[102411] in North American Network Operators' Group


RE: IBM report reviews Internet crime

daemon@ATHENA.MIT.EDU (michael.dillon@bt.com)
Tue Feb 12 14:55:23 2008

Date: Tue, 12 Feb 2008 19:53:11 -0000
In-Reply-To: <47B1F2D6.3060004@infiltrated.net>
From: <michael.dillon@bt.com>
To: <nanog@nanog.org>
Errors-To: owner-nanog@merit.edu



> > [If you still distribute any kind of software kits that do not install
> > Firefox, you are doing your customers a disservice and making your
> > detection and blocking task that much bigger. When you contact
> > customers with compromised machines you might want to make it
> > mandatory to install Firefox from your servers before re-enabling
> > Internet access]
>
> Agree, and disagree.

Yes, it certainly does not apply to everyone.

> So you push them to Firefox
> anyway, what now, there are still countless amounts of
> vulnerabilities for FF, many not even seen.

I was actually targeting this suggestion to those who
currently distribute Internet Explorer kits. So it was
more of a suggestion to not distribute the browser that
is most vulnerable. And if you make installation of
Firefox a requirement to come out of quarantine, that
does not imply that people need to uninstall their other
browsers. This is to give them the experience of something
new knowing that a certain percentage will continue using
it and not be reinfected. And reducing reinfections cuts
your costs of detection and blocking compromised PCs.

> Are you suggesting that if peers don't clean up their act
> they should be de-peered?

That's pretty extreme. I would think that you could start
by keeping regular communication with them and always
showing reports about how much bad traffic comes from
them versus how much comes from you. Or how many compromised
hosts are in their AS versus in yours. You could share what
you have learned about detection and blocking of compromised
computers and the resulting reduction in helpdesk calls.
In other words, if there is a problem, discuss it, make it
clear how you are doing a better job than they are, and
how the term "peering" refers to two companies who are
equals by some measure. And how the peer is lacking by
certain malware measures. In many cases, repeated communication
will lead to people fixing problems, even if you have to wait
until it filters up to a level where management says "What if
our peers start depeering because of these problems? Go fix them!".

Engineers like to figure out everything to the nth detail and
cost it all out. But that's not the only way to get action.

--Michael Dillon
