North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: botnets: web servers, end-systems and Vint Cerf [LONG, sorry]

  • From: michael.dillon
  • Date: Mon Feb 19 08:30:53 2007

> But suppose you put such a firewall in place.  You'll need to
> configure the firewall properly -- paying as much attention to
> outbound rules as inbound. 

Sounds like a good thing to document in a best practices document that
can be used to certify firewall implementations. When trying to solve a
social problem, techniques like the Good Housekeeping seal of approval
are quite effective. As recommended by the editors of...

> You'll need to add anti-virus software.  And anti-spyware software.
> Then you need to make sure the "signature" databases for both of those
> are updated early and often,

What if the guidelines state that subscription and database oriented
techniques for virus detection are not adequate and therefore not
compliant. Only heuristic, capability-based systems are acceptable.

> And you'll need to de-install IE and Outlook,

Thus ensuring that Firefox/Thunderbird will be the main target of the
malware people. Is this necessarily any better? Note that Windows
provides an extensive series of hooks which can be used by an
application which wishes to subvert the normal operation of the OS. That
subversive application could be the security monitor which is required
by the ISP for Internet access because it is recommended in your

> Something which requires this much work just to make it through its
> first day online, while being used by J. Random Person, is hopelessly
> inadequate.  Which is why systems like this are routinely 
> compromised in
> huge numbers.  Which is why we have a large-scale problem on 
> our hands.

We live in a complex world. Computers are more complex than they were.
OSes are more complex. Apps are more complex. Networks are more complex.
And SOLUTIONS are more complex. But if the designers of computers, OSes,
apps and networks can deal with the complexity, why can't security folks
do likewise?

> This left me with >1.5M observed hosts seen in a month.  
> They're all sending
> spam.  (How do I know?  Because 100% of the mail traffic sent to that
> server is spam.) 

What you did sounds dumb except that you said this is an experiment.
Unfortunately, real live email servers do exactly the same, i.e. talk to
all comers, because the email architecture is flat like a pancake. Some
people consider this to be a Windows malware problem. I consider it to
be an email architecture problem. We all know that you need hierarchy to
scale networks and I submit that any email architecture without
hierarchy is broken by design and no amount of ill-thought-out bandaids
will fix it. 

> Pop quiz, bonus round: how much does it cost Comcast to defend its
> mail servers from Verizon's spam, and vice versa?  Heck, how much
> does it cost Comcast to defend its mail servers from its own spam?

That actually sounds like an answerable question, if a company took it
seriously enough. If the senders and receiver are both on your network,
your finance department should be able to come up with some cost

--Michael Dillon