SP's & network security issues

Christian Kuhtz ck at arch.bellsouth.net
Thu Aug 9 04:34:35 UTC 2001



Hey there,

so, you want to be a good citizen and steward of the inet.  DDoS and security
attack after security attack happens, it won't ever stop.  You try to do the best you
can to effectively respond to it.  You try to inform your customers.  You try
to educate them.  Yet, you realize that you're not doing enough...

What do the rest of you SPs actually do to combat this threat? 

How do you keep the hype, fear, panic and despair of your management team
(all the way to the CEO) in check?  And that of your customers?  Some of it
is sometimes warranted.. but, got any ideas for crowd control?

In our case, we have several hundred thousand DSL customers today, and the
million plus subscriber mark is on the engineering horizon.  The problem of
security threats & resulting incidents is going to get considerably worse
before it gets better.  And that's for at least two reasons.. the ramp up of
broadband and presumably the declining sophistication of the subscriber
population as a result of the greater market penetration.

Sure, you can try to teach your subscribers to protect themselves.  But this is
really not the answer.  How many unsophisticated subscribers are going to be
able to do this in an effective and timely manner?

What do you do in response?

How do you effectively scale the massive support effort needed for collaborative
marketing of personal firewalls and the potential for false positives and
negatives?  Any ideas on the legal exposure of security services?

Like, in the current case, several providers have resorted to blocking port 80
to their non-DIA subscriber base.  Is this really scalable?  Obviously not for
every threat.  You can't effectively keep this up with the myriad of threats.
Or can you?

Is it realistic to be able to maintain your own NIDS patterns with the help of
your own staff and public resources?  Are options like security service
providers the only workable option?  Do they work at all?  How effective are 
they?  IDS will obviously only work against known threats.. how do you create
an effective early warning system?  How do you provide effective vaccination
against an unknown threat?

How do you respond to potentially massive infections of your subscriber base?
Potential zombie manifestations in the 100k's are easily possible.  They 
really do make Code Red's impact to date seem more like a case of a mild flu
than any serious infection.

So, you do have a responsibility to your customers to protect them.  To what
extent is this realistic, though?  Doesn't this also bear the risk of false 
security or even potential legal liabilities?  How do you manage this risk?

You also have a responsibility to "protect" the rest of the world from
zombie gatherings among your subscribers.  Same questions apply.

So, I think it's clear that something needs to be done, but coming up with a
definitive plan of attack is anything but trivial.

This obviously doesn't just apply to DSL, it applies to Cable and whatever
other broadband networks are out there or will evolve...

We want to be a good steward and citizen of the inet, yet, these questions are
tough to answer in any satisfactory way it seems.

(Yes, I've taken some of these questions to various security forums from time
 to time, but none of them seem to represent a significant number of SPs; 
 suggestions are very welcome).

I'm sure this isn't a comprehensive list.. but, perhaps, it'll get a useful
conversation going.  Hey, I can hope, right?

Cheers,
Chris

-- 
Christian Kuhtz <ck at arch.bellsouth.net> -wk, <ck at gnu.org> -hm
Sr. Architect, Engineering & Architecture, BellSouth.net, Atlanta, GA, U.S.
"I speak for myself only."