Recommendations for the Remediation of Bots in ISP Networks
draft-oreirdan-mody-bot-remediation-20
Revision differences
Document history
Date | Rev. | By | Action |
---|---|---|---|
2012-01-17
|
20 | (System) | IANA Action state changed to No IC |
2012-01-13
|
20 | Cindy Morgan | State changed to RFC Ed Queue from Approved-announcement sent. |
2012-01-12
|
20 | Cindy Morgan | IESG state changed to Approved-announcement sent |
2012-01-12
|
20 | Cindy Morgan | IESG has approved the document |
2012-01-12
|
20 | Cindy Morgan | Closed "Approve" ballot |
2012-01-12
|
20 | Cindy Morgan | Approval announcement text regenerated |
2012-01-12
|
20 | Cindy Morgan | Ballot writeup text changed |
2012-01-09
|
20 | (System) | New version available: draft-oreirdan-mody-bot-remediation-20.txt |
2012-01-06
|
19 | (System) | New version available: draft-oreirdan-mody-bot-remediation-19.txt |
2011-12-15
|
20 | Cindy Morgan | Removed from agenda for telechat |
2011-12-15
|
20 | Cindy Morgan | State changed to Approved-announcement to be sent::Point Raised - writeup needed from IESG Evaluation - Defer. |
2011-12-15
|
20 | Gonzalo Camarillo | [Ballot Position Update] New position, No Objection, has been recorded |
2011-12-15
|
20 | Dan Romascanu | [Ballot comment] Good document. All my comments are related to Section 5: 1. > It should be possible for the end user to indicate the … [Ballot comment] Good document. All my comments are related to Section 5: 1. > It should be possible for the end user to indicate the preferred means of notification on an opt-in basis for that notification method. It is recommended that the end user should not be allowed to totally opt out of notification entirely. It looks like either 'totally' or 'entirely' is redundant 2. I would expect notifications by management protocols like SNMP and NETCONF be also described in this section 3. The danger of DoS attacks by flasely reporting of bots via notifications shoulsd also be mentioned as a major security concern |
2011-12-15
|
20 | Dan Romascanu | [Ballot Position Update] New position, No Objection, has been recorded |
2011-12-15
|
20 | Jari Arkko | [Ballot comment] Thanks for writing this. |
2011-12-15
|
20 | Jari Arkko | [Ballot Position Update] New position, Yes, has been recorded |
2011-12-14
|
20 | Ron Bonica | [Ballot comment] Minor comments: Section 1.3 - Do we really need to define the word host Section 1.5 - When IPv6 takes off, you will … [Ballot comment] Minor comments: Section 1.3 - Do we really need to define the word host Section 1.5 - When IPv6 takes off, you will see fast-flux using AAAA records |
2011-12-14
|
20 | Ron Bonica | [Ballot Position Update] New position, Yes, has been recorded |
2011-12-13
|
20 | Pete Resnick | [Ballot comment] 1.1 - I have never heard of "benign bots" before. Is this an invention of the authors or is it used in some … [Ballot comment] 1.1 - I have never heard of "benign bots" before. Is this an invention of the authors or is it used in some circles? I would prefer if the document referred to only the malicious applications as "bots" and referred to the benign applications as "background applications" or "daemons" or "background processes". I think it is still important to point out that such applications should not be monitored for or prevented from functioning. 1.2 - "Bot Networks or Botnets" is better defined as "a group of bots that are remotely controlled by a single party". The first sentence of 1.2 is circular. I know what all of those malicious activities are, but it might be useful to define some of them. "Infection vectors" is undefined. So are a bunch of the terms in that paragraph. Much of this section assumes a familiarity by the reader. If the reader was this familiar with the material, this section wouldn't be necessary. Similarly with 1.4. 1.5 - The information in the two paragraphs is reversed, burying the important point: Compromised hosts are used as proxies to web servers in order to hide the IP address of the server itself. This is *accomplished* by DNS Fast Fluxing. 10. - Some of the activities outlined in section 3 should be called out specifically with regard to privacy considerations. A reference to RFC 4948 seems pretty essential. I'm surprised not to see some of the information that appears in that document in this one. |
2011-12-13
|
20 | Pete Resnick | [Ballot Position Update] New position, No Objection, has been recorded |
2011-12-12
|
