nanog mailing list archives
Re: Dutch ISPs to collaborate and take responsibility
From: Lee <ler762 () gmail com>
Date: Fri, 9 Oct 2009 22:41:11 -0400
On 10/9/09, Rich Kulawiec <rsk () gsp org> wrote:
> On Wed, Oct 07, 2009 at 06:25:53AM -0700, Owen DeLong wrote:
>> Additionally the problems of DDOS sourced from a collection of
>> compromised hosts could be interfering with someone else's ability
>> to make a successful VOIP call.
>
> Much more than that: they could be interfering with the underlying
> infrastructure, or they could be attacking the VOIP destination, or
> they could be making fake VOIP calls (see below), or they could be
> doing ANYTHING. A compromised system is enemy territory, which is why:
>
>> This blocking should be as narrow as possible.
>
> Blocking should be total. A compromised system is as much
> enemy-controlled as if it were physically located at the RBN. Trying
> to figure out which of externally-visible behaviors A, B, C, etc. it
> exhibits might be malicious and which might not be is a loss,

If an ISP is involved with tracking down DDOS participants or something, I can understand how they'd know a system was compromised. But any kind of blocking because the ISP sees 'anomalous' traffic seems .. premature at best.

SANS newsbites has this bit:

  On Thursday, October 8, Comcast began testing a service that alerts its broadband subscribers with pop-ups if their computers appear to be infected with malware. Among the indicative behaviors that trigger alerts are spikes in overnight traffic, suggesting the machine has been compromised and is being used to send spam.

When my son comes home from college, there's a huge spike in overnight traffic from my house. With all the people advocating immediate blocking of pwned systems in this thread, I'm wondering what their criteria are for deciding that the system is compromised & should be blocked.

Lee