Broadband routers and botnets - being proactive

Sean Donelan sean at
Sun May 13 18:06:37 UTC 2007

On Sun, 13 May 2007, Florian Weimer wrote:
> Fortunately, there is a simple solution to this kind of problem: ISPs
> are very likely liable if they fail to alert customers about security
> problems, and do not provide updates in a timely manner.  After a few
> painful incidents, the ISPs will learn, and either ship better
> software (unlikely) or implement some kind of patch management.  With
> a bit of luck, the latter does not just shift back liability back to
> the customer, but also helps to parly solve the problem (in the sense
> that CPE attacks are less attractive).

It won't solve the problem.  ISPs will simply stop distributing CPE, and
tell customers to buy CPE from their nearest electronics store (Best Buy, 
Radio Shack, or the equivilent in other countries).  If you thought it
was hard getting ISPs to patch CPE, try getting electronics stores to
patch the CPE.  Look at the ancient bugs in D-Link, Linksys, Netgear boxes
that consumers haven't figured out how to patch for years.

You really need to identify the sources and fix it there.

More information about the NANOG mailing list