funsec mailing list archives
Re: dumb. Comcast pop-ups
From: Rich Kulawiec <rsk () gsp org>
Date: Sun, 11 Oct 2009 07:42:38 -0400
On Sat, Oct 10, 2009 at 05:59:40PM -0500, Toralv_Dirro () mcafee com wrote:
> And prevent their customers from some activity on the internet that may be extremely urgent and important? As much as I would prefer such an approach personally, I'm afraid this is not a realistic option in the real world.
It is the ONLY acceptable solution. Anything less is incompetent and abusive -- which is why Comcast, for a while, was the world's #1 spammer. I see no reason at all why the entire rest of the Internet should suffer abuse and attacks at the hands of Comcast's, or anyone else's, negligently-operated network.

And I'm appalled that *anyone* working in security does not recognize the basic principle that once a system is known-compromised, it must be immediately removed from the network. It's enemy territory as much as if it were physically hosted at the RBN. It no longer belongs, in any real sense, to its putative owner. Nothing it does can be trusted. And it is extraordinarily foolish to believe that it will carry out any task assigned to it by its putative (former) owner, from sending a piece of email to accessing a web site to controlling an external device to making a VOIP call to executing some anti-malware software package.

This should be burned into the brain of everyone working in security: If someone else can run arbitrary code on your computer, it's not YOUR computer any more. And allowing computers known-owned by the enemy to operate on one's network is off-the-scale stupid.

Now, I'm sorry it's inconvenient for Comcast. But I didn't build their network: THEY did. It is therefore 100% their responsibility to manage it properly. If they're not up to that task, then (a) maybe they shouldn't have built something they can't control and (b) they should immediately shut down all operations until they can. That's what responsible people do. [1] They certainly don't allow their festering sewer of an operation to carry out seven years of spam runs, DoS attacks, ssh probes, phishing schemes, etc. against the entire rest of the Internet because they lack the integrity, the courage and the wit to stop it.
> And I'm sure they are open to suggestion how to solve this with the least negative impact on them and their customers.
First: This Is Not My Problem. See above and note again that I didn't build their network: they did. Why, exactly, should I spend my valuable time attempting to instruct them in the rudiments of proper network operational practice? Shouldn't they have learned these Network 101 fundamentals *before* they built a huge network? Moreover, as someone who has had to spend his time and money dealing with the unceasing abuse emanating from Comcast, why should I spend MORE time and money telling my abusers how to make it stop? That's absurd.

Second: The time to "solve this with the least negative impact" on everyone, not just their customers, who are insignificant in the big scheme of things compared to the entire rest of the Internet, was 6-7 years ago. The proper response from Comcast at that time was to bring in all available staff (hiring more on-the-fly if necessary) and work the problem around-the-clock until resolution. That's what responsible professionals do.

And third: actually, no, they are not. Comcast, among others, is conspicuous by its absence from the forums in which senior people working in the field figured out what was going on in late 2002/early 2003 and began debating solutions. Subsequent actions by Comcast, including their deployment of DNS forgery techniques, strongly indicate that they are far more interested in maximizing revenue than they are in behaving as responsible participants in the Internet community.

Had Comcast been paying attention to those with a keen grasp of the situation 6-7 years ago, it *might* have been possible to address this problem before it became large enough to present serious scalability issues. However, thanks to their own bumbling and ineptness, it's now a huge problem (and not just at Comcast). For example, from July 2003 on the Spam-L list, which of course all minimally-competent practitioners in the field read, this snapshot of observed spam sources by month from one monitoring point:

> And by certain ISPs, e.g.
> Comcast:
>        7  Jan
>       27  Feb
>       32  Mar
>     2147  May
>     2498  Jun

Anyone looking at that and not immediately grasping that this indicated alarmingly non-linear growth should not be running a network. And of course this is but a tiny snippet out of a lengthy series of discussions which made it crystal-clear that they had an already-serious and quickly-growing problem on their hands.

One obvious course of action available at that time was to request logs from everyone who cared to contribute them and thereby identify many of the compromised systems on their network [2], disable all of those systems, and then effect repairs. Yes, this would be expensive. This is also Not My Problem: I don't build networks that I cannot afford to operate properly because I know that's irresponsible and unprofessional. Of course, given that Comcast was busy trying to spend $54B at the same time to buy Disney, I think we may safely dismiss any feeble protest on their part about costs.

---Rsk

[1] And that's not just talking the talk. We physically unplugged our entire campus from the 'net on 11/3/88 in an attempt to prevent our known-infected operation from becoming a hazard to others. It was obviously the right thing to do, and if similar circumstances presented themselves, it'd be done again.

[2] Certainly not all, as any which were compromised but not spewing spam wouldn't show up. But at least this would nail the visible ones, and in doing so, would diminish the scope of the problem while no doubt providing further insight into how best to deal with the remainder.
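The course of action the post proposes (pool the logs contributors send in, pick out the abuse sources that sit inside the ISP's own address space, disconnect them) as an added Python example; it is not code from the post or the list. The abuse reports and the ISP prefixes are constructed (RFC 5737 documentation ranges, not any real ISP's space), and the growth check applies the same fivefold-jump rule to the month-by-month figures quoted from Spam-L.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical ISP address space (constructed from documentation prefixes, not any real ISP's).
ISP_PREFIXES = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]

# Constructed abuse reports pooled from several contributors: "<month> <source-ip> <category>".
REPORTS = """\
2003-01 198.51.100.7 spam
2003-01 192.0.2.44 spam
2003-02 198.51.100.7 spam
2003-02 198.51.100.19 ssh-probe
2003-03 203.0.113.5 spam
2003-05 198.51.100.7 spam
2003-05 198.51.100.19 spam
2003-05 198.51.100.23 phish
2003-05 203.0.113.5 spam
2003-05 203.0.113.9 spam
2003-06 198.51.100.23 spam
2003-06 203.0.113.9 dos""".splitlines()

def in_own_space(addr, prefixes):
    """True if the reported source is inside the ISP's own prefixes; reports about other networks are skipped."""
    ip = ip_address(addr)
    return any(ip in net for net in prefixes)

def triage(lines, prefixes=ISP_PREFIXES):
    """Pool the contributed reports and return (hosts to disconnect, report count per month)."""
    per_host = defaultdict(set)  # host -> categories of abuse reported against it
    per_month = Counter()
    for line in lines:
        month, src, category = line.split()
        if not in_own_space(src, prefixes):
            continue
        per_host[src].add(category)
        per_month[month] += 1
    # Every one of our hosts seen emitting abuse is treated as compromised: it goes on the disconnect list.
    quarantine = sorted(per_host, key=ip_address)
    return quarantine, dict(sorted(per_month.items()))

def growth_alarms(per_month, factor=5):
    """Months whose count is at least `factor` times the previous observed month's (the non-linear jump)."""
    months = sorted(per_month)
    return [m for prev, m in zip(months, months[1:])
            if per_month[m] >= factor * per_month[prev]]

if __name__ == "__main__":
    print(triage(REPORTS))
    # The figures quoted from Spam-L in the post: Jan 7, Feb 27, Mar 32, May 2147, Jun 2498.
    print(growth_alarms({"Jan": 7, "Feb": 27, "Mar": 32, "May": 2147, "Jun": 2498}))
```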