This is a sub-selection from Open can of worms


jjoshua
Premium
join:2001-06-01
Scotch Plains, NJ
kudos:3

2 edits
reply to jlivingood

Re: Open can of worms

said by jlivingood:

And compared to the alternatives of say, unwittingly having your banking login or credit card numbers stolen by a key logger, unwittingly sending spam, or unwittingly participating in a DDoS attack, my personal opinion is that a browser alert is an okay thing to do.
My opinion is that it's not. Supply the pipe and stay out of the security business.

BTW, your own TOS say so.
In all cases, you are solely responsible for the security of any device you choose to
connect to the Service, including any data stored or shared on that device. Comcast
recommends against enabling file or printer sharing unless you do so in strict compliance with
all security recommendations and features provided by Comcast and the manufacturer of the
applicable file or printer sharing devices. Any files or devices you choose to make available for
shared access on a home LAN, for example, should be protected with a strong password or as
otherwise appropriate.

It is also your responsibility to secure the Customer Equipment and any other Premises
equipment or programs not provided by Comcast that connect to the Service from external
threats such as viruses, spam, bot nets, and other methods of intrusion.


jlivingood
Premium,VIP
join:2007-10-28
Philadelphia, PA
kudos:2

1 recommendation

said by jjoshua:

My opinion is that it's not. Supply the pipe and stay out of the security business.
While I respect your opinion, one user's lack of security now can affect many, many other users.
--
JL
Comcast


jjoshua
Premium
join:2001-06-01
Scotch Plains, NJ
kudos:3

said by jlivingood:

said by jjoshua:

My opinion is that it's not. Supply the pipe and stay out of the security business.
While I respect your opinion, one user's lack of security now can affect many, many other users.
Next time, try to design your networks so it doesn't.


vpoko
Premium
join:2003-07-03
Boston, MA

said by jjoshua:

Next time, try to design your networks so it doesn't.
It's really not accurate to blame that on Comcast. As long as the internet allows TCP/IP endpoints to reach each other, one user's lack of security is going to have a potential impact on other users, especially if those other users aren't using precautions like firewalls.

chimera

join:2009-06-09
Washington, DC
reply to jjoshua

From what I can tell that's exactly what they are trying to do now. The alternative to this sort of message is just knocking the user offline for good and that doesn't actually help users resolve infection issues when they need tools from the internet to do so.



tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1

1 recommendation

reply to jjoshua

said by jjoshua:

said by jlivingood:

said by jjoshua:

My opinion is that it's not. Supply the pipe and stay out of the security business.
While I respect your opinion, one user's lack of security now can affect many, many other users.
Next time, try to design your networks so it doesn't.
i'd suggest you take this up with some of the largest carriers in the world then -- att, verizon, level(3), teliasonera, ntt, globalcrossing, etc. botnets affect everybody (in fact, there have been several times where dslr has been hit by a ddos from a botnet). these attacks are sourced from customer networks (i.e. your lec's and mso's) and attack financial, government, and commercial enterprise networks alike. no one wins from this -- from increased congestion at the node level, increased transit at the carrier end, heavy utilization on routing gear (depending on the type of attack and where its destination is), and the possible breach of security if the botnet is used to exploit holes within networks with personal information.

comcast is being open and honest regarding their policies, documenting everything with the ietf. of course -- the simple answer is -- if you don't want to see browser injection, don't get pwned in the first place. seems simple, eh?

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."


jlivingood
Premium,VIP
join:2007-10-28
Philadelphia, PA
kudos:2

1 recommendation

reply to jjoshua

said by jjoshua:

Next time, try to design your networks so it doesn't.
You may want to tell that to the folks who designed the Internet. The problem of bots does not apply only to the Comcast network - it is a massive, global problem.
--
JL
Comcast


jjoshua
Premium
join:2001-06-01
Scotch Plains, NJ
kudos:3
reply to tubbynet

said by tubbynet:

botnets affect everybody (in fact, there have been several times where dslr has been hit by a ddos from a botnet). these attacks are sourced from customer networks (i.e. your lec's and mso's) and attack financial, government, and commercial enterprise networks alike.
I'm not an expert on botnets and ddos attacks. But from what I've read, I think that a very reasonable and relevant thing to do would be to detect and drop all malformed and/or forged packets at the customer's node. If a node with a specific IP is sending out packets with a forged IP, then there's no better place to stop it.

Why don't we see this type of filtering? Wouldn't this be a good solution to a very specific problem? Is there ever a case where a malformed or forged packet is good?


tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1

said by jjoshua:

I'm not an expert on botnets and ddos attacks. But from what I've read, I think that a very reasonable and relevant thing to do would be to detect and drop all malformed and/or forged packets at the customer's node. If a node with a specific IP is sending out packets with a forged IP, then there's no better place to stop it.
well -- you can't do anything at a "node". this is simply a device that turns the fiber connection into something that can run to the customer's house (i.e. coax). this is simply a passive device. anything that has to happen must occur once it hits a network layer device -- the cmts or some of the ingress routers after the cmts.

additionally -- where are you malforming the packets? who says that a ddos is a malformed anything? they can be as simple as a crafted icmp traceroute packet that expires on a router hop. nothing malformed about that. if you're talking about malformed at the upper layers (osi 5-7), then you're looking at inspecting application data for every single packet on ingress to comcast's network and analyzing them against a database of *everything* that could occur. i'm not sure you'd appreciate the performance hit. how jason is proposing to look at the packets can be performed at wire-speed (or very near it) and will not cause a significant performance hit on the ingress devices on their network.

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."


jjoshua
Premium
join:2001-06-01
Scotch Plains, NJ
kudos:3

Node was possibly not the correct term. Perhaps the cable modem itself would be better.

Would it be hard to drop all packets with forged source addresses? It's clearly not going to stop all ddos attacks but it's going to do more than a notification system that doesn't do anything.



MalibuMaxx
Premium
join:2007-02-06
Chesterton, IN
reply to jlivingood

darn our government is to be blamed again EGAD batman!



jjoshua
Premium
join:2001-06-01
Scotch Plains, NJ
kudos:3
reply to jlivingood

said by jlivingood:

You may want to tell that to the folks who designed the Internet. The problem of bots does not apply only to the Comcast network - it is a massive, global problem.
Al Gore?

Now I'm confused. You are trying to fix the entire internet?

My point was that a bad user on your network should not be affecting a good user on your network.

No user, knowingly or unknowingly, should be able to affect another user.


tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1
reply to jjoshua

said by jjoshua:

Node was possibly not the correct term. Perhaps the cable modem itself would be better.
cable modems are pretty stupid in that regard. to get any real intelligence -- you're going to need to have an ingress policy on the provider's kit.

said by jjoshua:

Would it be hard to drop all packets with forged source addresses? It's clearly not going to stop all ddos attacks but it's going to do more than a notification system that doesn't do anything.
the addresses may or may not be forged. that's the difficulty. in the earlier days, this may have been the case to give the providers a difficult time to mitigate the dos -- to make it look like it was coming from all over when it was really just a specific location/carrier/netblock/etc.
the leading "d" in "ddos" stands for distributed. the issue is that when you start creating policies as a provider that drop traffic from netblocks that are causing grief -- is that when you've got 10,000 different ip's in many different blocks, you start blackholing *all* traffic. obviously, the simple solution would seem to be to just block individual ip addresses, but this becomes cumbersome because they are (a) always fluctuating (b) access-lists on carrier gear have limits, especially if you expect any high-speed transmission. there are optimization techniques that can be used, but the box will take a *major* hit -- if not puke all over itself -- when you make it handle acl's that are 10k-20k lines long. it just won't work.

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."
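As an added illustration for this exchange (constructed for this thread, not any poster's code; the port-to-prefix table and all addresses are assumptions drawn from documentation ranges): a per-port source-address check of the kind jjoshua asks about drops a packet whose source lies outside the subscriber's assigned prefix, passes an infected host that floods using its real address, and the destination-side block list tubbynet describes either grows to one entry per bot or, when aggregated into prefixes, blackholes bystanders.

```python
import ipaddress

# Constructed subscriber table: access port -> assigned prefix (assumed values)
SUBSCRIBER_PREFIX = {
    "port-1": ipaddress.ip_network("203.0.113.0/29"),
    "port-2": ipaddress.ip_network("203.0.113.8/29"),
}

def ingress_check(port, src_ip):
    """Source-address validation on the provider's ingress device: a packet
    is accepted only if its source address lies in the prefix assigned to
    the port it arrived on. Packets from unknown ports are dropped."""
    prefix = SUBSCRIBER_PREFIX.get(port)
    return prefix is not None and ipaddress.ip_address(src_ip) in prefix

def filter_packets(packets):
    """packets: list of (port, src_ip, dst_ip). Returns (passed, dropped)."""
    passed, dropped = [], []
    for pkt in packets:
        (passed if ingress_check(pkt[0], pkt[1]) else dropped).append(pkt)
    return passed, dropped

# Constructed sample traffic: a spoofing host on port-1 and an infected host
# on port-2 that floods the same target with its genuine address.
SAMPLE = [
    ("port-1", "198.51.100.7", "192.0.2.10"),  # forged source, outside port-1's prefix
    ("port-1", "203.0.113.2", "192.0.2.10"),   # genuine source
    ("port-2", "203.0.113.9", "192.0.2.10"),   # real address, so the check passes it
    ("port-2", "203.0.113.9", "192.0.2.10"),
]

def blocklist_cost(bot_ips, agg_prefixlen=24):
    """Cost of blocking bots at the destination side instead: exact /32
    entries (one per bot) versus aggregated prefixes, plus how many non-bot
    addresses the aggregated list would blackhole along with the bots."""
    exact = set(bot_ips)
    nets = {ipaddress.ip_network(f"{ip}/{agg_prefixlen}", strict=False) for ip in exact}
    collateral = sum(n.num_addresses for n in nets) - len(exact)
    return len(exact), len(nets), collateral

def constructed_botnet(n=10000):
    """Deterministic stand-in for 10k bot addresses spread over many /24s."""
    base = int(ipaddress.ip_address("10.0.0.0"))
    return [str(ipaddress.ip_address(base + i * 37)) for i in range(n)]

if __name__ == "__main__":
    passed, dropped = filter_packets(SAMPLE)
    print(f"passed={len(passed)} dropped={dropped}")
    print("blocklist (exact entries, /24 entries, collateral addresses):",
          blocklist_cost(constructed_botnet()))
```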


tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1
reply to jjoshua

said by jjoshua:

My point was that a bad user on your network should not be affecting a good user on your network.
this is why they're going through the mitigation process and why they are trying to stop all botnet traffic from subscribers through the process outlined in the links provided by jason.

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."


vpoko
Premium
join:2003-07-03
Boston, MA

1 edit
reply to jjoshua

said by jjoshua:

My point was that a bad user on your network should not be affecting a good user on your network.

No user, knowingly or unknowingly, should be able to affect another user.
What the heck are you talking about? If a user can send packets to another user, then they can affect that user. Depending on what software is on the receiving end of those packets, it can be something pretty nasty. It doesn't even matter if both users are on the same ISP's network, the vector here is TCP/IP.


jjoshua
Premium
join:2001-06-01
Scotch Plains, NJ
kudos:3

said by vpoko:

If a user can send packets to another user, then they can affect that user.
Obviously. I'm talking about the case where "A"'s service should not be affected if "B" is attacking "C".


vpoko
Premium
join:2003-07-03
Boston, MA

said by jjoshua:

said by vpoko:

If a user can send packets to another user, then they can affect that user.
Obviously. I'm talking about the case where "A"'s service should not be affected if "B" is attacking "C".
Yes, then shared vs. dedicated capacity makes a difference, but the real focus here is protecting "C", who is being attacked by "B", who doesn't even know that he's attacking anyone because his computer is infected.


jjoshua
Premium
join:2001-06-01
Scotch Plains, NJ
kudos:3
reply to tubbynet

said by tubbynet:

the issue is that when you start creating policies as a provider that drop traffic from netblocks that are causing grief -- is that when you've got 10,000 different ip's in many different blocks, you start blackholing *all* traffic.
I don't think that you understand. I'm suggesting that there should be a way to stop a very specific type of malicious traffic at the source. I'm not talking about filtering at the destination.

AstroBoy

join:2008-08-08
Parkville, MD
reply to jjoshua

said by jjoshua:

said by jlivingood:

said by jjoshua:

My opinion is that it's not. Supply the pipe and stay out of the security business.
While I respect your opinion, one user's lack of security now can affect many, many other users.
Next time, try to design your networks so it doesn't.
Yes, make it so it doesn't. Just block all traffic if a bot is detected.


tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1

1 edit
reply to jjoshua

said by jjoshua:
I don't think that you understand. I'm suggesting that there should be a way to stop a very specific type of malicious traffic at the source. I'm not talking about filtering at the destination.

i do. hence this post above -- »Re: Open can of worms

cable modems are pretty stupid in that regard. to get any real intelligence -- you're going to need to have an ingress policy on the provider's kit.
it's not easy to do.

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."


jjoshua
Premium
join:2001-06-01
Scotch Plains, NJ
kudos:3
reply to vpoko

said by vpoko:

said by jjoshua:

said by vpoko:

If a user can send packets to another user, then they can affect that user.
Obviously. I'm talking about the case where "A"'s service should not be affected if "B" is attacking "C".
Yes, then shared vs. dedicated capacity makes a difference, but the real focus here is protecting "C", who is being attacked by "B", who doesn't even know that he's attacking anyone because his computer is infected.
I think that you hit the nail on the head with the first part of your statement.

patcat88

join:2002-04-05
Jamaica, NY
kudos:1
reply to chimera

said by chimera:

From what I can tell that's exactly what they are trying to do now. The alternative to this sort of message is just knocking the user offline for good and that doesn't actually help users resolve infection issues when they need tools from the internet to do so.
You get blocked and are told to dial your ISP's CS 800 number or something similar and then through the IVR after listening to a script you can unblock your internet connection. If you don't fix it you get more emails until again you're blocked and you have to unlock your connection through the IVR.

patcat88

join:2002-04-05
Jamaica, NY
kudos:1
reply to jjoshua

said by jjoshua:

I'm not an expert on botnets and ddos attacks. But from what I've read, I think that a very reasonable and relevant thing to do would be to detect and drop all malformed and/or forged packets at the customer's node. If a node with a specific IP is sending out packets with a forged IP, then there's no better place to stop it.

Why don't we see this type of filtering? Wouldn't this be a good solution to a very specific problem? Is there ever a case where a malformed or forged packet is good?
Key words, "not an expert", not all traffic can be defined as malicious by any algorithm. A slow normal amount of activity from 1 node towards a website, times 100000 can bring a small to medium site offline instantly. Also algorithmic weaknesses in PHP/ASP/dynamic page generation based website (nearly all sites today) can grind a server to a halt by doing DB heavy things over and over in a loop.

Skippy25

join:2000-09-13
Hazelwood, MO
reply to jlivingood

I am going to have to say I agree with him.

Comcast should concentrate on being what they really are: A dumbpipe. Just provide the DHCP service and route packets as fast as you possibly can. The rest isn't your business.



vpoko
Premium
join:2003-07-03
Boston, MA
reply to jjoshua

said by jjoshua:

I don't think that you understand. I'm suggesting that there should be a way to stop a very specific type of malicious traffic at the source. I'm not talking about filtering at the destination.
And which type of malicious traffic is that?


jjoshua
Premium
join:2001-06-01
Scotch Plains, NJ
kudos:3

said by vpoko:

said by jjoshua:

I don't think that you understand. I'm suggesting that there should be a way to stop a very specific type of malicious traffic at the source. I'm not talking about filtering at the destination.
And which type of malicious traffic is that?
I was thinking about ICMP flood.


tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1

said by jjoshua:

I was thinking about ICMP flood.
what about tcp syn flooding? crafted sql, rpc, etc. attacks? a botnet isn't just icmp flooding. that is one fraction of *all* botnet attacks that are out there.

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."


vpoko
Premium
join:2003-07-03
Boston, MA

said by tubbynet:

said by jjoshua:

I was thinking about ICMP flood.
what about tcp syn flooding? crafted sql, rpc, etc. attacks? a botnet isn't just icmp flooding. that is one fraction of *all* botnet attacks that are out there.
Not to mention, how do you decide what's a ping flood? Repeated pings become a DoS attack when the bandwidth of the target is less than the aggregate bandwidth of the source(s) of the attack. I've had occasion to need to run continuous pings on known endpoints (say, Google) while testing for intermittent connection issues. Even though I may have sent thousands of ICMP packets in a short time, it was not an attack.

Ping floods are generally only effective when they're distributed, and if they're distributed then you can't tell just by looking at a single source, whether it's an attack.

jjoshua, I suggest you hit the books and learn about networking instead of trying to debate something you don't know much about.
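An added example (constructed for this thread, not any poster's code) of the point made above about ping floods: over constructed flow records, a per-source rate threshold at the subscriber's ingress flags the user running a continuous diagnostic ping and misses 200 infected hosts each sending modestly, while only an aggregate per-destination count sees the attack, at the victim; all addresses, rates and thresholds are assumptions.

```python
from collections import defaultdict

def constructed_flows():
    """Constructed per-second flow records: (second, src, dst, icmp_echo_count).
    All addresses and rates are assumptions made for this example."""
    flows = []
    for t in range(60):
        # One user diagnosing an intermittent link: 20 echo requests/s to a
        # well-known endpoint (a documentation address stands in for it).
        flows.append((t, "203.0.113.2", "198.51.100.53", 20))
        # 200 infected hosts, each sending only 5 echo requests/s to one victim.
        for b in range(200):
            flows.append((t, f"10.0.0.{b}", "192.0.2.10", 5))
    return flows

def _rate_by(flows, key_index):
    """Average echo requests per active second, keyed by the record field at
    key_index: 1 for source address, 2 for destination address."""
    total, seconds = defaultdict(int), defaultdict(set)
    for rec in flows:
        total[rec[key_index]] += rec[3]
        seconds[rec[key_index]].add(rec[0])
    return {k: total[k] / len(seconds[k]) for k in total}

def flag_sources(flows, threshold=10.0):
    """Source-side view, the only one available at a single subscriber's
    ingress: senders above the per-host threshold. The diagnostic user
    exceeds it; each bot, sending 5/s, does not."""
    return sorted(s for s, r in _rate_by(flows, 1).items() if r > threshold)

def flag_destinations(flows, threshold=100.0):
    """Destination-side view: targets whose aggregate inbound rate exceeds
    the threshold. Only the victim qualifies, because 200 small senders add
    up there and nowhere else."""
    return sorted(d for d, r in _rate_by(flows, 2).items() if r > threshold)

if __name__ == "__main__":
    flows = constructed_flows()
    print("flagged by per-source rate:", flag_sources(flows))
    print("flagged by per-destination rate:", flag_destinations(flows))
```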


tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1

said by vpoko:

Ping floods are generally only effective when they're distributed, and if they're distributed then you can't tell just by looking at a single source, whether its an attack.
yes. this is true. however, ping attacks are generally considered "old school". they still occur, but there are much better icmp attacks that affect the route processor much more effectively. these attacks not only cause the processor utilization to spike, but will effectively break control-plane processing (a) limiting the access that a network operations center has to the device and (b) break the control plane of the router such that igp and bgp sessions could be broken and may have to wait in queue until the processor can process the neighbor adjacency packets again.

of course -- this whole argument has been network centric. different issues apply when dealing with end-host protection of servers and applications clusters.

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."


jjoshua
Premium
join:2001-06-01
Scotch Plains, NJ
kudos:3
reply to tubbynet

Is it not the case that these packets all have forged source IPs?