botnets: web servers, end-systems and Vint Cerf

Fri Feb 16 05:57:43 UTC 2007

On Thu, 15 Feb 2007 21:54:00 CST, Gadi Evron said:

> > And the fact that web servers are getting botted is just the cycle of
> > reincarnation - it wasn't that long ago that .edu's had a reputation of
> > getting pwned for the exact same reasons that webservers are targets now:
> > easy to attack, and usually lots of bang-for-buck in pipe size and similar.
> 
> You mean they aren't now? Do we have any EDU admins around who want to
> tell us how bad it still is, despite attempts at working on this?

OK, I'll bite. :)

We point them at info:

http://www.computing.vt.edu/help_and_tutorials/getting_started/students.html

and give them a free CD that does all the heavy lifting for them:

http://www.antivirus.vt.edu/proactive/vtnet2006.asp

(And if you live in the dorms, the CD is *sitting there* on the table when
you get there - and the network jack has a little tape cover that reminds
them to use the CD first...)

Oh, and they also get to attend our "Don't be an online victim" presentation
during orientation, and most (if not all) of the residence halls have their
own official resident tech geek (it's amazingly easy to find people who
are willing to help people on their floor in exchange for a single room
rather than double ;)

And after all that, at any given instant, there's probably several dozen botted
boxes hiding in our 2 /16s - there's a limit to what you can do to stop users
from getting themselves botted when it's their box, not yours.  And there's
political expediency limits to what you can do to detect a botted box and take
action before it actually does anything.

What's changed over the past few years is that a number of years ago, the
end-user part of the Internet was /16s of .edu space with good bandwidth
interspersed with /18s of dial-up 56K modem pools, so .edu space was an
attractive target.  Now the /18s of dial-ups are /12s of cablemodems and DSL,
and *everyplace* is the same attractive swamp that .edu's used to be.

And most ISPs don't provide in-house tech support and an orientation lecture
when you sign up - though some *do* provide the free A/V these days. :)

Bottom line - there's cleaner /16s than ours. There's swampier.  What's changed
is that in addition to Joe Freshman being online, Joe's parents and kid sister
are online too. I have *some* control over Joe - the other 3 are Somebody
Else's Problem, and all I can do is hope they use an ISP that's learned that
you can actually get a positive ROI on up-front investing in security.
Unfortunately, Vint tells me that 140 million of them are all over at that
*other* ISP. ;)

> Dorms are basically large honey nets. :)

Are there any globally-routed /24s that *aren't*, these days? ;)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 226 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20070216/8d6b14b4/attachment.sig>