Re: [Asrg] Request for Feedback: draft-oreirdan-mody-bot-remediation-03

Alessandro Vesely <vesely@tana.it> Wed, 23 September 2009 11:55 UTC

Return-Path: <vesely@tana.it>
X-Original-To: asrg@core3.amsl.com
Delivered-To: asrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F1CCE3A6812 for <asrg@core3.amsl.com>; Wed, 23 Sep 2009 04:55:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.938
X-Spam-Level:
X-Spam-Status: No, score=-2.938 tagged_above=-999 required=5 tests=[AWL=-0.633, BAYES_40=-0.185, HELO_EQ_IT=0.635, HOST_EQ_IT=1.245, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ig1EUT4CUEbv for <asrg@core3.amsl.com>; Wed, 23 Sep 2009 04:55:48 -0700 (PDT)
Received: from wmail.tana.it (mail.tana.it [62.94.243.226]) by core3.amsl.com (Postfix) with ESMTP id 733C83A63EB for <asrg@irtf.org>; Wed, 23 Sep 2009 04:55:48 -0700 (PDT)
Received: from [172.25.197.158] (pcale.tana [172.25.197.158]) (AUTH: CRAM-MD5 ale@tana.it, TLS: TLS1.0, 256bits, RSA_AES_256_CBC_SHA1) by wmail.tana.it with esmtp; Wed, 23 Sep 2009 13:56:49 +0200 id 00000000005DC031.000000004ABA0D01.00006132
Message-ID: <4ABA0D01.20208@tana.it>
Date: Wed, 23 Sep 2009 13:56:49 +0200
From: Alessandro Vesely <vesely@tana.it>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
References: <C6DE40D4.8016%Nirmal_Mody@cable.comcast.com>
In-Reply-To: <C6DE40D4.8016%Nirmal_Mody@cable.comcast.com>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [Asrg] Request for Feedback: draft-oreirdan-mody-bot-remediation-03
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Sep 2009 11:55:50 -0000

Mody, Nirmal wrote:
> We are looking for feedback on draft-oreirdan-mody-bot-remediation-03.
> URL:  http://tools.ietf.org/html/draft-oreirdan-mody-bot-remediation-03

I think this bot-remediation I-D might be better coordinated with the 
RID, http://tools.ietf.org/html/draft-moriarty-post-inch. Since 
"[d]etection of a security incident is outside the scope of [the 
latter] paper", they complement one another. In particular, the former 
paper misses a definition of ISP, which is less ambiguously termed 
"network provider (NP)" in the latter.

The definition of "Computer" given in 2.3 apparently limits the scope 
of the I-D to end-user appliances, i.e. not servers. Although that's 
consistent with the Problem Statement, it might be worth repeating it 
in section "4. Important Notice of Limitations and Scope".

In section "2.4 Malware", I'd reword this snippet

  This is short for malicious software.  In this case, malicious bots
  are considered a subset of malware.  Other forms of malware could
  include viruses and other similar types of software.

to make a clearer definition, e.g. as

  This is short for malicious software.  The bots we consider are a
  subset of malware.  Malware also includes viruses, Trojans, spyware,
  adware, and similar types of software.

In the successive snippet

  Alternatively, Internet-connected computers may become infected with
  malware through externally initiated malicious activities such as the
  exploitation of vulnerabilities or the brute force guessing of access
  credentials.

I would also mention that an attacker may already know the password 
(but doesn't this involve servers?) E.g.

  Alternatively, Internet-connected computers may become infected with
  malware through externally initiated malicious activities such as the
  exploitation of vulnerabilities, the brute force guessing of access
  credentials, or the exploitation of such credentials obtained at a
  previously compromised computer.

The second paragraph in section "5. Detection of Bots" is very long 
and difficult. In particular, in this sentence

                  It is likely that a combination of multiple bot
  detection data points will prove to be an effective approach in order
  to corroborate information of varying dependability or consistency,
  as well as to avoid or minimize the possibility of false positive
  identification of computers.

it is not clear what is a "data point"? I guess you are talking about 
data interchange between ISPs, as detailed in the above mentioned RID.

The same paragraph again talks about bots that are "malicious in 
nature", a concept that I fail to understand. The I-D never talks 
about ascertaining whether a user knows about the bot and accepts 
accountability for its actions, which would classify it as non-malware.

The section continues with items (a) through (g). I'd suggest 
converting them to subsections, for better quoting and pointing to 
them. Only a couple of those items are relevant for mailbox providers; 
should that be noted?

I'm surprised about item (f)

  f.  ISPs may also discover likely bot infected hosts located at other
      sites; when legally permissible or otherwise an industry accepted
      practice in a particular market region, it may be worthwhile for
      ISPs to share evidence relating to those compromised hosts with
      the relevant remote ISP, with security researchers, and with
      blocklist operators.

I assume it is about firewall-detected scans, attempts to access 
closed ports, well known URIs, as well as dictionary attacks, and 
similar. If there really exist laws that forbid to notify such 
intrusion attempts to the relevant abuse mailbox, they are wrong and 
the IETF should lobby the relevant governments for abrogating them...

The title of section "6.2. Telephone Call Notification" might perhaps 
be changed to "Telephone or Fax Call Notification". In particular, fax 
numbers are more often answered by computers.

In section "6.4. Walled Garden Notification", it may be worth to 
mention IP fingerprinting as a possible disambiguation for NATted 
hosts, as described, e.g., in 
http://www.rbeverly.net/research/papers/tcpclass-pam04.html 
http://www.sflow.org/detectNAT/. This concern is addressed in section 
7 ("diligence needs to be taken by the ISP where possible such that 
they can identify") so a "see also" might be needed.

In section 7, the sentence
                                                     This security web
  site should clearly explain why the user was notified and may include
  an explanation of what bots are, and the threats that they pose.

assumes that the ISP is tightly coordinated with the provider of the 
security web site. I only note that section 7 should be of interest 
also for standalone computer servicing shops' web sites.

The text suggested for explanation ("What is a bot? [...]") does not 
mention that the user may be held legally accountable for any damage 
that the bot may perpetrate.

The paragraph of section "9. Security Considerations" sounds to me 
like "since this doc is all about security, this section only exists 
for accomplishing formal RFC requirements." IMHO, in this context, it 
would be more useful to recap the risks of phishing by notifying false 
infections, and to collect the passages where PII is concerned.

Finally, a few typos

s/solical/social/
s/poses can pose/can pose/
s/Compters/Computers/

HTH