2006.06.07 NANOG-NOTES Smart Network Data Services

• Previous message (by thread): 2006.06.06 Net Optics Learning Center Presents Passive Monitoring Access
• Next message (by thread): 2006.06.07 NANOG-NOTES Smart Network Data Services
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

(I'm starting to guess I'd finish sending these out faster if
I stopped falling asleep on my keyboard so often... --Matt)


2006.06.07 Welcome to Wednesday morning

http://www.nanog.org/
click on Evaluation Form
Let us know how the M-W vs S-Tu
format; next time will be S-Tu due to ARIN
joint meeting, but need more feedback!

Bill Woodcock, been on program committee

And lightning talk people need to send their
slides to Steve Feldman!!

Elliot Gilliam,
ISP community, notifications to
Smart Network Data Services
[slides are at
http://www.nanog.org/mtg-0606/pdf/eliot-gillum.pdf

AGENDA
postmaster services
SNDS
 problem
goal
today
tomorrow
motivation
feedback/dialog
questions/discussion

Postmaster--starting point for any issues you have
 sending mail into Hotmail/MSN Live.
 It's like AOL skunkfeed, you can do junk mail
  reporting.
 Lets you see what bad stuff is coming from your
  domain.
SenderID

Site is at:
http://postmaster.msn.com/snds/

Problem:
bad stuff on the internet (spam, phishing, zombies,
 ID theft, DDoS)
 makes customers unhappy.
Solution #1 -- try to stop it before it hits customers
 doesn't really *solve* the problem
Solution #2 -- take what we learn, apply it upstream,
 get more bang for buck
#2: #1 is too low

ISP-centric efficiency
solution #1, n ISPs have n-1 problems, total is O(n^2)
n ISPs have 1 problem (themselves), total is O(n)

reduces work of the overall system.

Crux
today people and ISPs are measured by how much BAD stuff
  they *receive*
 Not judged by what they send out.
 similar to healthcare industry
  no tight feedback loop to ISP behaviour
nice quotes on slides
 http://www.circleid.com/posts/how_to_stop_spam

7 step program (like 12 step, but shorter)
1: recognize the problem:               SNDS
2: believe that someone can help you :  Me
3: Decide to do something :             You
8: Make an inventory of those harmed :  SNDS
9: Make amends to them :                Tools
10: Continue to inventory :             SNDS
12: Tell others about the program  :    You

What is SNDS
Website that offers free, instant access to MSN
 data on activity coming from your IP space
  data that correlates with "internet evils"
  informs ISP to enable local policy decisions
Automated authorization mechanism
 uses WHOIS and rDNS
 users are people not companies
A force multiplier attempt.

You can do it on your own, no need to sign up
your company officially as long as you're an
rWHOIS/WHOIS contact.

SNDS goal:
provide info which allows ISPs to detect and fix any
 undesired activity.
 qualitative and quantitative data
"No ISP left behind"
stop problems upstream of the destination
Bring total cost of remediation to absolute minimum
 keep service free
Make internet a better place.

We have data!
Windows Live Mail/MSN Hotmail is a spam and spoofing
 target.
4 billion inbound mails/day
  90/10 spam/ham by filtering technologies
 User reports on spam, fraud, etc.

Inbound mail system slide--ugly to read, too dark.

SNDS website slide shown.
You can see daily aggregated traffic from your network;
activity periods, IPs, commands and messages seen on
port 25, samples of exchanges.
Filter results on your mail
rate at which users press "this is junk" on your mail.
Trap counts for when IPs hit their junk filters.
comments column is catch-all for anything else they
 might put in; like open proxies, when tested positive.
"export to CSV" button, so you can feed the data in
 to your own systems if you want.

