Destructive botnet originating from California (was Japan)
Barrett G. Lyon
blyon at prolexic.com
Mon Dec 26 16:20:27 UTC 2005
On Dec 25, 2005, at 7:21 PM, Jon Lewis wrote:
>
> On Sun, 25 Dec 2005, Barrett G. Lyon wrote:
>
>> I would have sent out a clean list sorted via AS and IP, except I
>> have been working from vacation on GPRS via my 1 bar of service on
>> my cell phone.
>
> What's vacation?
>
> I gather Prolexic isn't a one man shop. Nobody else had a better
> internet connection and a few minutes to tidy up the data and make
> the post?
There are special considerations that should be taken while posting
public data, so I take responsibility for public postings. Our team
makes sure everything else is running as usual; in the future I would
like to formulate an internal policy and structure that helps us
correctly post data on public forums without my involvement.
> IANAL either, but if I steal your car and run someone over with it,
> are you liable? Should you be? Computers are "stolen" or at least
> commandeered on the internet at an alarming rate because those who
> do it know that odds are, they won't get caught. And if they are
> caught, odds are, nothing will happen. And there's apparently
> considerable profit in the sale of commandeered systems or services
> provided by them. I doubt you'll get anywhere trying to make an
> example of someone whose system was hacked or even just "used
> improperly". I really don't think this problem can be solved by
> scaring sysadmins or corporations. There will always be security
> holes.
If they have had notice about the problem, and that the problem may
damage or cause harm to others, then the question is: did they act as
a reasonable service provider? If they failed to act as a reasonable
service provider to the compromised machine, then they are negligent.
In your car situation, if you know your car has been stolen, or if
you have the ability to prevent it, then you could possibly be
negligent. If you left a car with the engine running and the keys in
it, and you left it in a grammar school playground and your example
happens, you are negligent.
If we contact an ISP and tell them about a machine that is causing
harm, and we provide correct documentation, and they choose to do
nothing about it, I would say they are a negligent ISP and could be
open to litigation.
We have a couple of huge bank customers; they refused to use any
mitigation methods that involve syn-cookies because of the liability
that causes. They were so concerned that a SYN flood would be
relayed off a syn-cookie "guard" and be used to attack a competitor
as well. Their legal teams refused to take the liability because
that case would have had to be settled for a huge sum of money. As a
result they looked for solutions that do not use syn-cookies to defend
against syn floods.
If an ISP knew they could be found negligent then the community that
uses Arbor and other techniques to detect inbound attacks may use it
to detect and stop outbound attacks as well. I think it would raise
the bar of responsibility and responsiveness. Otherwise, we will
just sit and bitch about problems until there is a better protocol
than the old one we use now.
-Barrett
More information about the NANOG mailing list