Dutch ISPs to collaborate and take responsibility

Rich Kulawiec rsk at gsp.org
Fri Oct 9 10:05:39 UTC 2009

On Wed, Oct 07, 2009 at 06:25:53AM -0700, Owen DeLong wrote:
> Additionally the problems of DDOS sourced from a collection of  
> compromised hosts could be interfering with someone else's ability
> to make a successful VOIP call.

Much more than that: they could be interfering with the underlying
infrastructure, or they could be attacking the VOIP destination,
or they could be making fake VOIP calls (see below), or they could
be doing ANYTHING.  A compromised system is enemy territory, which is why:

> This blocking should be as narrow as possible.

Blocking should be total.  A compromised system is as much
enemy-controlled as if it were physically located at the RBN.  Trying
to figure out which of externally-visible behaviors A, B, C, etc.
it exhibits might be malicious and which might not be is a loss,
doubly so given that many of the attacks launched by such systems
are of a distributed nature and thus are very difficult to infer
solely by observation of one system.  Moreover, there is no way to
know, given a current observation of behavior A, whether or not
behavior B will begin, when it will begin, or what it will be.

For example, there's no way to know that a supposed VOIP call to
911 from that system is actually being made by a human being.
It's certainly well within the capabilities of malware to place
such a call -- and abuses of 911 in efforts to misdirect authorities
are well-known.  (See "swatting".  And note that nothing stops a botnet
equipped with appropriate s/w from launching a number of such calls
in sequence, with what I think are predictable consequences.) 

The bottom line is that once a system is compromised, all bets are off.
Nothing it does can be trusted by anyone: not its *former* owners, not
the network operator, not anyone in receipt of its traffic.  So the
only logical course of action is to cut it off completely, as quickly
as possible, and keep it that way until it's properly fixed.  (Which
of course involves booting from known-clean media, restoring apps from
known-clean sources, scanning all user data, etc.  Booting from
known-infected media is an obvious and immediate fail.)


More information about the NANOG mailing list