Today's Scenario
Illustrate magnitude and evidence of a problem.
 additional resources
 monitoring infrastructure

SNDS Stats
2500 users
 mostly senders
67 million IPs
 10-20% of inbound mail and complaints

Output drops by 57% on /24+ when monitored by SNDS

SNDS tomorrow
Usability
 signup by ASN
 better support for upstream providers
 access transfer
Utility
 programmatic access
Data
 virus-infected emails
 phishing
 honeymonkey
 sample messages
Expand the the coverage, try to hit more of the problems
 on the net.
Provide sample messages, compelling evidence when facing
 customers
This hasn't shipped yet, it's what he's hoping to
have in a month or two.

Tomorrow's Scenarios
Lowered
 barrier to entry
 recurring "cost"
ISP  types
 end-user
 tier 1/2 monitoring, tier 2/3
directly attack more than just spam
 virus emails -> infected PCs, outbound virus filters
 phishing/malware hosting -> takedowns.

Is asymmetric routing a sign of people trying to
 launch hidden abuses of the net?
Looking to hit more issues, like spotting virus-laden
 messages; either infected, or an open relay.
Hoping that automation speeds response.

Safety Tools
Stinger: http://vil.nai.com/vil/stinger
Nessus: http://www.nessus.org/
[oy, read the list from his slide, it's long.]
green items on the list are free, others are pay-for
 products.
Pay-for isn't necessarily a bad thing if you get
 benefit!

Safety tool breakdown from MSN on next slide.

Motivation:
Hypothesis: everyone benefits
Customers:
 infected uses get fixed
 safer, cheaper, better internet experience
ISPs
 solution #1 isn't solving the problem
 altruistic is the "new" selfish
Microsoft
 only benefits if everyone else does

make business case why they're doing this.
They need to stop paying costs of trying to
deal with spam.
Wants to get benefit of being one of the people
 seeing a cleaner internet

ISP Motivation
Customers
 they're unhappy, unsafe
 they like people who fix that
   be the hero
   retain customers
   win new ones
 fixing has more benefits than bandaging
  [bandaging is just sticking fingers in the dike, it
  doesn't scale, eventually we run out of fingers to
  stick in the holes]
cost reductions
 bandwidth--slow growth demands
 support--fewer complaints to your help desk.
Community
 NANOG

Motivation alternatives
Industry scorecard
 public recognition
 public shame
Logo ISP program--how clean are you?

Business case
Some nice quotes from different people around the
business case needed here.
appeal to cost reduction and revenue generation
this is starting to happen.

let your sales and marketing people know about
this.
Boston university business case, students arriving
with computers presented danger/load to their
help desk.
Qwest provides windows/one software to their
users.

Feedback:
usability--how easily can you work with it?
utility--what can you do?
what's missing
 tools to aid customer remediation
need IPv6 support at some point
how do ISPs see cost vs benfits
 costs, benefits, NANOG aggregation
how do we get critical mass?
 msn-snds at microsoft.com

Discussion:
How does SNDS fit into the larger ecosystem
 relationship to
  senderBase.org
  SCOMP/JMRP
  REACT
  adam, rick at support intelligence
  Yahoo is working on a system like this, Irene Lai is
   here to work on that, email her if you're interested.
 Should/how do other ISPs provide this?
  common schema, authorization, authentication
  federation, delegation, aggregation

Forum
 bof/track?
 NANOG/MAAWG?
 Mailing list: upstream at mipassoc.org

Conclusion:
http://postmaster.msn.com/
http://postmaster.msn.com/snds/
Try it!
tell people about it!

Q: Matt asks whether Microsoft will point their
own systems at it, since Nick Feamster's presentation
showed on slide 12 that Microsoft was #10 on the
list of spam *sources* that his honeypots saw?
A: Yes, he is connecting the systems that track
mail sending from Hotmail to this as well, so that
they can start making sure they're cleaning their
own house as well.

on to next talk.

• Previous message (by thread): 2006.06.06 Net Optics Learning Center Presents Passive Monitoring Access
• Next message (by thread): 2006.06.07 NANOG-NOTES Smart Network Data Services
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]