Schneier: ISPs should bear security burden

Oh, please.

If you think that the Internet should remain an "every man
for himself", wild wild west, OK Corral, situation (not my
words, mind you), then you better get with the powers that
will steam-roll all of us if we let it -- money and marketing.

This ain't no science project anymore.

Bruce is right -- right as rain -- I don't give two damns
whether you think it is an issue of marketing, or protective
self-advertising. The issue is that the _consumers_ want it,
that's what they'll pay for, and it is the ISP's prerogative
to either honor that wish, or lose the business.

We owe it to our customers, and we owe it to ourselves, so let's
just stop finding excuses to side-step the issue.

Sound about right?

- ferg

Owen DeLong <owen@delong.com> writes:

So much for any sort of journalistic ethic, fact checking, or, unbiased
reporting.

Sound about right?

No, not at all.

I'm not advocating a wild west every man for himself, but, I think that
solving end-node oriented problems at the transport layer is equally
absurd.

It's like expecting to be able to throw crude oil into a tanker at
one end and demanding that the trucker deliver gasoline at the other.

ISPs transport packets. That's what they do. That's what most consumers
pay them to do. I haven't actually seen a lot of consumers asking for
protected internet. I've seen lots of marketing hype pushing it, but,
very little actual consumer demand. Sure, the hype will probably generate
eventual demand, but, so far, it hasn't really.

Do you really want an internet where everything has to run over ports
80 and 443 because those are all that's left that ISPs don't filter?
That's where a lot of this crap is headed. Heck, Micr0$0ft is ready
for that... They already tunnel almost all of the viruses through
those two ports in order to facilitate them penetrating corporate
firewalls and such.

How much functionality are we going to destroy before we realize that
you can't fix end-node problems in the transit network?

Owen

I'm not advocating a wild west every man for himself, but, I think that
solving end-node oriented problems at the transport layer is equally
absurd.

That's not what was being suggested. The article suggested
that ISPs, the providers of the transport layer service,
should consider branching out and offering other value added
services in addition to the transport layer, because customers
want to buy value-added services and not just the raw,
unfiltered transport layer. It's up to the ISP as to how
they configure and manage those services.

The company that I work for decided to build a separate
global IP network in 20 countries to connect about 150
providers of application and data services to their
customers, currently just under 11,000 of them. This IP
network provides vastly higher levels of security than the
public Internet and that is part of our contracts and SLAs.
There is no technical reason why other ISPs could not offer
similar value-add services other than a failure of the imagination.

And we all know what "failure of the imagination" buys you.
In the telecom industry it led to the rise of the ISP and
the Internet because the incumbents could not imagine what we
have today. In the U.S. political arena it led to 9/11 because
the people charged with protecting the country could not imagine
that a small group of people based in one of the most backward
countries on earth could pose a threat to American soil. The report
of the 9/11 Commission makes interesting reading if one is able
to see the abstract lessons that it draws. Many of those lessons
relate to failure of imagination and failure to move on and
change with the changing times.

ISPs transport packets. That's what they do.

You're wrong there. ISPs provide Internet services. That's
what they have always done. In the early days they ran mail
servers and web servers and news servers and terminal servers
and many other things. We have gone through a period of
specialization where ISPs have been differentiated into
providing a subset of all possible Internet services. Some
do indeed specialise in pure packet transport, but that is
rare and they are usually part of a larger company that
provides other services. In any case, it's time to move on
and change some more, perhaps by adding new value-added
services on that last mile connection.

I haven't actually seen a lot of consumers asking for
protected internet.

That's because you don't work for Yahoo email or for AOL.

Do you really want an internet where everything has to run over ports
80 and 443 because those are all that's left that ISPs don't filter?

No. But I want an Internet in which different ISPs are free to
offer different services rather than have a regulated
environment that says that ISPs MUST offer a specific service
in a specific way. I want choices.

--Michael Dillon

  Thing is, protecting them from themselves and their own stupidity is
also the thing that most everyone else needs, too.

