Re: [gnso-ff-pdp-may08] How are Internet users affected by fastflux hosting?

[Joe St Sauver <joe@xxxxxxxxxxxxxxxxxx>]

Hi Wendy!

You mentioned (w.r.t. ISPs closing port 25 to block spam) that:

#This step worries me.  Closing port 25 may stop some spam, temporarily,
#but at the cost of depriving a whole class of Internet users of the
#ability to be full peers.  Instead of getting Internet service, they
#find themselves able to get only "Internet lite," or, if they're lucky,
#getting to pay more for "premium tiers of service."  The ISP is making
#presumptions about what "Internet" is, and those presumptions are wrong
#and limiting for users who want to run their own services.

Keep in mind, I can report what people are doing, without agreeing with
it. :-) If you'd like *my* perspective on the issue, I've got a March
2005 talk entitled "Dealing with Zombies and Trojans and Port 25," see
http://www.uoregon.edu/~joe/port25.pdf which includes the comment that
"blocking port 25 is cough syrup for lung cancer." 

As I mentioned then (and continue to believe) one major problem with
blocking port 25 is that it only provides relief for one symptom of 
being botted (e.g., spam sent direct to MX), while failing to address
the underlying condition (the box has been compromised, dang it!).

Because suppressing the symptom does not cure the underlying condition,
the bad guys are not kept from doing badness, they're just shifted from
one sort of badness (e.g., spamming direct to MX) to other sorts of
badness. The fact that we're having a discussion about fastflux hosting
is proof that my prediction is being realized. 

And yet, I'd be willing to *bet* that one of the recommendations that
will NOT come out of this group's work is,

   "Attack the fastflux problem by working to secure compromised
    consumer PCs."

Love to be proven wrong on that one, but I'm not holding my breath. :-)

The reality is that many have given up on the sisyphean task of securing
the world's vulnerable PCS before that effort has really begun! (Again
looking at the spam world for analagous examples, how many people still
bother to report spam, eh? I've got Yet Another Talk I'm working on for 
this fall entitled, "The More You Spam Me, The Less I Care," looking at 
how our mental decision making rubrics impact our system and network
security behaviors in unexpected ways...)

#As we've seen, this does not stop the flow of spam email, although that
#may slow until abusers find other routes.  It does, however, block
#legitimate users from having full Internet access.

I'd capture that thought as, "We're losing Internet transparency," and
that's very true. In fact, that was one of the themes of my talk,
"Cyberinfrastructure Applications, Security and Advanced Applications"
from this past April, see
http://www.uoregon.edu/~joe/architectures/architecture.pdf

Quoting from slide 18,

   "Rather than having a transparent end-to-end pipe, 
    today's application programmer knows that they must 
    potentially navigate a network encrusted with layers 
    of firewalls, antivirus gateways, traffic shapers, 
    proxies, and other active network security devices.
    Instead of being a content agnostic "dumb pipe," the 
    network has become a very content-aware and very nosy 
    participant in the delivery (or NON-delivery!) of network 
    traffic.

   "In other cases, the network is neither a dumb transparent 
    pipe no ran intelligent active network participant, it may 
    simply intentionally not work at all. Some traffic intended 
    for external hosts may be completely blocked, or that traffic 
    may be involuntarily redirected without any notice to a local 
    server. This is increasingly true when it comes to email 
    traffic which may be blocked for anti-spam reasons if it isn't 
    sent through the institution's email server, and more recently, 
    DNS traffic has also been the subject of blocking or redirection 
    in an effort to cope with DNS-changing malware. [talk continues]

#I think we have to guard against assuming that the Internet applications
#and uses of today are the only ones that will be important in the future.

With you 100% on that. Heck, I can even remember when regular users
had shell access, and they knew about Usenet, and "the (whole) Internet" 
and "the Web" weren't synonymous. :-)

#I'm not defending the use of compromised machines, but I'm trying to
#ward off solutions to one problem that create new problems of their own.
#I appreciate your discussion of some of those difficulties.

I certainly share your concerns, and as you'll see if you look at
the "Cyberinfrastructure Applications, Security and Advanced Applications"
talk, I think a lot of people are already beginning to feel the pain 
caused by their own tactical choices, choices which may have been made 
without considering strategic impacts. 

The fact that I felt compelled to recommend the establishment of "network
usability officers" to balance network security officers should tell you
something about how bad things can get. :-;

Hope y'all have a nice weekend,

Regards,

Joe