20 | Adrian Farrel | [Ballot comment] Thanks for a very readable document with a lot of valuable information. I have a few small conversation topics that I would appreciate … [Ballot comment] Thanks for a very readable document with a lot of valuable information. I have a few small conversation topics that I would appreciate you thinking about and addressing if you can see a way forward. --- I am surprised by the statement in the Abtract that a user with an infected computer is exposed to the risk of phishing. Te seond statement that their computer might be used as an inadvertent participant in a phishing network sounds more reasonable. --- I wonder whether Section 5 needs to consider the risks of notifications after false positives, and the problems caused by false notifications as a form of attack. --- Section 7 upset me a little. Recognising the need of ISPs to protect their businesses, I also see the need to continue to provide servie to vulnerable people who cannot be expected to protect their computers. In view of this, you might discuss the service providers' duty to ensure that hosts connected to their network cannot become infected with bots through data transfered across the service providers' networks. Or you might just drop the text about account termination. |
2011-12-12
|
20 | Adrian Farrel | [Ballot Position Update] New position, No Objection, has been recorded |
2011-11-30
|
20 | Ron Bonica | State changed to IESG Evaluation - Defer from IESG Evaluation. |
2011-11-30
|
20 | Sean Turner | [Ballot Position Update] New position, No Objection, has been recorded |
2011-11-30
|
20 | Miguel García | Request for Last Call review by GENART Completed. Reviewer: Miguel Garcia. |
2011-11-29
|
20 | Wesley Eddy | [Ballot comment] This is a good document. I am not at all an expert in this area, but my only comment is that it seems … [Ballot comment] This is a good document. I am not at all an expert in this area, but my only comment is that it seems like there may be some liability to the ISP in attempting to detect bot infections because they may then need to bear the burden to report criminal activity that they witness. I'm sure commercial ISPs have considered this in their policies, but I didn't notice it clearly mentioned in the document. |
2011-11-29
|
20 | Wesley Eddy | [Ballot Position Update] New position, Yes, has been recorded |
2011-11-29
|
20 | Peter Saint-Andre | [Ballot comment] Overall this is a helpful document. I have a few comments and suggestions. In Section 1.2: OLD The detection and destruction … [Ballot comment] Overall this is a helpful document. I have a few comments and suggestions. In Section 1.2: OLD The detection and destruction of bots is an ongoing issue and also a constant battle between the Internet security community, network security engineers and bot developers. NEW The detection and destruction of bots is an ongoing issue and also a constant battle between the Internet security community and network security engineers on the one hand and bot developers on the other. P2P is not a communication protocol, it is an architectural approach. It is a bit odd to speak of the "introduction" of HTTP, given that HTTP was invented over 20 years ago. The document sometimes conflates bots and botnets. For example: As a consequence, botnets that are initially detected and classified by the ISP as one particular type of bot need to be continuously monitored and tracked in order to identify correctly the threat the botnet poses at any particular point in time. Although a botnet consists of bots, not all bots are part of a botnet (and we certainly can't say that a botnet can be classified as a type of bot, as in the quoted paragraph). |
2011-11-29
|
20 | Peter Saint-Andre | [Ballot Position Update] New position, No Objection, has been recorded |
2011-11-29
|
20 | Russ Housley | [Ballot Position Update] New position, No Objection, has been recorded |
2011-11-29
|
20 | Robert Sparks | [Ballot Position Update] New position, No Objection, has been recorded |
2011-11-28
|
20 | Stewart Bryant | [Ballot comment] There is the outstanding issue of verifying that the IPR issues noted by the Shepherd have been fully resolved. I am sure that … [Ballot comment] There is the outstanding issue of verifying that the IPR issues noted by the Shepherd have been fully resolved. I am sure that Stephen will verify the resolution before issuing a publication request, and thus am highlighting this issue as a comment. ===== "An ISP may use Netflow [RFC3954]" I would think that the the standards based solution IPFIX [RFC5101] would be a better reference. ===== |
2011-11-28
|
20 | Stewart Bryant | [Ballot Position Update] New position, No Objection, has been recorded |
2011-11-17
|
20 | Jean Mahoney | Request for Last Call review by GENART is assigned to Miguel Garcia |
