Broadband routers and botnets - being proactive

Florian Weimer fw at
Sun May 13 08:58:36 UTC 2007

* Suresh Ramasubramanian:

> As frequent as Gadi is with his botnet posts, insecure and wide open
> CPE getting deployed across a large provider is definitely
> operational.

And if Gadi's examples are not scary enoug for you, there are far more
relevant vulnerabilities.

It seems that the organization that assembles most of the firmware on
those CPEs just takes the Sourceforge project with the smallest
footprint they can find to implement a particular task.  Not even a
cursory code review takes place.  As most of the software is GPLed,
not just the firmware provider, but also the hardware manufacturer and
the ISP itself could stop the deployment until the most egregious bugs
have been fixed.  Of course, you could argue that if Microsoft and
Debian don't do this, why should ISPs?  To me, the answer is that
shipping vulnerable software is state of the art, but only if there is
some kind of patch management appendix.

Fortunately, there is a simple solution to this kind of problem: ISPs
are very likely liable if they fail to alert customers about security
problems, and do not provide updates in a timely manner.  After a few
painful incidents, the ISPs will learn, and either ship better
software (unlikely) or implement some kind of patch management.  With
a bit of luck, the latter does not just shift back liability back to
the customer, but also helps to parly solve the problem (in the sense
that CPE attacks are less attractive).

More information about the NANOG mailing list