botnets: web servers, end-systems and Vint Cerf [LONG, sorry]
Simon Waters
simonw at zynet.net
Mon Feb 19 14:04:13 UTC 2007
On Monday 19 February 2007 13:27, you wrote:
>
> people consider this to be a Windows malware problem. I consider it to
> be an email architecture problem. We all know that you need hierarchy to
> scale networks and I submit that any email architecture without
> hierarchy is broken by design and no amount of ill-thought-out bandaids
> will fix it.
I look forward to your paper on "the end to end concept, and why it doesn't
apply to email" ;)
I'm not convinced there is an email architecture problem of relevance to the
discussion. People mistake a security problem for its most visible symptoms.
The SMTP based email system has many faults, but it seems only mildly stressed
under the onslaught of millions of hosts attempting to subvert it. Most of
the attempts to "fix" the architecture problem so far have moved the problem
from blacklisting IP addresses, to blacklisting domains, or senders, or other
entities which occupy a larger potential space than the IPv4 addresses, which
one can use to effectively deal with most of the symptom. In comparison,
people controlling malware botnets have demonstrated their ability to
completely DDoS significant chunks of network, suggesting perhaps that other
protocols are potentially more vulnerable than SMTP, or more appropriate
layers to address the problem at.
We may need a trust system to deal with identity within the existing email
architecture, but I see no reason why that need be hierarchical, indeed
attempts to build such hierarchical systems have often failed to gather a
critical mass, but peer to peer trust systems have worked fine for decades
for highly sensitive types of data.
I simply don't believe the higher figures bandied about in the discussion for
compromised hosts. Certainly Microsoft's malware team report a high level of
trojans around, but they include things like the Jar files downloaded onto
many PCs, that attempt to exploit a vulnerability that most people patched
several years ago. Simply identifying that your computer downloaded (as designed),
but didn't run (because it was malformed), malware isn't an infection, or of
especial interest (other than indicating something about the frequency with
which webservers attempt to deliver malware).