Re: Broadband routers and botnets - being proactive

[alex () pilosoft com]

On Tue, 15 May 2007, Joe Greco wrote:

> The thing is that there's always been too much functional separation
> between the business of this list which is operating a network, and the
> security focused lists.  The business of operating a network has often
> conveniently ignored anything that doesn't actually cause the network to
> collapse, but which regardless makes the network a less-than-nice place
> to be.
>
> Is spam directly related to the business of Network A peering via BGP to
> Network B?  Doubtful.
Clearly, it is not. Packets keep flowing. Internet is more than email.

> However, where does that change?  What sort of things are operational?
Things that affect internet at large. Things that affect our routers.

> As long as we choose to interpret "operating a network" as being merely
> things that involve enable on a router, yes, it's way off-topic.  
> Sadly, many (most?) networks view their operation in a way that
> emphasizes this sort of attitude.  As a result, we still don't have
> basic security things that should /also/ be a fundamental part of
> netops, such as BCP38 at any point where it is reasonable to do so (like
> at virtually every edge).
That's certainly on-topic (why is BCP38 is not implemented as much as it 
should be).

> > You and I and lots of other people on this list are on on many or all
> > of those sorts of lists.
>
> In most organizations larger than a handful of people, the netops people
> are not necessarily the same as the security people, and I've often
> found that the groups do not understand issues happening in the other
> arena.
That's an issue for those organizations. :) However, security people have
their own mailing lists, and *forcing* operations people to be involved in
security issues is counter-productive. (You don't make your security
people to read nanog-l, do you?)

> > While cross-pollination is acceptable and in fact desired dragging the
> > business of one group of community interests in to the domain of
> > another is not appropriate.
>
> Were they all truly separate, this would be true.  They're not all truly
> separate.  Pretending that they're separate would be a convenient way to
> allow your network to continue peeing in the pool, ignoring problems,
> which (sadly) doesn't seem to be an unusual attitude at certain
> networks.
Sadly, the alternatives (resulting in trying to police the internet) are 
much worse than status quo.

> Those of us who have been implementing BCP38-style filtering since
> before BCP38 existed, on the other hand, may take a slightly more mature
> view of what "network operations" involves, and it sure covers a lot
> more ground than what you can do with enable on a router.
>
> I do not consider host security to be directly connected to netops.
> However, it certainly has an impact, and to a certain extent, a little
> occasional discussion is warranted.
When it is affecting internet at large (think nachi/nimda/codered), 
clearly.

> Gadi may tend to bring along a little too much discussion, though.  I
> think a lot of people would agree with that.
I think this is the case of a 'boy who cried wolf' too many times. 

<snip>
> I find it sadly ironic that the netops community, which largely runs
> huge commercial for-profit networks, would think that others would
> handle the security aspects for them - and do it for free.
Those who run huge commercial for-profit networks usually have people who 
are dedicated to security aspects...Ones not so lucky usually have same 
people who are both operations and security and peering - and we are 
subscribed to all the mailing lists we need to know to get all our jobs 
done. And I think its the way things should be.

> What's pathetic is that these same large networks usually can't be
> bothered to do much (or anything) to eliminate the environment which
> provides work opportunities for security consultants.
Do I smell a "final ultimate solution" somewhere? :)


[note the cc to nanog-futures - please strip cc to nanog-l from the
replies to this email. meta-discussions belong on -futures]

alex [speaking for myself only]