Operation Ghost Click

Livingood, Jason Jason_Livingood at cable.comcast.com
Tue May 1 19:41:35 UTC 2012

On 5/1/12 3:19 PM, "Valdis.Kletnieks at vt.edu" <Valdis.Kletnieks at vt.edu> wrote:

On Tue, 01 May 2012 10:40:57 -0400, Rich Kulawiec said:

Why haven't you cut these obviously-infected systems off entirely?

There's quite likely multiple systems behind a NAT-ish router, and Comcast doesn't have any real option but to nuke *all* the systems behind the router.
This can be a tad troublesome if there's one infected box behind the router, but the customer is also using VoIP of some sort from another box - you may just have nuked their 911 capability. Or if they have multiple systems, you may have killed their ability to transact basic business like contact their local government or pay their utility bills from a box that's not infected.

All of this above! Plus, the remediation tools to clean up an infection are insufficient to the task right now. Better tools are needed. (See also http://tools.ietf.org/html/rfc6561#section-5.4)

