Battle of the botnets: My zombie horde's bigger than yours

Lee D

Re: Previous Reports

So creating another type of DoS for the customers that are paying for the service, and the potential for making it look like someone should be blocked and thus getting them kicked off the Internet "for larks".

It's not a plan that would work long-term.

The real issue is that computer security is still just a bolt-on, rather than inherent to a design.

Personally, as an ISP, I'd be flagging data for all customers, and providing them with some kind of stat portal/alert system for them to use. My old ISP used to warn if it detected ANY traffic on port 139 (even intercepting web pages to tell you). There's no reason you can't do that and warn with "Your connection is recorded as being seen as part of a botnet", yes, possibly intercepting HTTP until people get the message.

But even voluntary users won't stop DDoS happening. Only computer security.

The further we go down the road, the more a DDoS just looks exactly like a certain service/website became popular, and it's impossible to categorise a particular packet at the ISP end as malicious, without being the target of it all. How do you distinguish a million computers accessing Windows Update from a million hacked computers trying to DDoS Windows Update with the same kind of packets with the same kind of information? You can't.

The fix is to stop programs and devices being "on the network" and "able to do everything" by default. Every home router has the equivalent of "iptables -A OUTPUT -o eth0 -d 0.0.0.0/0 -j ACCEPT" as its only outgoing rule. If you just knocked that down to having to authorise devices, you'd knock a load of stuff off (e.g. IP cameras that can go online but don't need to). Give only basic web access to devices by default, and you cut out a load of NTP etc. attacks, and it's as simple as "this device is requesting NTP on the day you installed it, do you want to allow that?" to make it work as expected. And then any LATER change is suspicious, by which time the users will have forgotten what to do about it. Hell, include IP/DNS whitelisting for the necessary items, just like software firewalls do, and you can make sure the CCTV can talk to the mobile transcoding service but not spam people with emails, or Microsoft with pretending to be Windows Update or whatever.

"accept all" is the problem here, and it's been stupid since day one to trust the internal network so implicitly on a consumer-level home network.
