ICANN Email List Archives



Re: [gnso-ff-pdp-may08] How are Internet users affected by fastflux hosting?

  • To: Joe St Sauver <joe@xxxxxxxxxxxxxxxxxx>, "wendy@xxxxxxxxxxx" <wendy@xxxxxxxxxxx>
  • Subject: Re: [gnso-ff-pdp-may08] How are Internet users affected by fastflux hosting?
  • From: Dave Piscitello <dave.piscitello@xxxxxxxxx>
  • Date: Sat, 12 Jul 2008 08:46:10 -0700


It's safe to say that no single security measure offers relief from spam. 
Rather than say, "one major problem with blocking port 25 is that it only 
provides relief for one symptom of
being botted", I prefer to think of it as providing one less vector for 
attacks, or making it a tad harder to attack.

I've always believed that until you address the endpoint security problem, 
including source/origin address validation as we have in the telephone network, 
you are essentially applying bandaids to severed femoral arteries.

If you read SSAC's fast flux advisory, I call particular attention to the 
endpoint security issue, and injected my personal belief that network admission 
control must be part of the solution set. I see no reason why this group cannot 
take a cue from SSAC's advisory. There is ample anecdotal evidence from 
enterprises and educational institutions that have implemented Cisco NAC that 
"it helps, A LOT!"

So now you have a second to your suggestion. We only need a dozen or so more...

On 7/12/08 11:38 AM, "Joe St Sauver" <joe@xxxxxxxxxxxxxxxxxx> wrote:

Hi Wendy!

You mentioned (w.r.t. ISPs closing port 25 to block spam) that:

#This step worries me.  Closing port 25 may stop some spam, temporarily,
#but at the cost of depriving a whole class of Internet users of the
#ability to be full peers.  Instead of getting Internet service, they
#find themselves able to get only "Internet lite," or, if they're lucky,
#getting to pay more for "premium tiers of service."  The ISP is making
#presumptions about what "Internet" is, and those presumptions are wrong
#and limiting for users who want to run their own services.

Keep in mind, I can report what people are doing, without agreeing with
it. :-) If you'd like *my* perspective on the issue, I've got a March
2005 talk entitled "Dealing with Zombies and Trojans and Port 25," see
http://www.uoregon.edu/~joe/port25.pdf which includes the comment that
"blocking port 25 is cough syrup for lung cancer."

As I mentioned then (and continue to believe) one major problem with
blocking port 25 is that it only provides relief for one symptom of
being botted (e.g., spam sent direct to MX), while failing to address
the underlying condition (the box has been compromised, dang it!).

Because suppressing the symptom does not cure the underlying condition,
the bad guys are not kept from doing badness, they're just shifted from
one sort of badness (e.g., spamming direct to MX) to other sorts of
badness. The fact that we're having a discussion about fastflux hosting
is proof that my prediction is being realized.

And yet, I'd be willing to *bet* that one of the recommendations that
will NOT come out of this group's work is,

   "Attack the fastflux problem by working to secure compromised
    consumer PCs."

Love to be proven wrong on that one, but I'm not holding my breath. :-)

The reality is that many have given up on the Sisyphean task of securing
the world's vulnerable PCs before that effort has really begun! (Again
looking at the spam world for analogous examples, how many people still
bother to report spam, eh? I've got Yet Another Talk I'm working on for
this fall entitled, "The More You Spam Me, The Less I Care," looking at
how our mental decision making rubrics impact our system and network
security behaviors in unexpected ways...)

#As we've seen, this does not stop the flow of spam email, although that
#may slow until abusers find other routes.  It does, however, block
#legitimate users from having full Internet access.

I'd capture that thought as, "We're losing Internet transparency," and
that's very true. In fact, that was one of the themes of my talk,
"Cyberinfrastructure Applications, Security and Advanced Applications"
from this past April, see

Quoting from slide 18,

   "Rather than having a transparent end-to-end pipe,
    today's application programmer knows that they must
    potentially navigate a network encrusted with layers
    of firewalls, antivirus gateways, traffic shapers,
    proxies, and other active network security devices.
    Instead of being a content agnostic "dumb pipe," the
    network has become a very content-aware and very nosy
    participant in the delivery (or NON-delivery!) of network

   "In other cases, the network is neither a dumb transparent
    pipe nor an intelligent active network participant, it may
    simply intentionally not work at all. Some traffic intended
    for external hosts may be completely blocked, or that traffic
    may be involuntarily redirected without any notice to a local
    server. This is increasingly true when it comes to email
    traffic which may be blocked for anti-spam reasons if it isn't
    sent through the institution's email server, and more recently,
    DNS traffic has also been the subject of blocking or redirection
    in an effort to cope with DNS-changing malware. [talk continues]

#I think we have to guard against assuming that the Internet applications
#and uses of today are the only ones that will be important in the future.

With you 100% on that. Heck, I can even remember when regular users
had shell access, and they knew about Usenet, and "the (whole) Internet"
and "the Web" weren't synonymous. :-)

#I'm not defending the use of compromised machines, but I'm trying to
#ward off solutions to one problem that create new problems of their own.
#I appreciate your discussion of some of those difficulties.

I certainly share your concerns, and as you'll see if you look at
the "Cyberinfrastructure Applications, Security and Advanced Applications"
talk, I think a lot of people are already beginning to feel the pain
caused by their own tactical choices, choices which may have been made
without considering strategic impacts.

The fact that I felt compelled to recommend the establishment of "network
usability officers" to balance network security officers should tell you
something about how bad things can get. :-;

Hope y'all have a nice weekend,


