the idea of trying to help customers, 
and reduce the amount of infections, etc - it just seems like it's going 
to cause more problems than it's worth..?

--DG

On 18/06/2012 9:51 PM, Roland Chan wrote:
>
> I think you have to quarantine the entire connection, at least until 
> v6 becomes the default and you get to look behind the gateway.
>
> I'd like to talk about regular servicing meaning that tread problems 
> are predictable, whereas infection is not,  but I think that analogy 
> has finally shuffled off to rhetorical device heaven.
>
> We could ask an AV Vendor to provide useful stats on AV efficacy but I 
> suspect it might undermine their marketing. In the last year I've 
> seen a nonrepresentative sample of people get done while their 
> security subscriptions are valid. (Hi mum!)
>
> Sorry for the top replies. Anything else is too hard on a phone.
>
> On Jun 18, 2012 8:27 AM, "Mark Andrews" <marka at isc.org> wrote:
>
>
>     In message
>     <CALxh8x88V+KmZYayyNETKuwy977MFQcP=TqYz-rsaXRJKZuv=g at mail.gmail.com>,
>     Roland Chan writes:
>     > I'd go further than that. The analogy is flawed in many ways, but the
>     > 2 most salient are:
>     >
>     > - Roadworthiness is not an implicit part of owning a car (at least not
>     > one that's driven on public roads). It's an explicit requirement of
>     > operating a vehicle mandated by law. No such corresponding thing
>     > exists for computers, and given the current state of technology I
>     > believe it would be impossible to define and enforce.
>     > - Roadworthiness is the ability of the vehicle to perform when
>     > operated lawfully, and says nothing about the ability of the vehicle
>     > to perform when under attack or used as a weapon. Up to date security
>     > measures on a computer do not provide anywhere near as much confidence
>     > about the protection from compromise as a roadworthiness certificate
>     > does for mechanical reliability of a car.
>
>     This is more like, you have been pulled over for bald tires.  There
>     are obvious signs that you are infected and you are being pulled
>     off the net for everyone else's safety.
>
>     > I'll torture the analogy a bit further though: imagine losing your
>     > licence because your car was stolen and used in an armed robbery.
>     > Flawed again, but I couldn't help myself. I hate analogies and
>     > torturing them gives me pleasure. ;)
>
>     And is pointless in this case because you are not being told you
>     can't use any computers.  You are just being told you can't use
>     particular computers until you get them fixed.
>
>     > I do agree with Damien that a service provider that does not have
>     > explicit T&Cs dealing with this scenario may well end up in trouble,
>     > and a provider that does have these T&Cs will have a significant
>     > customer service issues that will generate immense cost to the
>     > business, to say nothing of the reputational impact.
>
>     If you do it well you will get a positive reputation.
>
>     > I don't agree that we're talking about a short term support cost spike
>     > either. Users will be repeatedly compromised, quarantined and calling
>     > in for support.
>
>     > Quarantine is painful for the customer and the provider, and does not
>     > deliver sufficient long term benefit to the user, the provider or the
>     > Internet at large to balance the cost, at least in my opinion.
>
>     Tell that to those that are suffering DDoS and other attacks from
>     compromised machines.
>
>     > If there were cheap, reliable and easily deployable measures a user
>     > could take to secure their computers in the long term I would probably
>     > think differently. Until then, I'm happy with mucking about with DNS
>     > to take a chunk out of the problem (Disclosure: I used to lead the
>     > group that designed all the stuff in the BigPond network that Barrie's
>     > been talking about, including the Interpol filtering).
>
>     This will always be a catchup game but if you get the systems
>     upgraded to have the latest fixes you reduce the number of machines
>     that can get infected and be used to attack others before the C&C
>     machines are discovered.
>
>     What percentage of these machines are infected via known and fixed
>     vulnerabilities, and what percentage are infected by yet to be fixed
>     vulnerabilities?
>
>     Mark
>     --
>     Mark Andrews, ISC
>     1 Seymour St., Dundas Valley, NSW 2117, Australia
>     PHONE: +61 2 9871 4742
>     INTERNET: marka at isc.org
>


-- 
Damien Gardner Jnr
VK2TDG. Dip EE. GradIEAust
rendrag at rendrag.net - http://www.rendrag.net/
--
We rode on the winds of the rising storm,
  We ran to the sounds of thunder.
We danced among the lightning bolts,
  and tore the world asunder
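The thread argues about a DNS-based quarantine in the abstract: known botnet C&C names get sinkholed for everyone, and a quarantined subscriber keeps enough access for remote support (TeamViewer, LogMeIn and the like) while everything else lands on a "you are infected" page. The following is an added illustration of that policy, written for this page; it is not BigPond/Telstra code and does not describe their design. The domain lists, the sinkhole and portal addresses (RFC 5737 documentation space) and the quarantined flag are all assumptions. It parses a real RFC 1035 query packet, applies the policy, and forges an A answer where the policy says to; names matched only on a label boundary, so `notbad-cnc.example` is not caught by a rule for `bad-cnc.example`.

```python
"""Walled-garden DNS policy for quarantined subscribers (constructed example).

Not BigPond/Telstra code. All domain lists and addresses are assumptions.
"""
import struct
from enum import Enum

# Assumed policy data: a real deployment would feed these from threat intel
# (C&C names) and a support-tool allow-list agreed with the helpdesk.
CNC_DOMAINS = {"bad-cnc.example", "update-evil.example"}
REMOTE_SUPPORT = {"teamviewer.com", "logmein.com"}
SINKHOLE_IP = "192.0.2.1"   # assumed sinkhole, RFC 5737 documentation range
PORTAL_IP = "192.0.2.2"     # assumed captive "you are infected" portal


class Action(Enum):
    RESOLVE = "resolve"    # hand to the normal recursive resolver
    SINKHOLE = "sinkhole"  # answer with the sinkhole address (any subscriber)
    ALLOW = "allow"        # quarantined, but resolve normally (support tools)
    PORTAL = "portal"      # quarantined: answer with the captive portal


def normalise(name):
    return name.rstrip(".").lower()


def matches(name, domains):
    """True if name equals or is a subdomain of any entry (label boundary only)."""
    name = normalise(name)
    return any(name == d or name.endswith("." + d) for d in domains)


def decide(qname, quarantined):
    """Policy order: C&C sinkhole beats everything, then quarantine rules."""
    if matches(qname, CNC_DOMAINS):
        return Action.SINKHOLE
    if not quarantined:
        return Action.RESOLVE
    if matches(qname, REMOTE_SUPPORT):
        return Action.ALLOW
    return Action.PORTAL


def parse_question(packet):
    """Return (txid, qname, qtype, raw question section) from a wire-format query."""
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers are not legal in a query name
            raise ValueError("compression pointer in question name")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels), qtype, packet[12:pos + 4]


def build_response(txid, question, qtype, ip, ttl=60):
    """Forge a NOERROR response; an A record for A queries, NODATA otherwise."""
    if qtype != 1:
        # Flags 0x8180: QR=1, RD=1, RA=1. No answer: an empty NOERROR (NODATA).
        return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    # 0xC00C is a compression pointer to offset 12, i.e. the question name.
    rdata = bytes(int(o) for o in ip.split("."))
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def build_query(txid, qname, qtype=1):
    """Constructed query packet, used only to drive the example."""
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", qtype, 1)


def handle(packet, quarantined):
    """Return (action, forged response or None when the query should be forwarded)."""
    txid, qname, qtype, question = parse_question(packet)
    action = decide(qname, quarantined)
    if action is Action.SINKHOLE:
        return action, build_response(txid, question, qtype, SINKHOLE_IP)
    if action is Action.PORTAL:
        return action, build_response(txid, question, qtype, PORTAL_IP)
    return action, None  # RESOLVE / ALLOW: pass to the real recursive resolver


if __name__ == "__main__":
    for name, q in (("www.bad-cnc.example", False), ("teamviewer.com", True), ("news.example", True)):
        print(name, "quarantined" if q else "clean", handle(build_query(1, name), q)[0].value)
```

The design point the thread circles around is the `ALLOW` branch: the quarantine only works as a customer-service matter if the allow-list is maintained and the helpdesk knows it exists. Note also that this only catches hosts that use the ISP resolver; malware with hard-coded C&C addresses or its own resolver is untouched, which is why the DNS step is "a chunk out of the problem" rather than a fix.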
