North American Network Operators Group


Re: FBI tells the public to call their ISP for help

  • From: Kradorex Xeron
  • Date: Thu Jun 14 16:37:37 2007

On Thursday 14 June 2007 10:27, michael.dillon@xxxxxx wrote:
> > Since many Microsoft patches are only legally available via
> > the Internet, and an ISP can not predict which servers
> > Microsoft will use to distribute Microsoft patches, ISPs must
> > enable essentially full Internet access which includes access
> > for most worms.
>
> Has anybody tried a firewalling solution in which unpatched PCs are only
> able to access a special ISP-operated forwarding nameserver which is
> configured to only reply with A records for a list of known Microsoft
> update sites? And then have this specially patched nameserver also
> trigger the firewall to open up access to the addresses that it returns
> in A records?
>
> According to Microsoft, their list of "trusted sites" for MS Update is
> *.update.microsoft.com and download.windowsupdate.com. Even if they have
> some sort of CDN (Content Delivery Network) with varying IP addresses
> based on topology or load, this is still predictable enough for a
> software solution to provide a temporary walled garden.
>
> You don't need to make copies of their patch files. You don't need MS to
> provide an out-of-band list of safe IP addresses. As long as you are
> able to divert a subscriber's traffic through a special firewalled
> garden, an ISP can implement this with no special support from MS. Wrap
> this up with a GUI for your support-desk people to enable/disable the
> traffic diversion and you have a low-cost solution. You can even
> leverage the same technology to deal with botnet infestations although
> you would probably want a separate firewalled garden that allows access
> to a wider range of sites known to be safe, i.e. Google, Yahoo, ISP's
> own pages, etc.
>
> --Michael Dillon

There's a major problem with this - End-users won't take nicely to being
restricted from going to specific websites, and will more than likely go to
another ISP rather than patch their computer, as they see no benefit in
patching themselves. We see the benefit of the patches; they don't
necessarily.

Not to single anyone out, but there will more than likely always be a careless
(and/or clueless) ISP who doesn't care if over half their network is wormed;
the customers from the ISPs who are cracking down on infected machines will
simply go over to the ISP who doesn't care, as there would be "less hassle".
What needs to be done is that ALL ISPs across the board need to clean up their
networks, thus cornering the lazy end-users into cleaning up their machines.

To be honest: there are too few ISPs that would want to take up the
responsibility of filtering worm'd customers, and as well, the instant an ISP
starts filtering, they may even set themselves up for a lawsuit from a
customer saying "I paid for the service, why aren't I getting it?!"

And regarding Microsoft and their patching licences:
Those patches may be their precious "legal property", but it's their hoarding of
legal rights that's damaging hundreds of thousands of computers. Microsoft is
currently abusing their market share standing and giving insufficient patch
distribution (i.e. offline distribution). Therefore Microsoft should be held
accountable for every computer that becomes infected with worms due to
insufficient patching. To me, it sounds like Microsoft wants the power, but
doesn't want the responsibility that comes with the power of great market
share. It is time Microsoft be forced to take that responsibility.
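The walled-garden mechanism Michael Dillon sketches in the quoted message, as an added illustration that is not code from the thread: a per-subscriber forwarding resolver that answers A queries only for the listed Microsoft update names and emits a firewall-open rule for each address it returns. The GARDEN chain, the iptables command shape and the upstream answers are assumptions constructed for this example.

```python
import fnmatch
import ipaddress
from dataclasses import dataclass, field

# Names Microsoft lists as trusted for MS Update, as quoted in the thread.
# fnmatch-style wildcards: "*.update.microsoft.com" covers any subdomain.
UPDATE_ALLOWLIST = ("*.update.microsoft.com", "download.windowsupdate.com")

# Constructed stand-in for the upstream recursive resolver (no real lookups).
FAKE_UPSTREAM = {
    "download.windowsupdate.com": ["203.0.113.10", "203.0.113.11"],
    "v5.update.microsoft.com": ["198.51.100.20"],
    "www.example.net": ["192.0.2.5"],
}


def name_allowed(qname, allowlist=UPDATE_ALLOWLIST):
    """True if the query name matches one of the allowlist patterns."""
    name = qname.rstrip(".").lower()
    return any(fnmatch.fnmatchcase(name, pat) for pat in allowlist)


@dataclass
class GardenResolver:
    """Per-subscriber forwarding resolver for the walled garden."""
    client_ip: str
    upstream: dict
    allowlist: tuple = UPDATE_ALLOWLIST
    opened: set = field(default_factory=set)  # addresses already punched through

    def resolve_a(self, qname):
        """Answer an A query; returns (rcode, addresses, firewall_commands)."""
        if not name_allowed(qname, self.allowlist):
            return "REFUSED", [], []          # outside the garden: no answer, no hole
        answers = self.upstream.get(qname.rstrip(".").lower(), [])
        commands = []
        for addr in answers:
            ipaddress.ip_address(addr)       # raise on malformed upstream data
            if addr in self.opened:
                continue                     # rule already exists for this client
            self.opened.add(addr)
            # Hypothetical firewall hook: a chain named GARDEN is assumed to
            # default-drop this subscriber; each returned address gets an ACCEPT.
            commands.append(
                f"iptables -I GARDEN -s {self.client_ip} -d {addr} "
                f"-p tcp -m multiport --dports 80,443 -j ACCEPT"
            )
        return "NOERROR", answers, commands
```

Because CDN addresses and record TTLs change, a production version would age the punched holes out with the TTL; as written the garden grows to every address the update names have ever resolved to.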