North American Network Operators Group


Re: How should ISPs notify customers about Bots (Was Re: DNS Hijacking

  • From: Joe Greco
  • Date: Tue Jul 24 19:00:10 2007

> On Tue, 24 Jul 2007, Joe Greco wrote:
> > > On Mon, 23 Jul 2007, Joe Greco wrote:
> > > > > > Yes, when there are better solutions to the problem at hand.
> > > > >
> > > > > Please enlighten me.
> > > >
> > > > Intercept and inspect IRC packets.  If they join a botnet channel, turn on
> > > > a flag in the user's account.  Place them in a garden (no IRC, no nothing,
> > > > except McAfee or your favorite AV/patch set).
> > >
> > > Please do this at 1Gbps, really 2Gbps today and 20gbps shortly, in a cost
> > > effective manner.
> >
> > Mmmmm... okay.  Would you like solution #1 or solution #2?  (You can pay
> > for solutions above and beyond that)
> 
> I tried to be nice and non-sarcastic. I outlined requirements from a real
> network security professional on a large transit IP network. You
> completely glossed over most of it and assumed a host of things that
> weren't in the requirements. I'm sorry that I didn't get my point across
> to you, please have a nice day.

As far as "Please enlighten me" followed by "Please do this at 1Gbps,
really 2Gbps today and 20gbps shortly, in a cost effective manner" goes,
I don't consider that to be non-sarcastic.  I consider it to be either
very rude, or perhaps a challenge.  I attempted to reply in an
approximately equivalent tone.

But, now, what exactly did I gloss over?  And what things did I assume
that weren't in the requirements?

It's already been demonstrated that it doesn't need to handle 1Gbps,
2Gbps, or 20Gbps, so those "requirements" are irrelevant.

You then said:
> Please also do this on encrypted control channels or
> channels not 'irc', also please stay 'cost effective'.

But I'm not about to be trapped into building a solution that does WAY
MORE than what Cox was trying to do.  That it was a requirement from a
"real network security professional" is not relevant, as we're discussing
ways to accomplish what Cox was trying, without the related breakage.

You further said:
> Additionally,
> please do NOT require in-line placement unless you can do complete
> end-to-end telco-level testing (loops, bit pattern testing, etc),

To which I said: "Ok.", because my solution meets that measure.  It does
not require in-line placement, condition met.

You went on to say:
> also
> it'd be a good idea to have a sensible management interface for these
> devices (serial port 9600 8n1 at least along with a scriptable
> ssh/telnet/text-ish cli).

And again I said: "Ok.", because my solution can be built on a FreeBSD
or Linux box, and as a result, you gain those features too.  Condition
met.

And finally, you say:
> Looking at DPI (which is required for your solution to work) you are still
> talking about paying about 500k/edge-device for a carrier-grade DPI
> solution that can reliably do +2gbps line-rate inspection and actions.

And I finally said: "Yeah, I see that.  Not."

Because I don't fundamentally believe that you need to do deep packet
inspection of all packets in order to accomplish what Cox was doing.

So what exactly did I assume that wasn't in the requirements (and by
that, I mean the requirements to do what Cox was attempting to do, not
the requirements of some random "real network security professional")?

If you really think I glossed over something that was important, then
by all means, point it out and call me on it.  Don't just say HAND.

Part of network engineering is being a little bit clever.  Brute force
is great when you really need to move 20Gbps of traffic.  Any idiot 
can buy big iron to move traffic.  However, putting your face in front
of the firehose is a bad way to take a sip of water.  With that in mind,
I will once again point out that doing the equivalent of what Cox was
trying to do did not /require/ the ability to do deep packet inspection
at 20 gigabits per second, and as a result, I'm exercising my option of
being a clever network engineer, rather than one who simply throws
money and big iron at the problem.

You asked for enlightenment.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
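The detection step sketched in the quoted exchange above ("intercept and inspect IRC packets, if they join a botnet channel, flag the account, then garden it") can be shown in working form without line-rate DPI of every packet: only traffic to IRC ports is looked at, off a passive copy of the traffic rather than an in-line device. The following is an added example written for this page, not code from the post or from any ISP's deployment. The port list, the watched channel names, the IP-to-account map and the packets are all constructed for illustration; the only real protocol detail relied on is the RFC 1459 JOIN syntax. As the thread itself notes, this sees nothing on encrypted or non-IRC control channels, which the example makes explicit by skipping them.

```python
"""Passive-tap detector for customer hosts joining watched IRC channels.

Added example for this page; not the post author's code. Everything marked
"constructed" below is made up for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Cleartext IRC ports the tap inspects (assumption; tune to the network).
# Everything else is ignored, so this is not full deep packet inspection.
IRC_PORTS = {6667, 6668, 6669, 7000}

# Channel names a bot is known to join (constructed, hypothetical names).
WATCHED_CHANNELS = {"#botnet-c2", "#ddos-ops"}

# Maps customer source IPs to account identifiers (constructed).
IP_TO_ACCOUNT = {
    "10.0.0.5": "cust-0005",
    "10.0.0.6": "cust-0006",
    "10.0.0.7": "cust-0007",
    "10.0.0.8": "cust-0008",
}


@dataclass
class Packet:
    """What the passive tap hands us: one TCP segment's worth of payload."""
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes


def parse_join_channels(line: str) -> list[str]:
    """Return the channel names named by an IRC JOIN command line.

    Handles an optional ':prefix', the 'JOIN #a,#b key1,key2' form and a
    trailing ':#chan' parameter.  'JOIN 0' (part all) and any non-JOIN
    command yield an empty list.  Channel names are lower-cased because
    IRC channel names are case-insensitive.
    """
    line = line.strip("\r\n")
    if line.startswith(":"):              # strip the optional message prefix
        parts = line.split(" ", 1)
        if len(parts) < 2:
            return []
        line = parts[1]
    tokens = line.split(" ")
    if len(tokens) < 2 or tokens[0].upper() != "JOIN":
        return []
    chans = tokens[1][1:] if tokens[1].startswith(":") else tokens[1]
    return [c.lower() for c in chans.split(",") if c.startswith(("#", "&", "+", "!"))]


class JoinMonitor:
    """Flags accounts whose hosts send a JOIN for a watched channel."""

    def __init__(self, watched: set[str], ip_to_account: dict[str, str]):
        self.watched = {c.lower() for c in watched}
        self.ip_to_account = ip_to_account
        self.flagged: dict[str, set[str]] = {}   # account -> channels seen

    def observe(self, pkt: Packet) -> str | None:
        """Inspect one packet; return the flagged account, or None."""
        if pkt.dst_port not in IRC_PORTS:        # TLS, HTTP, anything else: not our problem here
            return None
        text = pkt.payload.decode("utf-8", errors="replace")
        hits = [c for ln in text.split("\n")     # several IRC lines may share a segment
                for c in parse_join_channels(ln) if c in self.watched]
        if not hits:
            return None
        account = self.ip_to_account.get(pkt.src_ip, pkt.src_ip)
        self.flagged.setdefault(account, set()).update(hits)
        return account

    def in_garden(self, account: str) -> bool:
        """Policy hook: a flagged account gets the walled garden."""
        return account in self.flagged


def run_demo() -> dict[str, set[str]]:
    """Feed constructed tap traffic through the monitor; return flagged accounts."""
    traffic = [  # constructed sample packets
        Packet("10.0.0.5", "192.0.2.10", 6667,
               b"NICK bot123\r\nUSER x x x :x\r\nJOIN #botnet-c2 secretkey\r\n"),
        Packet("10.0.0.6", "192.0.2.10", 6667, b"JOIN #freebsd,#nanog\r\n"),
        Packet("10.0.0.7", "192.0.2.11", 443, b"\x16\x03\x01\x00\x5a\x01"),  # TLS: unseen
        Packet("10.0.0.8", "192.0.2.10", 6667, b"JOIN :#BotNet-C2\r\n"),
    ]
    mon = JoinMonitor(WATCHED_CHANNELS, IP_TO_ACCOUNT)
    for pkt in traffic:
        mon.observe(pkt)
    return mon.flagged


if __name__ == "__main__":
    for acct, chans in run_demo().items():
        print(f"{acct}: garden (joined {', '.join(sorted(chans))})")
```

Because the monitor reads from a copy of the traffic and only touches segments addressed to the listed ports, it never sits in the forwarding path and never has to keep up with the full link rate; the "garden" is applied out of band via the account flag. The TLS packet in the sample is skipped on purpose: that is exactly the encrypted-control-channel gap the thread argues about, and nothing here pretends to close it.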