[162758] in North American Network Operators' Group
Re: Tier1 blackholing policy?
daemon@ATHENA.MIT.EDU (Jared Mauch)
Wed May 1 07:53:34 2013
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <20130501114435.GA17671@gsp.org>
Date: Wed, 1 May 2013 07:53:06 -0400
To: Rich Kulawiec <rsk@gsp.org>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On May 1, 2013, at 7:44 AM, Rich Kulawiec <rsk@gsp.org> wrote:
> On Tue, Apr 30, 2013 at 12:47:40PM -0400, Jared Mauch wrote:
>> If the phishing attack is against an enterprise that is also an ISP,
>> surely you can imagine a case where they might block traffic to prevent
>> folks from being phished.
>
> This is not an effective anti-phishing tactic, any more than "user education"
> is an effective anti-phishing tactic. (Let me quote Marcus Ranum on
> the latter: "if it was going to work, it would have worked by now."
> And let me observe: it's never worked; it's not working; it's never
> going to work.)
We're talking about denying access to what is typically a compromised end-host
which is in violation of an AUP. Speaking about my employer, we typically don't
see something null0'ed for more than a few hours until we have confirmed the
host is offline being repaired.

I don't know about other networks' practices, which is what started the thread.
>> I think it's great that someone is blocking folks from being infected
>> with either malware or giving up their private details improperly.
>
> One person's "malware" is merely an interesting collection of inert
> bits to someone else, just as "email virus" has no operational meaning
> to anyone clueful enough to run a sensible mail client on a sensible
> operating system.
>
> Thus one undesirable effect of such blocking is that it denies access to
> researchers who are at nearly zero risk of negative consequences *and*
> who might be the very people in a position to understand the threat
> (phishing, malware, etc.) and figure out how to mitigate it. Another is
> that it presents a false sense of security to the ignorant, the lazy,
> and the careless. While in the short term that may seem benevolent and
> useful, I think in the long term it has a deleterious effect on security
> as a whole. And if we've arrived at a point in time where people are
> actually considering making routing decisions based on longstanding design
> and implementation defects in consumer operating systems and applications,
> then I think "long term" equates to "right now".
I think many people understand these risks and tradeoffs. We could stop mitigating
DDoS attacks or responding to security complaints as well with this line of
reasoning, as it could be interfering with law-enforcement actions, or a researcher.

Just because the house has been broken into doesn't mean that, as the provider of the
roads, we're going to let everyone visit it until the owner has a chance to secure
it properly. I don't like that role, but it becomes necessary at times. What you are
suggesting is a slippery slope to no mitigation of any badness, which will lead to
a lack of trust and confidence in the market. That to me is a plain and simple reason
to do the right thing, even if it causes a problem for a few hours or a day or two.

- Jared