Do you really want an internet where everything has to run over ports
80 and 443 because those are all that's left that ISPs don't filter?

  They should be filtered, too. For standard bottom-feeder accounts,
*everything* should be filtered and transparent proxied. And the accounts
should be priced so that they pay for their own upkeep. What will cost
money is to turn off the filters selectively for certain accounts, and
people who want that should be in a position to pay for it.

I'm sorry, but, I simply do not share your belief that the educated should
be forced to subsidize the ignorant. This belief is at the heart of a
number of today's sociological problems, and, I, for one, would rather not
expand its influence.

How much functionality are we going to destroy before we realize that
you can't fix end-node problems in the transit network?

  How much of the Internet is going to be destroyed before we realize that
the users are too stupid to be trusted to run their end-nodes, and if the
transit network wants to protect itself from the worst offenses it will
need to provide only managed services and not let these people out of the
corral to begin with?

Strangely, for all the FUD in the above paragraph, I'm just not buying it.
The internet, as near as I can tell, is functioning today at least as well
as it ever has in my 20+ years of experience working with it. The vast
majority of the end node problems come from one particular software vendor.
If that vendor could be held accountable for the problems they have created,
things would be much better.

The major advantage of the internet is the ability to deploy new applications
and protocols quickly and easily. Transparent proxies, btw, would not
prevent most of the harmful stuff available via 443, so, I'm not sure
what you think that accomplishes.

Malware will quickly adapt to any such filtration at the transport layer.
As long as you can get some form of undefined content through the internet,
malware will have a way to gain transit. It must be addressed at the end
node.

Owen

No. Not at all.

I agree that if customers are willing to pay for managed security services
that ISPs should provide them. However, an ISP that does not provide them
is not lazy and irresponsible, as characterized in the article.

As for security, intelligent ISPs will be monitoring their network and
will have sensors in place to alert them to abnormal traffic (NetFlow,
Snort, SNMP Traps, Log watchers) patterns and take action, but that does
NOT extend to enforcing a security policy on the public without their
consent.

If the public agrees to it, and requests it, that is one thing.
Universally filtering packets because it makes our lives easier is
another. No one said this business would be easy.

You must not have used it much in those 20 years. I can definitely say
worms, trojans, spam, phishing, ddos, and other attacks are up several
orders of magnitude in those 20 years. Malicious packets now account for
a significant percentage of all IP traffic. Eventually I expect malicious
packets will outnumber legitimate packets, just like malicious email
outnumbers legitimate email today.

As long as the environmental polluter model continues to be championed and
promoted on nanog (of all places), the problem will only get worse.

-Dan

As a data point:

An unused, never before used or even just announced /21 currently draws
an average of 112pps and 70kbit/s, translating to about 1GB (1 Gigabyte!)
of traffic per day, or about 30GB per month. In some countries, that
translates to real money (I'm hearing INTERESTING price tags on
bandwidth in South Africa).

Looking at psmith's weekly routing table report, this would extrapolate
(totally non-scientific and ignoring several effects) to at least about
675GB daily "stray" traffic in the whole Internet, WITHOUT any host
answering to the viruses, trojans, whatever.

I hope to find the time to do some capturing and analysis of this
traffic. If anyone here has experience with that I'd be happy to hear
from them... don't want to waste time doing something others already
did... :-)

Best regards,
Daniel

Fergie (Paul Ferguson) wrote:

We owe it to our customers, and we owe it to ourselves, so let's
just stop finding excuses to side-step the issue.

So are you saying that managed security services are not available for paying consumers in USA?

Pete

I think the debate is if default should be managed or unmanaged.
And some here are concerned that if default becomes managed throughout
the industry, they'd never be able to get unmanaged from anyone.

  We know that almost all users are too stupid to know what they really
need or how to get it, and that they need to be protected from their own
stupidity -- as well as protecting the rest of the world from their
stupidity.

