North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: botnets: web servers, end-systems and Vint Cerf

  • From: michael.dillon
  • Date: Fri Feb 16 11:42:51 2007

> I've concluded three things (by doing experiements like 
> that).  (a) Where
> there are Windows boxes, there are zombies.  "Securing 
> Microsoft operating
> systems adequately for use on the Internet" is not a solved problem in
> computing.  

I disagree. Since 1994 I have been in the habit of setting up MS Windows
boxes with Win98 and up, by installing from CD, connecting to the net
and installing various patches and updates from the Windows Update
service. I've never had a virus infection, a bot, a root kit or
whatever. The secret is simple. These machines never connected directly
to the Internet but went through a NAT box. Way back when it was a
FreeBSD machine running TIS Firewalls Toolkit. These days it is an
off-the-shelf Ethernet switch with DSL modem and NAT built-in.

Therefore, I assert that securing systems adequately for use on the
Internet is indeed a SOLVED PROBLEM in computing. However, it isn't yet
solved in a social or business sense. On the business side, I wonder why
PC's don't come with a built-in firewall/NAT device. It is cheap enough
to do these days. This means that a computer would have no Ethernet
ports on it. Instead, an internal Ethernet port would be directly
connected to a NAT/firewall device on the same circuit board (or via
PCI/PCMCIA/etc.). The external Ethernet port would belong to the
firewall/NAT device. On the social side, people don't realize that such
a solution is possible and therefore they aren't demanding computer
vendors to build it in. The box vendors only build what the OS vendors
want and the OS vendors are not interested in a piece of hardware that
runs its own OS, most likely FreeBSD or Linux.

In the UK, companies who sell TV services (cable and satellite) give
there customers a box to connect with. Why can't ISPs also sell their
services with a proper box included? By proper, I mean a NAT/firewall,
not a USB-connected DSL modem. 

> (c) Amusingly, it's possible
> to detect new end-user allocations and service rollouts by noting when
> spam starts to arrive from them.  (e.g. the Verizon FIOS 
> deployment, if I
> may use hostnames of the form * as a guide, is going
> well in NYC, Dallas, DC, Tampa, Philly, LA, Boston and 
> Newark, but lags
> behind in Seattle, Pittsburgh, Buffalo and Syracuse.)

I wonder if Verizon is violating any SEC rules by not reporting this
information publicly? This is a good example of something that would not
be revealed if they provided a NAT/firewall box to every customer who
didn't already have one.

Has anyone implemented a tool that ISPs could use to detect whether or
not a NAT/firewall device is present? Perhaps based on OS
fingerprinting? Or even based on an agent that must be installed by the
customer? If such tools are available then an ISP could offer customers
a discount for being compliant with a NAT/firewall rule in their

--Michael Dillon