
November 2007 Archives

November 1, 2007

A border approach to bot mitigation

While gathering up my notes for discussing firewall technology for this semester’s course, I started thinking about newer security issues that could be handled by the border or interposition approach of traffic cleansing.

It seems like botnet cleanup would be a good candidate for such a centralized technology. Computers that are open to infection are unlikely to be controlled by technically savvy people, so a client-oriented control is unlikely to be completely successful. However, a control installed by a technically savvy service provider could scan traffic looking for characteristic bot control traffic.

Since the service provider presumably would not want to annoy its customers, this would be a track-and-alert approach rather than immediately cutting the customer’s net connection. On suspicion of a remotely controlled computer, the service provider could offer to scan the system in question to remove well-known infections.

I can see several reasons why this has not yet been done.
  • Given the experience with my home service provider, the depth of technical expertise isn’t there.
  • Unless the home service providers are getting negative feedback for hosting bots, there is no upside to going through this bother: just pissing off your customers without getting anything in return.
  • Service provider customers are very price conscious and would not pay for centralized security features. This might explain why home service providers (at least around here) do not offer scanning, firewalling, or spam prevention services.
  • Scanning for bot control traffic may not be feasible. The volume of control traffic would be much smaller than the bot-generated traffic. While historically control traffic has been sent over IRC on a fixed port, attackers are getting clever and sending commands over different ports. The specifics of the commands could be easily changed, making it difficult to separate commands from real human-to-human communication. I don’t know enough about today’s bot technology to know how easily it could be detected.
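To make the "scan for characteristic control traffic, then track and alert" idea concrete, here is an added example (mine, not from the original post) that scores constructed per-subscriber flow summaries on two weak signals: IRC-style commands seen on any port, not just the traditional one, and a tiny control channel sitting beside bulk outbound fan-out. All addresses, ports and payload prefixes are constructed.

```python
"""Track-and-alert scoring of subscriber flows for IRC-style bot control traffic.

Hypothetical example: scores each subscriber host from constructed flow summaries
and lists hosts for human follow-up rather than cutting their connection.
"""
from collections import defaultdict

# Constructed flow summaries (not real captures):
# (subscriber, remote, dport, bytes_out, bytes_in, first bytes of payload)
FLOWS = [
    ("10.0.0.5", "203.0.113.9", 6667, 310, 920, "NICK bot-5\r\nUSER x 0 * :x\r\n"),
    ("10.0.0.5", "203.0.113.9", 6667, 80, 200, "JOIN #ch\r\n"),
    ("10.0.0.5", "198.51.100.20", 25, 48000, 600, "EHLO host\r\n"),
    ("10.0.0.5", "198.51.100.21", 25, 51000, 700, "EHLO host\r\n"),
    ("10.0.0.5", "198.51.100.22", 25, 47000, 650, "EHLO host\r\n"),
    ("10.0.0.7", "203.0.113.40", 8080, 120, 410, "PRIVMSG #ch :!update\r\n"),
    ("10.0.0.9", "192.0.2.77", 443, 2200, 900000, "\x16\x03\x01"),
    ("10.0.0.9", "192.0.2.80", 80, 900, 30000, "GET / HTTP/1.1\r\n"),
]

IRC_COMMANDS = ("NICK ", "USER ", "JOIN ", "PRIVMSG ", "PING ", "PONG ")

def looks_like_irc(payload):
    """IRC is line oriented; match the first line regardless of destination port."""
    return payload.split("\r\n", 1)[0].startswith(IRC_COMMANDS)

def score_subscribers(flows, fanout_threshold=3, control_bytes=1024):
    """Return {subscriber: (score, reasons)} from two weak signals:
    1. IRC-style commands on any port (the fixed-port assumption no longer holds).
    2. A small control channel next to bulk outbound fan-out to many remote hosts."""
    per_host = defaultdict(list)
    for f in flows:
        per_host[f[0]].append(f)
    results = {}
    for host, hflows in per_host.items():
        reasons = []
        irc_ports = {f[2] for f in hflows if looks_like_irc(f[5])}
        if irc_ports:
            reasons.append("irc-style commands on ports %s" % sorted(irc_ports))
        small_ctrl = [f for f in hflows if f[3] + f[4] < control_bytes]
        bulk_out = {f[1] for f in hflows if f[3] > 10 * f[4]}  # mostly outbound
        if small_ctrl and len(bulk_out) >= fanout_threshold:
            reasons.append("low-volume channel plus fan-out to %d hosts" % len(bulk_out))
        results[host] = (len(reasons), reasons)
    return results

def alerts(flows, threshold=1):
    """Track and alert: hosts to contact (e.g. offer a cleanup scan), not to cut off."""
    return sorted(h for h, (s, _) in score_subscribers(flows).items() if s >= threshold)
```

Either signal alone is noisy (a real IRC user trips the first, a mail server the second), which is why the output is a ranked list for follow-up rather than an automatic block.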

I’m most curious about the second issue. Given what I’ve been reading about the prevalence of bot networks, I would think this would be generating a significant amount of traffic from some service providers. Aren’t they getting negative feedback from upstream service providers and peer providers? Aren’t they getting blacklisted, etc.? Or is no one tying it back? In the case of address-spoofed bot-generated traffic, doing the tie-back would be difficult. But I would assume that much bot-generated traffic uses its real source address.

Security FUD and chronic infection

I’m periodically struck by how much security research and development is sold by scare talk (fear, uncertainty, and death). Unless you go over the top, you don’t get the news articles, the congressional hearings, or the money. There was a recent video going around that showed security researchers messing with a SCADA system and blowing up a power substation (in a lab) using techniques that are generally known in the community. This got congressional hearings going.

A couple years back, I saw a local researcher present simulation results that showed how two or three simultaneous errors (squirrels, trees, or terrorists) could take down the greater Chicago-land power grid. But simulation results don’t make the news. Real explosions do.

I was talking with a former colleague last week about trusted OS results from a couple decades back that were strongly worded and controversial at the time. He cynically said that the researcher in question made his statements as controversial as possible to ensure that he got attention and thus funding.

In both of these cases, raising attention through showmanship brought broader attention to valid security concerns. So I suppose the ends justify the means. It is just how the game is played.

In any case, while pulling together my network security notes for the semester, I was struck by the amount of FUD in my notes. However, I think much of the concern there is valid. Or, perhaps better stated, the concern is chronic. With the IP infrastructure, our problems are chronic. We can incrementally try to make our part of the world better, but ultimately there will be infections and attacks out there. There is a shared resource out there, and by sharing we are exposing ourselves to the threat. Like getting lice by sharing a hair brush.

Perhaps we could just switch over to a newly designed, better network infrastructure. But it isn’t going to happen. Not anytime soon anyway. Still waiting for IPv6 ten years later. Even in that case, there would be threats. With the shared network, you are at the mercy of the least prepared or least savvy connected entity.

No deep observation here really. Just noting that the biological analogies fit here with respect to chronic infectious diseases.

About November 2007

This page contains all entries posted to Trustworthy Thoughts in November 2007. They are listed from oldest to newest.
