Re: Cyberterrorism [was: Re: NSA wiretap, Friday night]

responder <no@xxxxxxxxxxxx> wrote in

Kevin the Drummer wrote:


Should there be any detection of client machine components to see
if they have vulnerabilities? For example, if someone is
running a really bad version of IE or Exchange, should the user be
alerted by email that their service will be restricted (brown out
or disconnect) after some number of minutes or days?

No, I would not think so. The criterion should be that if a
connected machine is compromised, it should be disconnected. Nothing
more is needed or justified.

I think at least an email is needed. Otherwise the ISP is just
letting the time bomb tick.

I thought I addressed that adequately several times earlier in the
thread. Agreed that in the event their box(en) are compromised, the
customer notification and understanding of the requirements are
essential. What OS or software they are running is their choice
alone, and it is nobody else's business to dictate or try to dictate
anything different.

So, have you written to any members of Congress in your area? Have
you contacted any universities? Maybe you should? How about an RFC?

I am in fairly regular contact with Congressional aides. But I do not
want to annoy them unnecessarily.

My most recent contacts were in response to appeals here by "imhotep"
relating to "net neutrality". I also had related correspondence about
that issue with some fairly well connected network security
specialists. Those specialists expressed fairly strong objections to
the "net neutrality" initiative. They did not convince me of the
merits of their arguments, but this is an indication of fairly strong
opposition in the field.

My Congressional sources are pretty frank that there is no realistic
chance that any "net neutrality" initiative will come to a vote in
either House of this Congress, let alone pass either House. I do
regret that, but I have to accept reality.

As a motivated individual, I do try to follow up on all the issues
that I think are convincingly worth pursuing, up to and including
lobbying for specific legislation. There is only so much that any one
person can do. In an informed electorate, it is fair to assume that
any worthy initiative will be able to demonstrate a substantial basis
of support in that electorate.

Not every supported initiative is necessarily worthy. Not every
worthy initiative is necessarily supported. But every successful
initiative is supported.

On Wednesday you posed the question.

So, what can WE do?

I wrote many lines to you in response, and you were a good "devil's
advocate". And it seemed we were on the same note in many ways.

But _I_ cannot do it alone, and _YOU_ cannot do it alone, and You and
I cannot do it together, the two of us. What we, the two of us can do
if we want is to try to involve others in developing an initiative
that will inevitably include the input of all those others.

If you really want to know what _WE_ can do, first ask what _YOU_ can
do. If that is acceptable to you, then do it and come back with some
results. I will certainly support you in this.

I would think that before contacting a Congressman or University, it
would be better to privately contact your own ISP and ask for their

Your ISP is Time-Warner Telecom and their e-mail address is
abuse@xxxxxxxxxxxxxx I would be interested to know what they say.

I hope that answers your questions.



I am a sometime reader of this group, tending to read long bits of it on
nights when insomnia strikes, and then ignore it for months at a stretch.
I came across this running discussion, which I found quite interesting
and felt somewhat compelled to chip in on.

I was, for approximately two years (I resigned at the end of April to
move back to Virginia, closer to the rest of my family), the head of
systems and networking for Speed Express Networks, an ISP in Texas. I
have always taken an extremely firm stance on all matters security-
related, and had in place essentially what you were discussing.

I would like to describe the standard operating practices and procedures
that I implemented (and that I believe to still be in effect). They may
not be quite typical at this point, but I believe they will be

Firstly, any and all outgoing port 80 tcp (HTTP, presumably) traffic was
transparently dst-nat'd through a squid caching proxy. This was both to
protect our customers' privacy (by making all requests appear to come
from the IP of the proxy server), and to facilitate incident response via
logging of requests (no responses were logged, and of course, no HTTPS
traffic was... and trust me, we had FAR better things to do than sit and
look at the logs if there was not an active problem). This allows, among
other things, automated log analysis to determine if URLs known to be
associated with trojans, etc, were being requested.

Additionally, all outgoing port 25 tcp traffic (presumably SMTP
connections) were dst-nat'd through our outgoing email server. This does
mean that one cannot send directly through an external smtp server (if it
does not provide an alternate port, other than 25). This has several
immediate and significant benefits. Firstly, attempts by any of our
customers to spam via external open relays would be much more difficult
(and require intelligence, rather than a 2-click spammer application).
Secondly, for all intents and purposes, all sender and recipient
addresses for each email were logged (again, no body/content was logged,
but we had logs for responding to abuse complaints). This means if we
got an abuse complaint for email coming from our network, we would have
specific logs. A significant additional benefit of this, is that ALL
email (incoming or outgoing) passing through our email server was passed
through automated virus checkers and quarantined if viral. This means
that we had excellent ability to mitigate the spread of a viral infection
which had occurred within the network.

The vast majority of compromised hosts (bots, if you prefer) are
assigned to either DDoS attacks, or email spam generation. On the source
side, DDoS is easy to mitigate... simple rules regarding packets per
second that would never kick in on legitimate traffic will clamp the heck
out of a DDoS. Viruses that replicate via email are a great concern,
continually, human nature (read, 'user stupidity') being what it is.

As part of routine network operations, we ran an intrusion detection
system on a server that saw all traffic coming from the customer side
(and had signatures to recognize worms trying to spread, etc). We also
routinely used tools such as pflogsumm to analyze our email logfiles
(Postfix email server). Pflogsumm, among other things, summarizes your
top X email senders by IP/host, sender address, etc. When you see a
normal user suddenly shoot up to insane levels... it doesn't take long to
figure out what's going on.

Any time we became assured via our IDS, proxy log analysis, or email log
analysis, that a customer system was infected (or they were deliberately
performing attacks or operations in flagrant violation of their member
terms of service), we pulled the plug. Then we called them. On a first
incident, we would politely explain that due to the potential risk of
spread to other customers or systems, and the possible risk that they
were infected by a trojan horse, and further connection to the network
could pose additional risk to their systems (customer benefit statement
:-)), we were forced to temporarily suspend services until the system had
been cleaned. They were given the option of handling it themselves,
taking it to any computer shop/guru, or bringing it in for assistance if
they preferred. They would be given the benefit of the doubt initially,
and we would immediately restore service (with an initially watchful
eye), once they said it was clean. If it was clearly NOT clean, they
were usually asked to bring it in to allow one of our technicians to
examine the system. If they preferred to handle it themselves again,
they were allowed to, but warned that they would be right back off if the
issue persisted. We never lost a customer over it, and several people
were extremely thrilled that we had been watchful enough to catch the
compromise before their system was worse off.

Now, that's a partial example of our procedures. It doesn't go into
everything, but it should give you a good idea. The important thing to
note is that we were NOT operating under an onerous, expensive, and
difficult to enforce government mandate. In keeping with discussions
here regarding wiretapping, I would suggest the interested reader to
refer to the recurrent discussions of attempts to mandate ISPs to accept
FBI 'black boxes' hooked into their networks for customer monitoring.

Now, all of that wasn't completely without cost, man-hours, or the risk
of losing customers. So why did we do it if we didn't have to? Partly,
a true desire to be good 'net neighbors'. To not allow the neighborhood
to go to hell, so to speak. The business motivation though? Liability.
We live in an extremely litigious society, and more and more, ISPs are
being held legally accountable (indirectly, through tort suits regarding
negligence or failure to practice due diligence rather than failure to
comply with a specific mandate) for the actions of individual users of
their network, if those actions are allowed to exist unchecked. For that
reason, there is clear business merit in having thorough logs
(investigative ability to act appropriately when an offense occurs, or
repudiate a false allegation), as well as in taking proactive measures to
prevent abuse originating from the network. In even simpler terms,
bandwidth costs money, and a 'clean' network generates a lot less traffic
than one infested with compromised hosts, and therefore will cost the ISP
less in transport fees, as well as provide faster response times to the
customers, improving customer satisfaction.

If you are a property owner, why do you care if you have a gaping hole in
your lawn that someone could fall into (ignoring aesthetics)? Not
because anyone should be on your lawn, but because some dumb shit MIGHT
be on your lawn, and fall in the hole and sue you. So it is when
managing a diverse network. You protect your network against even
individual internal compromises aggressively because they may represent
liabilities you can't afford. The good news is that the more proactive
each 'good' company is, the higher the legal bar for 'due diligence'
becomes in court cases, forcing the 'bad' ISPs to come along kicking and
screaming before they lose an expensive lawsuit. I think that still
beats an 'all-seeing, all-knowing eye' analysing everyone's traffic.

I s'pose I've rambled enough.

Nathanael Hoyle
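An added example, not the original poster's tooling and not pflogsumm itself: the per-client "top senders" summary Nathanael describes reading from pflogsumm, reduced to a few lines of Python over constructed Postfix smtpd/qmgr log lines, with a simple median-based threshold to flag the customer who "suddenly shoots up". The ratio, floor, sample IPs and addresses are assumptions.

```python
import re
import statistics
from collections import defaultdict

# Postfix logs two records per message that matter here: smtpd names the submitting
# client for a queue id, qmgr gives the envelope sender and recipient count.
SMTPD_RE = re.compile(r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=\S+\[(?P<ip>[\d.]+)\]")
QMGR_RE = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>, size=\d+, nrcpt=(?P<nrcpt>\d+)")

def summarize(lines):
    """Join smtpd and qmgr records on queue id into per-client message, recipient and sender totals."""
    client_of = {}
    stats = defaultdict(lambda: {"msgs": 0, "rcpts": 0, "senders": set()})
    for line in lines:
        m = SMTPD_RE.search(line)
        if m:
            client_of[m["qid"]] = m["ip"]
            continue
        m = QMGR_RE.search(line)
        if m and m["qid"] in client_of:  # skip mail not submitted by a known client
            s = stats[client_of[m["qid"]]]
            s["msgs"] += 1
            s["rcpts"] += int(m["nrcpt"])
            s["senders"].add(m["sender"])
    return dict(stats)

def flag_outliers(stats, ratio=10, floor=100):
    """Return clients whose recipient total exceeds `ratio` times the median client's,
    but never flag anyone below `floor` recipients (both thresholds are assumptions)."""
    if not stats:
        return []
    median = statistics.median(s["rcpts"] for s in stats.values())
    threshold = max(floor, ratio * median)
    return sorted(ip for ip, s in stats.items() if s["rcpts"] > threshold)

def _records(qid, ip, sender, nrcpt):
    """Build one constructed smtpd/qmgr pair (sample data, not real log output)."""
    return [f"May 10 02:11:03 mx postfix/smtpd[4021]: {qid}: client=cust.example.net[{ip}]",
            f"May 10 02:11:03 mx postfix/qmgr[3990]: {qid}: from=<{sender}>, size=1500, nrcpt={nrcpt} (queue active)"]

# Constructed sample: five ordinary customers sending one or two mails, plus one host
# that abruptly pushes 40 messages to 25 recipients each, the pattern the post describes.
SAMPLE_LOG = []
for i in range(5):
    SAMPLE_LOG += _records(f"A{i:05X}", f"10.0.0.{i + 1}", f"user{i}@example.net", 1 + i % 2)
for i in range(40):
    SAMPLE_LOG += _records(f"B{i:05X}", "10.0.0.42", f"spoof{i}@example.org", 25)

OUTLIERS = flag_outliers(summarize(SAMPLE_LOG))  # → ["10.0.0.42"]
```

Run against a real /var/log/mail.log the same way, and compare each customer's numbers with their own previous days rather than only with the median, since a single large legitimate sender would otherwise skew the baseline.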