Not only do I not know this, I find it to be patently false. Yes, I think
a high percentage of users is too ignorant to know what they need or how
to get it. However, protecting them from that ignorance only propagates
and perpetuates it. Pain is one of nature's most effective educators.
Allowing people to experience the full (as long as it's non-fatal) effect
of their ignorance often creates a strong desire for education.

This incredible expansion of "We must protect people from themselves"
philosophy is wasteful, expensive, and, worst of all, highly destructive
to society in the long run.

Government or any other regulatory body should protect people from each
other, not from themselves. Similarly, while knowingly producing a dangerous
product should carry some civil and criminal liability, the fact that we
have effectively made companies and professionals liable for any act of
stupidity committed by their consumers unless they specifically disclaimed
or warned (and sometimes even if they did) the consumer is about 2/3rds
of the cost of medicine today. It's about 1/2 of the cost of an airline
ticket. It's about 3/4 of the cost of aircraft parts. The list goes on.

Owen

Strangely, for all the FUD in the above paragraph, I'm just not buying
it. The internet, as near as I can tell, is functioning today at least
as well as it ever has in my 20+ years of experience working with it.

You must not have used it much in those 20 years. I can definitely say
worms, trojans, spam, phishing, ddos, and other attacks are up several
orders of magnitude in those 20 years. Malicious packets now account for
a significant percentage of all IP traffic. Eventually I expect malicious
packets will outnumber legitimate packets, just like malicious email
outnumbers legitimate email today.

All of that is true. However, I don't define functioning internet in
terms of the lack of these things. I define it in terms of when I
try to get a connection from my point A to far-end point B, what
is the loss and/or failure rate of the desired traffic. From that
perspective, in my experience, things are better today than they
ever have been.

As long as the environmental polluter model continues to be championed
and promoted on nanog (of all places), the problem will only get worse.

I'm not attempting to encourage the environmental polluter model. However,
making the guy that owns the pipeline responsible for the chemical
plant 200 miles away that is polluting the product provided to him by
the water production company still doesn't make sense to me. You have
to make the chemical plant responsible, or, the problem just keeps getting
more expensive. My point is we need to look to solve problems, not symptoms
of problems.

Transit solutions to end-node problems are costly and progressively less
effective over time.

Owen

The only thing I've seen in the past 20 years which has made any positive
impact on overall internet reliability is BGP dampening. In all other
cases it's gotten worse as networks are ground to dust by daily DDOS
attacks. You can read daily about sites xyz or networks xyz being
unreachable for hours/days/weeks/months due to DDOS attacks. Compared to
20 years ago I would have to say overall things are worse not better.

-Dan

The only thing I've seen in the past 20 years which has made any positive
impact on overall internet reliability is BGP dampening. In all other
cases it's gotten worse as networks are ground to dust by daily DDOS
attacks. You can read daily about sites xyz or networks xyz being
unreachable for hours/days/weeks/months due to DDOS attacks. Compared to
20 years ago I would have to say overall things are worse not better.

Yes... The news reports more outages today than they reported back then.
Of course, part of that is because 20 years ago, the media couldn't
spell internet, let alone connect to it.

However, the huge expansion in overall bandwidth, the increase in bandwidth
to subscriber ratio, the proliferation of firewall appliances, and, faster
and better switching and routing capabilities, Packet over SONET, MPLS
have all contributed to a more reliable and more flexible internet.

YMMV, but, for me, today, when I try to connect to things on the internet,
I have a much higher success rate than I did 20 years ago. My links aren't
clogged with DDOS or abuse, even though I'm on a completely unfiltered
link. Sure, I see the occasional DDOS, lots of probes, and, many many
attempts to use my systems to relay SPAM. The relay attempts are quietly
discarded, the DDOS stays down in the noise threshold for the most part,
and, the other abuse attempts are logged and fail. However, the things
I try to do with the internet mostly succeed. Judging by the server logs,
people are getting to the web servers I host without difficulty.

