Date: Thu, 5 Feb 2004 10:36:29 -0000
From: "Paul Murphy" <pmurphy@...ixpharma.com>
To: <bugtraq@...urityfocus.com>
Subject: RE: getting rid of outbreaks and spam (junk)



James Riden wrote:

> Not my area, but I believe most backbone networks are designed to get
> packets from A to B as fast as possible.  Egress filtering at ISPs,
> for both spoofed addresses and email-borne viruses would be a start
> though.

Checking for spoofed addresses is fine in theory, and it would be nice to see
all ISPs doing it as a matter of course in their edge routers.  Most of them
don't do it because it is painful to set up, as it means a different config on
every router - at the moment, most of the edge routers have the same config,
which can be pushed out automatically.

Checking for viruses in traffic going across the backbone is doomed to failure
for exactly the reason that you gave earlier in your post, that signatures are
usually a few hours behind the infection.  Not to mention that all of the
routers on the net would need to be replaced by systems with 400% of the
processing power to perform this task.  Guess the customer ends up paying for
this?

ISPs focus on making profits for their shareholders, and providing a service
which is 10% more secure than their competitors doesn't get them any greater
customer base.  Making it 100% secure is impossible, and would lead to charges
which no-one could afford, so why bother at all?  The problem is at the very end
of the chain - semi-literate users who are too stupid or too lazy or too
ignorant to even realise when their system has been infected, never mind do
something proactive to stop it happening in the first place.  Intrinsically
secure systems would have been a better idea some time ago, but now the stable
door and the horse are both crumbled to dust, and trying to force stable systems
on a world used to macros, downloads, and open e-mail would be a bit like ruling
that all cars must travel at no more than a walking pace with a man in front
waving a flag.  It may be far from perfect, but rewinding the clock is not an
option.

> It would also be good to have ISPs accountable for abuse that
> originates in their networks. But does any government department have
> the resources to do this, even if appropriate laws are in place?

If you make the ISP accountable, they will in turn seek to pass this on to the
customers in their service contract.  So, as an example, on the next major
outbreak, 20% of traffic comes from AOL addresses, and the total cost is
estimated at $2.5 billion (by who?), so AOL are fined $500M - but their (updated
as a result) service contract says that you must ensure that your system is
secure, and if you fail to do so, you will be charged for the damage your system
inflicts.  The damage is traced to 500,000 customer addresses, so each of them
gets hit for $1K.

Net result - customers leave in droves, company collapses, and everyone is back
where we started.  Great idea - force everyone onto the most lax ISP going,
which is probably based somewhere outside of the jurisdiction of your shiny new
legal system, and where a support call is charged at international rates.  Gives
new meaning to the phrase "Where would you like to go today?"

Best Wishes,

Paul.
__________________________________________________
Paul Murphy
Head of Informatics
Ionix Pharmaceuticals Ltd
418 Science Park, Cambridge, CB4 0PA

Tel. 01223 433741
Fax. 01223 433788

___________________________________________________________
DISCLAIMER:
This email and any files transmitted with it are confidential and 
intended solely for the use of the individual or entity to which they
are addressed.  If you have received this email in error please contact
the sender or the Ionix IT Helpdesk on +44 (0) 1223 433741
_______________________________________________________________________

Powered by blists - more mailing lists