North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: botnets: web servers, end-systems and Vint Cerf [LONG, sorry]

  • From: Simon Waters
  • Date: Mon Feb 19 09:08:28 2007

On Monday 19 February 2007 13:27, you wrote:
> people consider this to be a Windows malware problem. I consider it to
> be an email architecture problem. We all know that you need hierarchy to
> scale networks and I submit that any email architecture without
> hierarchy is broken by design and no amount of ill-thought-out bandaids
> will fix it.

I look forward to your paper on "the end to end concept, and why it doesn't 
apply to email" ;)

I'm not convinced there is an email architecture problem of relevance to the 
discussion. People mistake a security problem for its most visible symptoms. 

The SMTP based email system has many faults, but it seems only mildly stressed 
under the onslaught of millions of hosts attempting to subvert it. Most of 
the attempts to "fix" the architecture problem so far have moved the problem 
from blacklisting IP addresses, to blacklisting domains, or senders, or other 
entities which occupy a larger potential space than the IPv4 addresses, which 
one can use to effectively deal with most of the symptom. In comparison, 
people controlling malware botnets, have demonstrated their ability to 
completely DDoS significant chunks of network, suggesting perhaps that other 
protocols are potentially more vulnerable than SMTP, or more approrpiate 
layers to address the problem at.

We may need a trust system to deal with identity within the existing email 
architecture, but I see no reason why that need be hierarchical, indeed 
attempts to build such hierarchical systems have often failed to gather a 
critical mass, but peer to peer trust systems have worked fine for decades 
for highly sensitive types of data.

I simply don't believe the higher figures bandied about in the discussion for 
compromised hosts. Certainly Microsoft's malware team report a high level of 
trojans around, but they include things like the Jar files downloaded onto 
many PCs, that attempt to exploit a vulnerability that most people patched 
several years ago. Simply identifying your computer downloaded (as designed), 
but didn't run (because it was malformed), malware, isn't an infection, or of 
especial interest (other than indicating something about the frequency with 
which webservers attempt to deliver malware).