20, even 10, heck, even 5 years ago, my success rates were lower than they
are today. They've been roughly the same for the last 5 years, but, that's
pretty good, so, I'm generally happy.

I'm not saying we shouldn't make efforts to eliminate abuse. I'm not
saying abuse isn't a reliability issue or that it doesn't have a cost.
However, eliminating end-node abuse at the transit just adds more cost
and is, in the long run, an ineffective solution at best, usually with
unintended side consequences.

Owen

Daniel Roesen wrote:

I hope to find the time to do some capturing and analysis of this
traffic. If anyone here has experience with that I'd be happy to hear
from them... don't want to waste time doing something others already
did... :-)

Sure, what would you like to know?

Pete

ISPs transport packets. That's what they do. That's what most consumers
pay them to do. I haven't actually seen a lot of consumers asking for
protected internet. I've seen lots of marketing hype pushing it, but,
very little actual consumer demand. Sure, the hype will probably generate
eventual demand, but, so far, it hasn't really.

I'm not sure I agree with this statement. Our customers are retained based on our value added services, including protected internet initiatives, more than for the Internet service we provide. Internet service is becoming commoditized to the end user, with multiple choices at competitive pricing in many markets. Consumers within single provider markets might expect ISPs to only "transport" packets, however in multi vendor markets the ISPs are being chosen for offerings above and beyond network access.

This is becoming especially true for companies like AOL, which are attempting to move their value added services independently of their Internet access in anticipation of dropping profit margins on network access as well as an attempt to break into new single vendor markets. Moving packets is no longer enough for ISPs.

If customer retention is based on value added services then consumers are making market decisions based on more than network transit. I expect NSPs to transport packets. I expect ISPs to provide Internet services, including security services.

I'm sorry, but, I simply do not share your belief that the educated should
be forced to subsidize the ignorant. This belief is at the heart of a
number of today's sociological problems, and, I, for one, would rather not
expand its influence.

It is becoming more expensive for ISPs to cater to the educated than to restrict the ignorant. It appears you would prefer the ignorant bear the burden for the educated. Unfortunately, there are many more ignorant who are willing to purchase restricted internet than educated who require unfettered access, moreover the educated understand the value of unrestricted internet access. As it has a value above and beyond restricted access, in the sense of unrestricted traffic transport, it should be billed at a higher rate accordingly.

ISPs transport packets. That's what they do. That's what most consumers
pay them to do. I haven't actually seen a lot of consumers asking for
protected internet. I've seen lots of marketing hype pushing it, but,
very little actual consumer demand. Sure, the hype will probably generate
eventual demand, but, so far, it hasn't really.

I'm not sure I agree with this statement. Our customers are retained
based on our value added services, including protected internet
initiatives, more than for the Internet service we provide. Internet
service is becoming commoditized to the end user, with multiple choices
at competitive pricing in many markets. Consumers within single provider
markets might expect ISPs to only "transport" packets, however in multi
vendor markets the ISPs are being chosen for offerings above and beyond
network access.

Hey, if you've got customers willing to shell out for that, then more
power to you. However, I'm not (and won't be) one of those customers.
I'm willing to take responsibility for protecting my systems and choosing
what traffic I do and don't want. I don't want someone else doing it
for me.

I certainly don't want someone telling my ISP that they have to take that
choice away from me, and, finally, I _REALLY_ don't want to have to pay
more for internet service because other users are too stupid to properly
configure a firewall.

This is becoming especially true for companies like AOL, which are
attempting to move their value added services independently of their
Internet access in anticipation of dropping profit margins on network
access as well as an attempt to break into new single vendor markets.
Moving packets is no longer enough for ISPs.

Yep... That's fine... I am not opposed to a market for such services, so
long as I can still buy actual internet connectivity and not some censored
watered-down garbage. Further, I still think that such "value added"
services are short-sighted. It creates an arms race between the value
adds and the malware providers, destroying more and more functionality
in the name of better and better protection from worse and worse malware.
Eventually, you end up with things like the TSA and the war on drugs.
Problems don't get solved because you continue to attack the symptoms
instead of the causes.

