Re: [Asrg] Request for Feedback: draft-oreirdan-mody-bot-remediation-03
Alessandro Vesely <vesely@tana.it> Wed, 23 September 2009 11:55 UTC
Return-Path: <vesely@tana.it>
X-Original-To: asrg@core3.amsl.com
Delivered-To: asrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F1CCE3A6812 for <asrg@core3.amsl.com>; Wed, 23 Sep 2009 04:55:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.938
X-Spam-Level:
X-Spam-Status: No, score=-2.938 tagged_above=-999 required=5 tests=[AWL=-0.633, BAYES_40=-0.185, HELO_EQ_IT=0.635, HOST_EQ_IT=1.245, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ig1EUT4CUEbv for <asrg@core3.amsl.com>; Wed, 23 Sep 2009 04:55:48 -0700 (PDT)
Received: from wmail.tana.it (mail.tana.it [62.94.243.226]) by core3.amsl.com (Postfix) with ESMTP id 733C83A63EB for <asrg@irtf.org>; Wed, 23 Sep 2009 04:55:48 -0700 (PDT)
Received: from [172.25.197.158] (pcale.tana [172.25.197.158]) (AUTH: CRAM-MD5 ale@tana.it, TLS: TLS1.0, 256bits, RSA_AES_256_CBC_SHA1) by wmail.tana.it with esmtp; Wed, 23 Sep 2009 13:56:49 +0200 id 00000000005DC031.000000004ABA0D01.00006132
Message-ID: <4ABA0D01.20208@tana.it>
Date: Wed, 23 Sep 2009 13:56:49 +0200
From: Alessandro Vesely <vesely@tana.it>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)
MIME-Version: 1.0
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
References: <C6DE40D4.8016%Nirmal_Mody@cable.comcast.com>
In-Reply-To: <C6DE40D4.8016%Nirmal_Mody@cable.comcast.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [Asrg] Request for Feedback: draft-oreirdan-mody-bot-remediation-03
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Sep 2009 11:55:50 -0000
Mody, Nirmal wrote: > We are looking for feedback on draft-oreirdan-mody-bot-remediation-03. > URL: http://tools.ietf.org/html/draft-oreirdan-mody-bot-remediation-03 I think this bot-remediation I-D might be better coordinated with the RID, http://tools.ietf.org/html/draft-moriarty-post-inch. Since "[d]etection of a security incident is outside the scope of [the latter] paper", they complement one another. In particular, the former paper misses a definition of ISP, which is less ambiguously termed "network provider (NP)" in the latter. The definition of "Computer" given in 2.3 apparently limits the scope of the I-D to end-user appliances, i.e. not servers. Although that's consistent with the Problem Statement, it might be worth repeating it in section "4. Important Notice of Limitations and Scope". In section "2.4 Malware", I'd reword this snippet This is short for malicious software. In this case, malicious bots are considered a subset of malware. Other forms of malware could include viruses and other similar types of software. to make a clearer definition, e.g. as This is short for malicious software. The bots we consider are a subset of malware. Malware also includes viruses, Trojans, spyware, adware, and similar types of software. In the successive snippet Alternatively, Internet-connected computers may become infected with malware through externally initiated malicious activities such as the exploitation of vulnerabilities or the brute force guessing of access credentials. I would also mention that an attacker may already know the password (but doesn't this involve servers?) E.g. Alternatively, Internet-connected computers may become infected with malware through externally initiated malicious activities such as the exploitation of vulnerabilities, the brute force guessing of access credentials, or the exploitation of such credentials obtained at a previously compromised computer. The second paragraph in section "5. Detection of Bots" is very long and difficult. In particular, in this sentence It is likely that a combination of multiple bot detection data points will prove to be an effective approach in order to corroborate information of varying dependability or consistency, as well as to avoid or minimize the possibility of false positive identification of computers. it is not clear what is a "data point"? I guess you are talking about data interchange between ISPs, as detailed in the above mentioned RID. The same paragraph again talks about bots that are "malicious in nature", a concept that I fail to understand. The I-D never talks about ascertaining whether a user knows about the bot and accepts accountability for its actions, which would classify it as non-malware. The section continues with items (a) through (g). I'd suggest converting them to subsections, for better quoting and pointing to them. Only a couple of those items are relevant for mailbox providers; should that be noted? I'm surprised about item (f) f. ISPs may also discover likely bot infected hosts located at other sites; when legally permissible or otherwise an industry accepted practice in a particular market region, it may be worthwhile for ISPs to share evidence relating to those compromised hosts with the relevant remote ISP, with security researchers, and with blocklist operators. I assume it is about firewall-detected scans, attempts to access closed ports, well known URIs, as well as dictionary attacks, and similar. If there really exist laws that forbid to notify such intrusion attempts to the relevant abuse mailbox, they are wrong and the IETF should lobby the relevant governments for abrogating them... The title of section "6.2. Telephone Call Notification" might perhaps be changed to "Telephone or Fax Call Notification". In particular, fax numbers are more often answered by computers. In section "6.4. Walled Garden Notification", it may be worth to mention IP fingerprinting as a possible disambiguation for NATted hosts, as described, e.g., in http://www.rbeverly.net/research/papers/tcpclass-pam04.html http://www.sflow.org/detectNAT/. This concern is addressed in section 7 ("diligence needs to be taken by the ISP where possible such that they can identify") so a "see also" might be needed. In section 7, the sentence This security web site should clearly explain why the user was notified and may include an explanation of what bots are, and the threats that they pose. assumes that the ISP is tightly coordinated with the provider of the security web site. I only note that section 7 should be of interest also for standalone computer servicing shops' web sites. The text suggested for explanation ("What is a bot? [...]") does not mention that the user may be held legally accountable for any damage that the bot may perpetrate. The paragraph of section "9. Security Considerations" sounds to me like "since this doc is all about security, this section only exists for accomplishing formal RFC requirements." IMHO, in this context, it would be more useful to recap the risks of phishing by notifying false infections, and to collect the passages where PII is concerned. Finally, a few typos s/solical/social/ s/poses can pose/can pose/ s/Compters/Computers/ HTH
- [Asrg] Request for Feedback: draft-oreirdan-mody-… Mody, Nirmal
- Re: [Asrg] Request for Feedback: draft-oreirdan-m… Alessandro Vesely
- [Asrg] Anyone read that bot remediation draft? John Levine