jlivingood
Premium,VIP
join:2007-10-28
Philadelphia, PA
kudos:1

What to do about bots...

Another recent IETF draft we submitted this week was regarding the detection and remediation of (malicious) bots. Check out the document at »tools.ietf.org/html/draft-oreird···ation-00 .

I'd love any detailed feedback folks have here, on any aspect of this first draft document (posted here or sent to me via PM). In particular, I'd love to know what you think of the notification options in Section 5.2 and the remediation approach in 5.4.

Thanks
Jason
--
JL
Comcast


nate1234

join:2008-08-21

I like the "walled garden" approach in section 5.2.4; that would make it easy to show them what to do to remove the "bot" as mentioned in section 5.4. Telling users to update their systems AFTER they have a bot is somewhat useless, because those updates won't remove the bot; they patch the holes that the bot used to get in. I say just recommend some good free A/V software, and tell them to run it. Also, taking a backup is a bad idea, because if they use a disk imaging program, they may restore the bot back (oh no!). Encourage users to take regular disk images so that they can just restore from one of those, and then the bot is gone. I would make the law aspect of it very minor; users may feel forced or obligated to report the issue.

If users are warned by browser pop-up, email, IM, SMS, snail mail, or phone calls, there is no way to know whether the notifications are real, or are from Geek Squad trying to sell you a $200+ A/V scan, or other fake A/V advertisements (Anti-Virus 2009 ring a bell?).

An even better way to go about this would be to install (opt-in) filtering of viruses (and maybe charge $2-3 for it?)

IF and ONLY IF this issue becomes very bad in the future, you could require users to install a tool that makes sure that their system is up to date, or it gives them the walled garden until they update.



jlivingood
Premium,VIP
join:2007-10-28
Philadelphia, PA
kudos:1

said by nate1234:

I like the "walled garden" approach to section 5.2
Walled Garden is 5.2.4, which is similar to web notification in 5.2.7 (whether it is feasible and how to achieve it is a separate issue). My worry on a walled garden is: what if someone's on a VoIP call or playing an online game or doing something kind of non-PC-related? Would they perceive this as an outage, or open a web browser on a computer to see what's what? Would that end up being disruptive or annoying?

J
--
JL
Comcast


nate1234

join:2008-08-21

That is true. Maybe you could provision the walled garden in the middle of the night or something so it won't interrupt normal activities; maybe "threaten" them with the walled garden until they acknowledge that they need to fix the issue.



koshoka

join:2006-12-01
Pottsville, PA

reply to jlivingood
malicious bots=Decepticons?



espaeth
Digital Plumber
Premium,MVM
join:2001-04-21
Minneapolis, MN
kudos:2

reply to jlivingood

said by jlivingood:

My worry on a walled garden is what is someone's on a VoIP call or playing an online game or doing something kind of non-PC-related.
You could do something like block TCP and drop the subscribed rate down to something like 128k to at least limit the damage until you get in contact with the customer. Allowing UDP would keep VoIP running, so emergency calls to 911 and such could still get out.

said by jlivingood:

Would they perceive this as an outage or open a web browser on a computer to see what's what? Would that end up being disruptive or annoying?
If they perceive an outage and call in, couldn't you flag something in their account so the rep could talk them through cleaning their system of malware?

Maybe have timed levels of remediation?

Email notification, follow up in 4 hours, another follow up 4 hours after that. After 12 hours kick in with TCP blocking, with port 80 redirected to a "You've got worms" site.

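The escalating timeline and the quarantine profile sketched in the post above (notify, follow up at 4 and 8 hours, then block TCP, redirect port 80 to a warning page, keep UDP for VoIP and cap the rate), worked out as an added example. This is not code from the draft, from Comcast or from the poster: the hour thresholds and the 128k cap are espaeth's numbers, while the subscriber and portal addresses, the interface name, and the choice of Linux iptables/tc to render the walled garden are assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Timeline from the post above (poster's numbers); everything else is an
# assumed, illustrative implementation.
NOTIFY_SCHEDULE_HOURS = (0, 4, 8)   # e-mail at detection, then two follow-ups
QUARANTINE_AFTER_HOURS = 12         # then the walled garden kicks in

T0 = datetime(2009, 7, 14, 9, 0)    # constructed detection time for the demo


@dataclass
class BotCase:
    subscriber_ip: str
    detected_at: datetime
    acknowledged_at: Optional[datetime] = None  # customer confirmed they are on it
    cleared_at: Optional[datetime] = None       # bot traffic no longer observed
    notified_hours: List[int] = field(default_factory=list)


def due_actions(case: BotCase, now: datetime) -> List[str]:
    """Actions due at `now` for one case.

    Each scheduled notification fires exactly once (state kept on the case).
    The quarantine action is reported for as long as it should be in force,
    so the caller can apply it idempotently.  An acknowledgement suspends the
    quarantine step but not the reminders; a clean re-check releases it.
    """
    if case.cleared_at is not None:
        return ["release"]
    elapsed_h = (now - case.detected_at) / timedelta(hours=1)
    actions: List[str] = []
    for h in NOTIFY_SCHEDULE_HOURS:
        if elapsed_h >= h and h not in case.notified_hours:
            case.notified_hours.append(h)
            actions.append(f"notify:{h}h")
    if elapsed_h >= QUARANTINE_AFTER_HOURS and case.acknowledged_at is None:
        actions.append("quarantine")
    return actions


def quarantine_rules(subscriber_ip: str, portal_ip: str,
                     upstream_if: str = "eth0", rate_kbit: int = 128) -> List[str]:
    """Illustrative Linux iptables/tc rules for the walled garden described
    in the post: port-80 TCP redirected to the notification portal, all other
    TCP dropped, UDP untouched (VoIP, DNS), upstream rate capped.

    Caveat: only plaintext HTTP can be intercepted this way.  HTTPS sessions
    fail with a certificate mismatch, which the customer sees as an outage
    rather than a warning page.  Rule order matters: ACCEPTs precede the DROP.
    """
    ip, portal = subscriber_ip, portal_ip
    return [
        # Web notification: any port-80 connection lands on the portal.
        f"iptables -t nat -A PREROUTING -s {ip} -p tcp --dport 80 "
        f"-j DNAT --to-destination {portal}:80",
        f"iptables -A FORWARD -s {ip} -d {portal} -p tcp --dport 80 -j ACCEPT",
        # Keep UDP so VoIP (and 911 over it) and DNS keep working.
        f"iptables -A FORWARD -s {ip} -p udp -j ACCEPT",
        # Everything else over TCP is blocked: this, not the rate cap, is what
        # stops the bot's command-and-control and spam sessions.
        f"iptables -A FORWARD -s {ip} -p tcp -j DROP",
        # Upstream throttle. The root qdisc would be created once per
        # interface in practice; it is listed here so the set is complete.
        f"tc qdisc add dev {upstream_if} root handle 1: htb",
        f"tc class add dev {upstream_if} parent 1: classid 1:20 htb rate {rate_kbit}kbit",
        f"tc filter add dev {upstream_if} parent 1: protocol ip prio 1 u32 "
        f"match ip src {ip}/32 flowid 1:20",
    ]


def simulate(check_hours: List[float], ack_hour: Optional[float] = None,
             clear_hour: Optional[float] = None) -> Dict[float, List[str]]:
    """Replay one constructed case at the given hours after detection."""
    case = BotCase("10.0.0.7", T0)
    out: Dict[float, List[str]] = {}
    for h in check_hours:
        if ack_hour is not None and h >= ack_hour and case.acknowledged_at is None:
            case.acknowledged_at = T0 + timedelta(hours=ack_hour)
        if clear_hour is not None and h >= clear_hour and case.cleared_at is None:
            case.cleared_at = T0 + timedelta(hours=clear_hour)
        out[h] = due_actions(case, T0 + timedelta(hours=h))
    return out


if __name__ == "__main__":
    for hour, acts in simulate([0, 2, 5, 9, 13, 20], clear_hour=18).items():
        print(f"t+{hour:>2}h: {acts}")
    print("\n".join(quarantine_rules("10.0.0.7", "192.0.2.10")))
```

A check that runs hourly against open cases, applying `due_actions` and rendering `quarantine_rules` when "quarantine" comes back, gives the timed levels the post asks for; the acknowledgement flag is what lets a support rep who talks the customer through cleanup stop the escalation without closing the case.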

CleanGene
Premium,MVM
join:2008-04-09
Manassas, VA

reply to jlivingood

said by jlivingood:

My worry on a walled garden is what is someone's on a VoIP call or playing an online game or doing something kind of non-PC-related. Would they perceive this as an outage or open a web browser on a computer to see what's what? Would that end up being disruptive or annoying?

J
We're into "lesser of two evils" territory there, IMO. To a certain extent, the notification has to be at least mildly disruptive or annoying, else the user will never do anything about it - doing nothing is usually easier than doing something, so the point is to make doing nothing a bit uncomfortable. Not maliciously so, but still.

Anyway, even if they don't open a browser to see the walled-garden warning, this will undoubtedly drive calls to Tier, which (I assume) will see the account flagged for the issue and be able to explain the problem to the user.

The real problem, as I see it, will arise at that point: actually fixing the issue. While you have a suggested path for remediation, I foresee that such a task is positively monumental in scope. You're going to lose a significant fraction of your user base at step one ("Perform a FULL backup of the affected computers"), and then what? Is Tier expected to hold the non-technical user's hand and walk them through all these steps, or do we just bail and advise them to take it somewhere to have it fixed?

This is not to say it couldn't or shouldn't be done that way, just to point out that the phrase we're looking for is "customer education", and this is going to require a massive amount of customer education, IMO. Even if we're going to send them out for expert help, they need to be armed with more than "Comcast told me my computer is broken" when they walk into the Geek Squad or whatever :/


nate1234

join:2008-08-21

reply to espaeth
that sounds like a good idea



jlivingood
Premium,VIP
join:2007-10-28
Philadelphia, PA
kudos:1


Kind of off-topic, but given the bot-driven attacks in the news the past few days and the expectation that it may escalate, I'd recommend that PC users download and update McAfee to provide at least some defense. »security.comcast.net/ (which is free for our customers)
--
JL
Comcast



nate1234

join:2008-08-21

You guys should drop McAfee as soon as Microsoft Security Essentials comes out; it would save you money.

I don't use A/V.


neufuse

join:2006-12-06
Indiana, PA

reply to jlivingood
I wish you guys offered a choice... McAfee I've always disliked... NOD32 has always been a nice choice



sgtcasey
It's hot in NM.
Premium
join:2009-07-06
Albuquerque, NM

reply to jlivingood
I used McAfee for a while but have moved over to the free version of AVG in the past year or so.

Dave



jlivingood
Premium,VIP
join:2007-10-28
Philadelphia, PA
kudos:1

reply to jlivingood
We've updated the document again, and are happy to take any specific comments and suggestions on this new version:
»www.ietf.org/internet-drafts/dra···n-03.txt
--
JL
Comcast



Bigzizzzle
Premium
join:2005-01-27
Franklin, TN

I personally like this idea; I do plan to read the full IETF article you're writing later. My point to throw out is that people might get false positives all over; thus this can lead to net-neutrality issues. But as long as it's explained to all customers via email, on their bills, etc., and there is a good opt-in/opt-out, I'm all fine with it, being a Comcast user.

My only true complaint is pricing in my market. I wish there were lower prices on TV packages; I would love à la carte programming. It's tough paying for the standard tier + HBO, 2 HD boxes and 1 digital box for a total of just under $300.

We have been a customer for at least 6+ years and we have also maintained 2 accounts, i.e. 2 cable + TV / the other cable + TV and HBO.


rendrenner

join:2005-09-03
Grandville, MI

reply to koshoka

said by koshoka:

malicious bots=Decepticons?
I thought it was the Dinobots. Weren't they the ones who tried to eat everything?


nate1234

join:2008-08-21

Decepticons are from transformers


© 1999-2012 dslreports.com