2011-11-17
|
20 | Jean Mahoney | Request for Last Call review by GENART is assigned to Miguel Garcia |
2011-11-04
|
20 | Miguel García | Request for Telechat review by GENART Completed. Reviewer: Miguel Garcia. |
2011-11-01
|
20 | Jean Mahoney | Request for Telechat review by GENART is assigned to Miguel Garcia |
2011-11-01
|
20 | Jean Mahoney | Request for Telechat review by GENART is assigned to Miguel Garcia |
2011-10-28
|
20 | Sam Weiler | Request for Last Call review by SECDIR Completed. Reviewer: Paul Hoffman. |
2011-10-26
|
20 | Stephen Farrell | Ballot writeup text changed |
2011-10-26
|
18 | (System) | New version available: draft-oreirdan-mody-bot-remediation-18.txt |
2011-10-26
|
20 | Stephen Farrell | Placed on agenda for telechat - 2011-12-01 |
2011-10-26
|
20 | Stephen Farrell | State changed to IESG Evaluation from Waiting for AD Go-Ahead::AD Followup. |
2011-10-26
|
20 | Stephen Farrell | [Ballot Position Update] New position, Yes, has been recorded for Stephen Farrell |
2011-10-26
|
20 | Stephen Farrell | Ballot has been issued |
2011-10-26
|
20 | Stephen Farrell | Created "Approve" ballot |
2011-10-26
|
20 | Stephen Farrell | Ballot writeup text changed |
2011-10-26
|
20 | Stephen Farrell | Ballot writeup text changed |
2011-10-26
|
20 | (System) | Sub state has been changed to AD Follow up from New Id Needed |
2011-10-26
|
17 | (System) | New version available: draft-oreirdan-mody-bot-remediation-17.txt |
2011-10-24
|
20 | Stephen Farrell | State changed to Waiting for AD Go-Ahead::Revised ID Needed from Waiting for AD Go-Ahead::AD Followup. |
2011-10-23
|
20 | Stephen Farrell | State changed to Waiting for AD Go-Ahead::AD Followup from Waiting for AD Go-Ahead. |
2011-10-21
|
20 | (System) | State changed to Waiting for AD Go-Ahead from In Last Call. |
2011-10-10
|
20 | Sam Weiler | Request for Last Call review by SECDIR is assigned to Paul Hoffman |
2011-10-10
|
20 | Sam Weiler | Request for Last Call review by SECDIR is assigned to Paul Hoffman |
2011-09-28
|
20 | Amanda Baber | We understand that this document doesn't require any IANA actions. |
2011-09-23
|
20 | Amy Vezza | Last call sent |
2011-09-23
|
20 | Amy Vezza | State changed to In Last Call from Last Call Requested. The following Last Call Announcement was sent out: From: The IESG To: IETF-Announce Reply-To: ietf@ietf.org … State changed to In Last Call from Last Call Requested. The following Last Call Announcement was sent out: From: The IESG To: IETF-Announce Reply-To: ietf@ietf.org Subject: Last Call: (Recommendations for the Remediation of Bots in ISP Networks) to Informational RFC The IESG has received a request from an individual submitter to consider the following document: - 'Recommendations for the Remediation of Bots in ISP Networks' as an Informational RFC The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the ietf@ietf.org mailing lists by 2011-10-21. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract This document contains recommendations on how Internet Service Providers can manage the effects of computers used by their subscribers, which have been infected with malicious bots, via various remediation techniques. Internet users with infected computers are exposed to risks such as loss of personal data, as well as increased susceptibility to online fraud and/or phishing. Such computers can also become an inadvertent participant in or component of an online crime network, spam network, and/or phishing network, as well as be used as a part of a distributed denial of service attack. Mitigating the effects of and remediating the installations of malicious bots will make it more difficult for botnets to operate and could reduce the level of online crime on the Internet in general and/or on a particular Internet Service Provider's network. The file can be obtained via http://datatracker.ietf.org/doc/draft-oreirdan-mody-bot-remediation/ IESG discussion can be tracked via http://datatracker.ietf.org/doc/draft-oreirdan-mody-bot-remediation/ No IPR declarations have been submitted directly on this I-D. |
2011-09-23
|
