[secdir] Secdir review of draft-oreirdan-mody-bot-remediation

Paul Hoffman <paul.hoffman@vpnc.org> Fri, 14 October 2011 22:57 UTC

This is a review of the security-related aspects of draft-oreirdan-mody-bot-remediation, primarily for the benefit of the Security ADs and the authors of draft-oreirdan-mody-bot-remediation.

The document is a set of recommendations to ISPs on how to deal with customer computers that have been botted. It is informational in nature, and (wisely) avoids any 2119ish language. Topics covered include determining which customers might be infected, communicating with the customers, and remediation.

In other words, the entire document covers security-related topics. Fortunately, it does so in a very clear fashion throughout. Suggestions for actions that an ISP might take are often accompanied by warnings and discussion of the security aspects of those actions. The Security Considerations section, while short, emphasizes the need for the reader to read carefully, particularly the section on the security aspects of sending mail to potentially-infected customers.

One editorial comment: the first sentence of the abstract has a superfluous comma that imbues unintended humorous semantics:
   This document contains recommendations on how Internet Service
   Providers can manage the effects of computers used by their
   subscribers, which have been infected with malicious bots, via
   various remediation techniques.
It is unlikely that subscribers themselves have been infected with malicious bots. A better wording might be:
   This document contains recommendations on how Internet Service
   Providers can use various remediation techniques to manage
   the effects of malicious bots on their subscribers' computers.

--Paul Hoffman