Broadband routers and botnets - being proactive

Joel Jaeggli joelja at
Sun May 13 20:12:03 UTC 2007

Sean Donelan wrote:
> On Sun, 13 May 2007, Florian Weimer wrote:
>> Fortunately, there is a simple solution to this kind of problem: ISPs
>> are very likely liable if they fail to alert customers about security
>> problems, and do not provide updates in a timely manner.  After a few
>> painful incidents, the ISPs will learn, and either ship better
>> software (unlikely) or implement some kind of patch management.  With
>> a bit of luck, the latter does not just shift liability back to
>> the customer, but also helps to partly solve the problem (in the sense
>> that CPE attacks are less attractive).
> It won't solve the problem.  ISPs will simply stop distributing CPE, and
> tell customers to buy CPE from their nearest electronics store (Best
> Buy, Radio Shack, or the equivalent in other countries).  If you thought it
> was hard getting ISPs to patch CPE, try getting electronics stores to
> patch the CPE.  Look at the ancient bugs in D-Link, Linksys, Netgear boxes
> that consumers haven't figured out how to patch for years.
> You really need to identify the sources and fix it there.

When your cpe costs $50 (to the consumer) it's not worth anyone's time
(consumer, isp, manufacturer, store that sold it etc) to patch/upgrade
the thing. If it's broken enough they'll eventually buy another one, or
they'll buy another one because they decide they need some wazoo new
feature (802.11n, gigabit ethernet, p2p support, hard-disk etc)... The
trick is ensuring that when they do buy another one it's tangibly better
than the old one.

Even if your cpe costs more (cisco 8xx) it's still not worth patching it
if that is going to require external support (first time you call the
tac you blow the profit on a cisco 800).

Just remember, very few of these cpe devices existed 5 years ago. The
probability that the same ones will be in use in 5 years seems pretty low.

Deliver a compelling new technology platform and the users will upgrade
en masse (50mbit vdsl, ftth, docsis 3 cable modems, fixed wimax, etc).

It's my opinion that access ISPs need to get out of the business of
selling/delivering cpe because frankly the consumer will probably spend
more on features and so forth than the isp will when they lease you
some crappy actiontec dsl router for 3 bucks a month. The ISPs shoot
themselves in the foot by shoveling the cheapest cpe they can out the
door when the consumer would probably go out and pay for it if they felt
like they weren't getting jacked.