20 | Stephen Farrell | Elwyn Davies' PROTO write up for this below. Document Shepherd write up for draft-oreirdan-mody-bot-remediation-16 (1.a) Who is the Document … Elwyn Davies' PROTO write up for this below. Document Shepherd write up for draft-oreirdan-mody-bot-remediation-16 (1.a) Who is the Document Shepherd for this document? Has the Document Shepherd personally reviewed this version of the document and, in particular, does he or she believe this version is ready for forwarding to the IESG for publication? Elwyn Davies I have personally reviewed the document and believe that it is ready for forwarding to the IESG. (1.b) Has the document had adequate review both from key members of the interested community and others? Does the Document Shepherd have any concerns about the depth or breadth of t= he reviews that have been performed? Although this is an individual submission, the document has been reviewed in The Messaging Anti-Abuse Working Group (MAAWG) (http://www.maawg.org). The draft represents an update of a document published by the MWAAG in 2009 (Common Best Practices for Mitigating Large Scale Bot Infections in Residential Networks - http://www.maawg.org/sites/maawg/files/news/MAAWG_Bot_Mitig ation_BP_2009-07.pdf). The draft also lists 25 individuals who have contributed to or reviewed the document some of whom are well known in the IETF. There is also significant membership overlap between the MWAAG and the IETF. The document has been discussed on= the OPSEC mailing list. Some review has also been received on the SAAG mailing list. Thus I believe that the document has been adequately reviewed. (1.c) Does the Document Shepherd have concerns that the document needs mo= re review from a particular or broader perspective, e.g., security, operational complexity, someone famili= ar with AAA, internationalization or XML? No. (1.d) Does the Document Shepherd have any specific concerns or issues with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the interested community has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here. Technically I am happy with the document. The only concern that I had regards IPR. The main body of the document is an update of a document published by the MWAAG and as such shares much of its text with the MWAAG document mentioned at 1.b. The documents have common authors. The MWAAG claims copyright on their document. Thus the copyright position of the Internet Draft needs to be clarified. I understand that the authors of the MWAAG document have indicated that they are happy for the text to be published as an RFC. In all probability a fomal statement will be needed from the MWAAG. Arguably the document could be put forwards in the BCP cate= gory as opposed to Informational. (1.e) How solid is the consensus of the interested community behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the interested community as a whole understand and agree with it? Judging from the membership roster of the MWAAG, the concensus appears to be solid. (1.f) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarize the areas of conflict in separate email messages to the Responsible Area Director. No. (1.g) Has the Document Shepherd personally verified that the document satisfies all ID nits? (See http://www.ietf.org/ ID-Checklist.html and http://tools.ietf.org/tools/idnits/). Boilerplate checks are not enough; this check needs to be thorough. Has the document met all formal review criteria it needs to, such as the MIB Doctor, media type and URI type reviews? ID Nits - OK (Need to check IPR issue) No other sorts of review are relevant. (1.h) Has the document split its references into normative and informative? Are there normative references to documents that are not ready for advancement or are otherwise in an= unclear state? If such normative references exist, what is the strategy for their completion? Are there normative references that are downward references, as described in [RFC3967] (Bush, R. and T. Narten, "Clarifying when Standards Track Documents may Refer Normatively to Documents at a Lower Level," December 2004.)? If so, list these downward references to support the Area Director in the Last Call procedure for them [RFC3967] (Bush, R. and T. Narten, "Clarifying when Standards Track Documents may Refer Normatively to Documents at a L= ower Level," December 2004.). The document is informational. All references are correctl= y classed as informative. (1.i) Has the Document Shepherd verified that the document IANA consideration section exists and is consistent with the body of the document? If the document specifies protocol extens= ions, are reservations requested in appropriate IANA registries? Are the IANA registries clearly identified? If the document creates a new registry, does it define the proposed initial contents of the registry and an allocation procedure for future registrations? Does it suggest a reasonable name for the new registry? See [RFC5226]. If the document describes an Expert Review process has Shepherd conferred with the Responsible Area Director so that the IESG can appoint the needed Expert during the IESG Evaluation? Yes (No IANA actions required). (1.j) Has the Document Shepherd verified that sections of the document that are written in a formal language, such as XML code, BNF rules, MIB definitions, etc., validate correctly in an automated checker? Yes - No such sections present. (1.k) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Writeup? Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections: Technical Summary This document contains recommendations on how Internet Service Providers can manage the effects of computers used by their subscribers, which have been infected with malicious bots, via various remediation techniques. Internet users with infected computers are exposed to risks such as loss of personal data, as well as increased susceptibility to online fraud and/or phishing. Such computers can also become an inadvertent participant in or component of an online crime network, spam network, and/or phishing network, as well as be used as a part of a distributed denial of service attack. Mitigating the effects of and remediating the installations of malicious bots will make it more difficult for botnets to operate and could reduce the level of online crime on the Internet in general and/or on a particular Internet Service Provider's network. Working Group Summary N/A - This document is an Individual Submission sponsored by an= Area Director. Document Quality The document reflects accepted best practice promulgated by The Messaging Anti-Abuse Working Group (MAAWG) (http://www.maawg.org) outside the IETF. The document has been reviewed on the IETF OPSEC mailing list notably by Joel Jaeggli and Danny McPherson among others. Personnel Document Shepherd: Elwyn Davies Responsible/Sponsoring Area Director: Stephen Farrell |
2011-09-23
|
20 | Stephen Farrell | Last Call was requested |
2011-09-23
|
20 | (System) | Ballot writeup text was added |
2011-09-23
|
20 | (System) | Last call text was added |
2011-09-23
|
20 | (System) | Ballot approval text was added |
2011-09-23
|
20 | Stephen Farrell | State changed to Last Call Requested from AD is watching. |
2011-09-23
|
20 | Stephen Farrell | Last Call text changed |
2011-09-21
|
16 | (System) | New version available: draft-oreirdan-mody-bot-remediation-16.txt |
2011-09-20
|
15 | (System) | New version available: draft-oreirdan-mody-bot-remediation-15.txt |
2011-09-01
|
14 | (System) | New version available: draft-oreirdan-mody-bot-remediation-14.txt |
2011-08-22
|
20 | Stephen Farrell | State Change Notice email list has been changed to elwynd@folly.org.uk, jason_livingood@cable.comcast.com, nirmal_mody@cable.comcast.com, michael_oreirdan@cable.comcast.com, draft-oreirdan-mody-bot-remediation@tools.ietf.org from jason_livingood@cable.comcast.com, nirmal_mody@cable.comcast.com, michael_oreirdan@cable.comcast.com, … State Change Notice email list has been changed to elwynd@folly.org.uk, jason_livingood@cable.comcast.com, nirmal_mody@cable.comcast.com, michael_oreirdan@cable.comcast.com, draft-oreirdan-mody-bot-remediation@tools.ietf.org from jason_livingood@cable.comcast.com, nirmal_mody@cable.comcast.com, michael_oreirdan@cable.comcast.com, draft-oreirdan-mody-bot-remediation@tools.ietf.org |
2011-08-22
|
20 | Stephen Farrell | Draft added in state AD is watching |
2011-07-07
|
13 | (System) | New version available: draft-oreirdan-mody-bot-remediation-13.txt |
2011-06-10
|
12 | (System) | New version available: draft-oreirdan-mody-bot-remediation-12.txt |
2011-06-03
|
11 | (System) | New version available: draft-oreirdan-mody-bot-remediation-11.txt |
2010-12-02
|
10 | (System) | New version available: draft-oreirdan-mody-bot-remediation-10.txt |
2010-06-06
|
09 | (System) | New version available: draft-oreirdan-mody-bot-remediation-09.txt |
2010-04-21
|
08 | (System) | New version available: draft-oreirdan-mody-bot-remediation-08.txt |
2010-02-12
|
07 | (System) | New version available: draft-oreirdan-mody-bot-remediation-07.txt |
2010-02-10
|
06 | (System) | New version available: draft-oreirdan-mody-bot-remediation-06.txt |
2010-02-10
|
05 | (System) | New version available: draft-oreirdan-mody-bot-remediation-05.txt |
2010-02-08
|
04 | (System) | New version available: draft-oreirdan-mody-bot-remediation-04.txt |
2009-09-15
|
03 | (System) | New version available: draft-oreirdan-mody-bot-remediation-03.txt |
2009-09-11
|
02 | (System) | New version available: draft-oreirdan-mody-bot-remediation-02.txt |
2009-08-26
|
01 | (System) | New version available: draft-oreirdan-mody-bot-remediation-01.txt |
2009-07-06
|
00 | (System) | New version available: draft-oreirdan-mody-bot-remediation-00.txt |