If customer retention is based on value added services then consumers are
making market decisions based on more than network transit. I expect NSPs
to transport packets. I expect ISPs to provide Internet services,
including security services.

OK... Whatever... I guess I'm an NSP customer, then. I don't draw a
distinction between NSPs and ISPs on the lines you do, and, telling ISPs
that they should all filter their end users' connections still doesn't
sit well with me. ISPs that want to offer that as an optional value added
service for a fee, I have no problem.

Owen

The problem is that the maliciousness of packets or email is largely in the eye of the beholder. How do you propose ISPs determine which packets the receiver wants to receive, and which they don't want to receive? (At Mpps rates, of course.)

This whole discussion is a clear example of the fallacy of treating "security" as an independent entity, rather than an aspect of other things.

There are many ISPs that do less than they should, though. (Allow spoofed sources, don't do anything against hosts that are reported to send clearly abusive traffic, sometimes even at DoS rates...)

The problem is that the maliciousness of packets or email is largely
in the eye of the beholder. How do you propose ISPs determine which
packets the receiver wants to receive, and which they don't want to
receive? (At Mpps rates, of course.)

It's not up to the ISP to determine outbound malicious traffic, but it's up
to the ISP to respond in a timely manner to complaints. Many (most?) do not.

There are many ISPs that do less than they should, though. (Allow
spoofed sources, don't do anything against hosts that are reported to
send clearly abusive traffic, sometimes even at DoS rates...)

This is what I mean by the environmental polluter model. Providers who
continually spew sewage and do nothing to shut off attackers under their
domain despite repeated pleas from victims.

A paper by Jeffrey Race - http://www.camblab.com/nugget/spam_03.pdf
was written about the spam problem, but touches on fraud and other
malicious activity. The general attitude in the paper regarding providers'
responses to spam complaints also applies to ddos and other attacks. It's
also interesting to note where Mr. Ebbers is today.

Has the situation gotten better? Maybe at UUNET it has since Mr. Ebbers'
"departure", but most other places it appears to only have gotten worse[1].

BigPond let things get so out of hand that their own network began to
crumble, which is the only time I can think of in recent history that
they've ever taken action to disconnect zombies. You can be certain the
victims on the receiving end of BigPond's zombied customers have little
sympathy for BigPond's situation. Remember, this is the ISP whose abuse@
box auto-deleted complaints for "unacceptable language". When you're so
bad that AOL has to block you[2], you should probably consider cleaning
up your network.

Sadly these official policies of 'do nothing' come from the top, so
engineers and administrators who are in a position to actually take action
against blatant network abuse, are actually explicitly forbidden to take
any action.

So the real question seems to be how to effectively apply a cluebat to
CEOs to get a reasonable abuse policy enforced. Nanog can host all the
meetings it wants and members can write all the RFCs they want, but until
attitudes change at the top, nobody will be allowed to do anything at the
bottom.

-Dan

[1] The case of the NTL virus email machine
[2] AOL blocking BigPond mail because of spam

Hey, if you've got customers willing to shell out for that, then more
power to you. However, I'm not (and won't be) one of those customers.
I'm willing to take responsibility for protecting my systems and choosing
what traffic I do and don't want. I don't want someone else doing it
for me.

Hmmm... when you're driving on a public street there is certain safety
equipment you are required to have and use. You're paying more for your
vehicle because of seatbelts, airbags and all the other things that are
supposed to lessen the impact of an accident. Even if you're an expert
driver, you don't have the privilege of not paying for these features.

Adi

And how exactly does that translate to the online world?

Despite the safety and environmental regulations and the fact that you have to have a driver's license and insurance (at least here in NL), there is no requirement that your locks are industrial strength. Or that your car can be locked at all, for that matter.

The fact that a compromised computer doesn't really hurt you all that much in the real world is exactly the reason why so many users don't care about security. When driving a car they at least have to be drunk to reach that level of carelessness.