Merit Network


North American Network Operators Group


Re: Dutch ISPs to collaborate and take responsibility

  • From: Rich Kulawiec
  • Date: Fri Oct 09 06:06:17 2009

On Wed, Oct 07, 2009 at 06:25:53AM -0700, Owen DeLong wrote:
> Additionally the problems of DDOS sourced from a collection of  
> compromised hosts could be interfering with someone else's ability
> to make a successful VOIP call.

Much more than that: they could be interfering with the underlying
infrastructure, or they could be attacking the VOIP destination,
or they could be making fake VOIP calls (see below), or they could
be doing ANYTHING.  A compromised system is enemy territory, which is why:

> This blocking should be as narrow as possible.

Blocking should be total.  A compromised system is as much
enemy-controlled as if it were physically located at the RBN.  Trying
to figure out which of externally-visible behaviors A, B, C, etc.
it exhibits might be malicious and which might not be is a loss,
doubly so given that many of the attacks launched by such systems
are of a distributed nature and thus are very difficult to infer
solely by observation of one system.  Moreover, there is no way to
know, given a current observation of behavior A, whether or not
behavior B will begin, when it will begin, or what it will be.

For example, there's no way to know that a supposed VOIP call to
911 from that system is actually being made by a human being.
It's certainly well within the capabilities of malware to place
such a call -- and abuses of 911 in efforts to misdirect authorities
are well-known.  (See "swatting".  And note that nothing stops a botnet
equipped with appropriate s/w from launching a number of such calls
in sequence, with what I think are predictable consequences.) 

The bottom line is that once a system is compromised, all bets are off.
Nothing it does can be trusted by anyone: not its *former* owners, not
the network operator, not anyone in receipt of its traffic.  So the
only logical course of action is to cut it off completely, as quickly
as possible, and keep it that way until it's properly fixed.  (Which
of course involves booting from known-clean media, restoring apps from
known-clean sources, scanning all user data, etc.  Booting from
known-infected media is an obvious and immediate fail.)

---Rsk
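The contrast the post draws between "as narrow as possible" and "total" blocking comes down to a deny-list versus an allow-list for the compromised source. The example below is added here and is not code from the original post, from NANOG or from Merit; the host, resolver and remediation-portal addresses are assumed (RFC 5737 documentation ranges), the sample flows are constructed, and the choice of what the walled garden admits (DNS to the ISP resolver, HTTP(S) to a remediation page) is an assumption about how a quarantine is typically built. It evaluates both policies over the same flows and renders the quarantine as an nftables fragment.

```python
"""Narrow block vs. full quarantine for a compromised customer host.

Added example; not code from the original post or from NANOG/Merit.
Addresses and sample flows are constructed (RFC 5737 ranges), and the
walled-garden allow-list is an assumption, not the post's prescription.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Dict

COMPROMISED = ip_network("192.0.2.17/32")    # assumed: the infected host
PORTAL = ip_address("198.51.100.10")         # assumed: remediation web page
RESOLVER = ip_address("198.51.100.53")       # assumed: ISP recursive resolver


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def narrow_policy(flow: Flow) -> bool:
    """Deny-list: block only the behaviour already observed (SIP on UDP/5060).

    Anything the host starts doing next (scanning, brute-forcing, a fresh
    C2 channel) is not on the list and still gets through.
    """
    if (ip_address(flow.src) in COMPROMISED
            and flow.proto == "udp" and flow.dport == 5060):
        return False
    return True


def quarantine_policy(flow: Flow) -> bool:
    """Allow-list: drop everything from the host except what cleanup needs.

    Only DNS to the ISP resolver and HTTP(S) to the remediation portal pass.
    The default for the quarantined source is drop, so a behaviour that
    begins later needs no new rule to be caught.
    """
    if ip_address(flow.src) not in COMPROMISED:
        return True
    dst = ip_address(flow.dst)
    if dst == RESOLVER and flow.proto == "udp" and flow.dport == 53:
        return True
    if dst == PORTAL and flow.proto == "tcp" and flow.dport in (80, 443):
        return True
    return False


def evaluate(policy: Callable[[Flow], bool],
             flows: Dict[str, Flow]) -> Dict[str, bool]:
    """Map each labelled flow to whether the policy lets it through."""
    return {label: policy(f) for label, f in flows.items()}


def nft_quarantine_rules() -> str:
    """Render the quarantine policy as an nftables forward-chain fragment.

    The trailing `drop` for the quarantined source is what makes this a
    quarantine rather than a block list.
    """
    return f"""table inet quarantine {{
    set quarantined {{ type ipv4_addr; elements = {{ {COMPROMISED.network_address} }} }}
    chain forward {{
        type filter hook forward priority 0; policy accept;
        ip saddr @quarantined ip daddr {RESOLVER} udp dport 53 accept
        ip saddr @quarantined ip daddr {PORTAL} tcp dport {{ 80, 443 }} accept
        ip saddr @quarantined drop
    }}
}}"""


# Constructed sample traffic from the infected host and from a clean neighbour.
SAMPLE_FLOWS = {
    "sip_to_voip_service": Flow("192.0.2.17", "203.0.113.5", "udp", 5060),
    "ssh_bruteforce":      Flow("192.0.2.17", "203.0.113.9", "tcp", 22),
    "c2_over_https":       Flow("192.0.2.17", "203.0.113.77", "tcp", 443),
    "dns_to_resolver":     Flow("192.0.2.17", "198.51.100.53", "udp", 53),
    "remediation_portal":  Flow("192.0.2.17", "198.51.100.10", "tcp", 443),
    "clean_neighbour_ssh": Flow("192.0.2.44", "203.0.113.9", "tcp", 22),
}

if __name__ == "__main__":
    for name, policy in (("narrow", narrow_policy),
                         ("quarantine", quarantine_policy)):
        print(name, evaluate(policy, SAMPLE_FLOWS))
    print(nft_quarantine_rules())
```

Run as a script, the narrow policy stops only the SIP flow and passes the SSH brute-force and the HTTPS C2 channel, while the quarantine passes only the resolver and portal flows; the clean neighbour is untouched under both.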





