nanog mailing list archives

Re: Dutch ISPs to collaborate and take responsibility


From: Lee <ler762 () gmail com>
Date: Fri, 9 Oct 2009 22:41:11 -0400

On 10/9/09, Rich Kulawiec <rsk () gsp org> wrote:
> On Wed, Oct 07, 2009 at 06:25:53AM -0700, Owen DeLong wrote:
> > Additionally the problems of DDOS sourced from a collection of
> > compromised hosts could be interfering with someone else's ability
> > to make a successful VOIP call.
>
> Much more than that: they could be interfering with the underlying
> infrastructure, or they could be attacking the VOIP destination,
> or they could be making fake VOIP calls (see below), or they could
> be doing ANYTHING.  A compromised system is enemy territory, which is why:
>
> > This blocking should be as narrow as possible.
>
> Blocking should be total.  A compromised system is as much
> enemy-controlled as if it were physically located at the RBN.  Trying
> to figure out which of externally-visible behaviors A, B, C, etc.
> it exhibits might be malicious and which might not be is a loss,

If an ISP is involved with tracking down DDOS participants or
something, I can understand how they'd know a system was compromised.
But any kind of blocking because the ISP sees 'anomalous' traffic
seems ... premature at best.  SANS newsbites has this bit:
  On Thursday, October 8, Comcast began testing a service that alerts its
  broadband subscribers with pop-ups if their computers appear to be
  infected with malware.  Among the indicative behaviors that trigger
  alerts are spikes in overnight traffic, suggesting the machine has been
  compromised and is being used to send spam.

When my son comes home from college, there's a huge spike in overnight
traffic from my house.  With all the people advocating immediate
blocking of pwned systems in this thread, I'm wondering what their
criteria are for deciding that the system is compromised & should be
blocked.

Lee
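To make the disagreement in this post concrete, here is an added Python sketch (not written by anyone on this thread, and not Comcast's actual detection logic) that scores constructed per-hour traffic samples two ways: by the volume-only "overnight spike" rule quoted from SANS, and by a rule that also requires the direct-to-port-25 fan-out a spam-sending bot would actually show. All thresholds, field names and sample values are assumptions.

```python
from dataclasses import dataclass

# Constructed per-host hourly samples (assumed format, not real subscriber data).
@dataclass
class HourSample:
    hour: int            # 0-23 local time
    bytes_out: int       # outbound bytes in this hour
    smtp_conns: int      # outbound TCP connections to port 25 in this hour
    smtp_dst_hosts: int  # distinct port-25 destinations seen in this hour

OVERNIGHT = range(0, 6)  # hours we count as "overnight" (assumption)

def overnight_bytes(samples):
    return sum(s.bytes_out for s in samples if s.hour in OVERNIGHT)

def naive_spike_alert(baseline, recent, factor=5.0):
    """Volume only: fire when overnight bytes exceed `factor` x the baseline."""
    base = overnight_bytes(baseline) or 1
    return overnight_bytes(recent) / base >= factor

def corroborated_alert(baseline, recent, factor=5.0,
                       min_smtp_conns=200, min_dst_hosts=50):
    """Volume spike AND spam-like behaviour: many port-25 connections
    fanned out to many distinct destinations during the same hours."""
    if not naive_spike_alert(baseline, recent, factor):
        return False
    conns = sum(s.smtp_conns for s in recent if s.hour in OVERNIGHT)
    dsts = max((s.smtp_dst_hosts for s in recent if s.hour in OVERNIGHT), default=0)
    return conns >= min_smtp_conns and dsts >= min_dst_hosts

def day(bytes_overnight, smtp_conns=0, smtp_dsts=0):
    """Build 24 hourly samples: overnight hours carry the given traffic,
    daytime hours stay quiet. Constructed data for the demonstration."""
    per_hour = bytes_overnight // len(OVERNIGHT)
    return [HourSample(h, per_hour if h in OVERNIGHT else 50_000,
                       smtp_conns if h in OVERNIGHT else 0,
                       smtp_dsts if h in OVERNIGHT else 0) for h in range(24)]

BASELINE = day(bytes_overnight=60_000_000)    # quiet household: ~60 MB overnight
SON_HOME = day(bytes_overnight=900_000_000)   # legitimate 15x jump, no SMTP fan-out
SPAMBOT  = day(bytes_overnight=500_000_000, smtp_conns=150, smtp_dsts=700)

if __name__ == "__main__":
    for name, recent in (("son home", SON_HOME), ("spambot", SPAMBOT)):
        print(name, "naive:", naive_spike_alert(BASELINE, recent),
              "corroborated:", corroborated_alert(BASELINE, recent))
```

The volume-only rule flags both the student's return and the bot; only the corroborated rule separates them, which is the kind of criterion the post is asking proponents of immediate blocking to state.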

