[152514] in North American Network Operators' Group
Re: Operation Ghost Click
daemon@ATHENA.MIT.EDU (Livingood, Jason)
Tue May 1 15:42:36 2012
From: "Livingood, Jason" <Jason_Livingood@cable.comcast.com>
Date: Tue, 1 May 2012 19:41:35 +0000
In-Reply-To: <18010.1335899967@turing-police.cc.vt.edu>
To: "valdis.kletnieks@vt.edu" <valdis.kletnieks@vt.edu>, Rich Kulawiec <rsk@gsp.org>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 5/1/12 3:19 PM, "Valdis.Kletnieks@vt.edu" <Valdis.Kletnieks@vt.edu> wrote:

> On Tue, 01 May 2012 10:40:57 -0400, Rich Kulawiec said:
>
> > Why haven't you cut these obviously-infected systems off entirely?
>
> There's quite likely multiple systems behind a NAT-ish router, and Comcast doesn't have any real option but to nuke *all* the systems behind the router.
>
> This can be a tad troublesome if there's one infected box behind the router, but the customer is also using VoIP of some sort from another box - you may just have nuked their 911 capability. Or if they have multiple systems, you may have killed their ability to transact basic business like contact their local government or pay their utility bills from a box that's not infected.

All of this above! Plus, the remediation tools to clean up an infection are insufficient to the task right now. Better tools are needed. (See also http://tools.ietf.org/html/rfc6561#section-5.4)
Jason