Dutch ISPs to collaborate and take responsibility

Someone else pointed out that if the system in question has been
botted/owned/pwn3d/whatever you want to call it, then you can't guarantee
it would make the 911 call correctly anyway.

I realize that many NANOG'ers don't actually use the technologies that
we talk about, so I'm just going to correct this:

You seem to be under the mistaken assumption that most people using VoIP
do so using their computer. While it kind of started out that way years
ago, it simply isn't so anymore. Most VoIP services can be configured to
work with an analog telephony adapter, providing a POTS jack. Most VoIP
services even provide one as part of the subscription, sometimes for a
fee.

There's also a growing number of phones that support Skype or generic
VoIP, sometimes alongside a regular POTS line, sometimes not.

It is perfectly possible to have an infected PC sitting right next to a
nice VoIP-capable DECT cordless phone system, both hooked to the same
NAT router. This is, of course, problematic, and it would be a useful
problem to contemplate: how to cause one to break while keeping the other
operational.

Assuming that the existence of an infected PC in the mix translates to
some sort of inability to make a 911 call correctly is, however, simply
irresponsible, and at some point, is probably asking for trouble.

... JG

Also, someone mentioned that the FCC doesn't in fact mandate that PSTN
terminals should be able to make emergency calls even if formally disconnected
and asked about cellular.

The opposite is true about GSM and its descendants; whether or not you're a
valid roamer for the network you're talking to, have a prepaid balance, or have
paid your bill, you must be able to make emergency calls. Similarly, even if
no SIM card is present, the device should register with the network as
"limited service" - i.e. emergency only.

The FCC generally doesn't come into play when you're talking about ILEC telephone service except at a very high level. In California, by PUC regulation telephone companies are required to allow access to 911 so long as there is copper in the facility and it was, at any time, active with any sort of phone service.

Ref: http://ucan.org/telenforcers/files/SBC%20complaint%20PUC%20version.pdf
Ref2: California Public Utilities Code Section 2883

I believe this is also the case in numerous other states.

I do use VOIP, both computer and non-computer based. Nonetheless, the
fact remains that should any of my systems become compromised, my
ability to make a VOIP phone call is in doubt regardless of what the
provider does.

Additionally the problems of DDOS sourced from a collection of compromised
hosts could be interfering with someone else's ability to make a successful
VOIP call.

Abuse sources should be blocked from impacting the rest of the network.

This blocking should be as narrow as possible.

Owen

Additionally the problems of DDOS sourced from a collection of
compromised hosts could be interfering with someone else's ability
to make a successful VOIP call.

Much more than that: they could be interfering with the underlying
infrastructure, or they could be attacking the VOIP destination,
or they could be making fake VOIP calls (see below), or they could
be doing ANYTHING. A compromised system is enemy territory, which is why:

This blocking should be as narrow as possible.

Blocking should be total. A compromised system is as much
enemy-controlled as if it were physically located at the RBN. Trying
to figure out which of externally-visible behaviors A, B, C, etc.
it exhibits might be malicious and which might not be is a loss,
doubly so given that many of the attacks launched by such systems
are of a distributed nature and thus are very difficult to infer
solely by observation of one system. Moreover, there is no way to
know, given a current observation of behavior A, whether or not
behavior B will begin, when it will begin, or what it will be.

For example, there's no way to know that a supposed VOIP call to
911 from that system is actually being made by a human being.
It's certainly well within the capabilities of malware to place
such a call -- and abuses of 911 in efforts to misdirect authorities
are well-known. (See "swatting". And note that nothing stops a botnet
equipped with appropriate s/w from launching a number of such calls
in sequence, with what I think are predictable consequences.)

The bottom line is that once a system is compromised, all bets are off.
Nothing it does can be trusted by anyone: not its *former* owners, not
the network operator, not anyone in receipt of its traffic. So the
only logical course of action is to cut it off completely, as quickly
as possible, and keep it that way until it's properly fixed. (Which
of course involves booting from known-clean media, restoring apps from
known-clean sources, scanning all user data, etc. Booting from
known-infected media is an obvious and immediate fail.)

---Rsk

If an ISP is involved with tracking down DDOS participants or
something, I can understand how they'd know a system was compromised.
But any kind of blocking because the ISP sees 'anomalous' traffic
seems ... premature at best. SANS newsbites has this bit:
  On Thursday, October 8, Comcast began testing a service that alerts its
  broadband subscribers with pop-ups if their computers appear to be
  infected with malware. Among the indicative behaviors that trigger
  alerts are spikes in overnight traffic, suggesting the machine has been
  compromised and is being used to send spam.

When my son comes home from college, there's a huge spike in overnight
traffic from my house. With all the people advocating immediate
blocking of pwned systems in this thread, I'm wondering what their
criteria are for deciding that the system is compromised & should be
blocked.

Lee
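As an added example (not from any poster in this thread, and not Comcast's detection code), the following runs two simple heuristics over constructed NetFlow-style records: the overnight byte-volume spike quoted from SANS above, and a spam-bot signature based on how many distinct SMTP servers a subscriber contacts. It shows why a volume spike alone is a weak criterion for blocking, since a household bulk download trips it while the bot does not, and why a protocol-specific fan-out check separates the two. All flows, addresses, thresholds and field names are constructed for illustration.

```python
"""Added example, not code from the NANOG thread or from Comcast.

Two bot-detection heuristics over constructed flow records:
  * overnight_volume_spike: the raw "spike in overnight traffic" criterion
  * smtp_fanout: many distinct outbound SMTP (port 25) peers in a window
Every record, threshold and address below is constructed for illustration.
"""

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    hour: int        # local hour of day, 0-23 (assumed field)
    src: str         # subscriber's public IP (the CPE/NAT router)
    dst: str         # remote peer
    dport: int       # destination port
    bytes_out: int   # bytes sent by src in this flow


# Constructed sample: subscriber A (198.51.100.10) pulls a few large files
# overnight over HTTPS/HTTP; subscriber B (198.51.100.20) fans out hundreds of
# small SMTP connections to distinct mail exchangers, i.e. spam-bot behaviour.
FLOWS = [
    Flow(1, "198.51.100.10", "203.0.113.5", 443, 900_000_000),
    Flow(2, "198.51.100.10", "203.0.113.5", 443, 700_000_000),
    Flow(3, "198.51.100.10", "203.0.113.9", 80, 400_000_000),
] + [
    Flow(2, "198.51.100.20", f"192.0.2.{i}", 25, 4_000) for i in range(1, 301)
]


def overnight_volume_spike(flows, start=0, end=5, threshold_bytes=1_000_000_000):
    """Return subscribers whose egress between start..end hours exceeds threshold.

    This is the blunt criterion: it cannot tell a download binge from a bot.
    """
    total = defaultdict(int)
    for f in flows:
        if start <= f.hour < end:
            total[f.src] += f.bytes_out
    return {src for src, b in total.items() if b >= threshold_bytes}


def smtp_fanout(flows, start=0, end=5, min_peers=100):
    """Return subscribers that contacted at least min_peers distinct SMTP
    servers in the window. A residential client normally submits mail to one
    or two smarthosts; direct-to-MX fan-out is characteristic of spam bots."""
    peers = defaultdict(set)
    for f in flows:
        if start <= f.hour < end and f.dport == 25:
            peers[f.src].add(f.dst)
    return {src for src, p in peers.items() if len(p) >= min_peers}


def classify(flows):
    """Combine the heuristics into a per-subscriber verdict.

    Only the protocol-specific signal is treated as grounds for action; a
    volume spike on its own is recorded but not acted upon.
    """
    spike = overnight_volume_spike(flows)
    spam = smtp_fanout(flows)
    verdict = {}
    for src in spike | spam:
        if src in spam:
            verdict[src] = "likely spam bot"
        else:
            verdict[src] = "volume spike only; insufficient to block"
    return verdict


if __name__ == "__main__":
    for src, v in sorted(classify(FLOWS).items()):
        print(src, v)
```

Run as a script it reports subscriber A as a volume spike only and subscriber B as a likely spam bot; note that B's total overnight volume (about 1.2 MB) is far below the spike threshold, so the byte-count heuristic misses the actual bot while catching the innocent download.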

Some info here (from http://networkmanagement.comcast.net/ ):

5. Detection of Bots
   draft-oreirdan-mody-bot-remediation-03
   draft-livingood-web-notification-00