nanog mailing list archives

Re: Operation Ghost Click


From: "Livingood, Jason" <Jason_Livingood () cable comcast com>
Date: Tue, 1 May 2012 19:41:35 +0000

On 5/1/12 3:19 PM, "Valdis.Kletnieks () vt edu" <Valdis.Kletnieks () vt edu> wrote:

On Tue, 01 May 2012 10:40:57 -0400, Rich Kulawiec said:

Why haven't you cut these obviously-infected systems off entirely?

There's quite likely multiple systems behind a NAT-ish router, and Comcast doesn't have any real option but to nuke 
*all* the systems behind the router.
This can be a tad troublesome if there's one infected box behind the router, but the customer is also using VoIP of 
some sort from another box - you may just have nuked their 911 capability. Or if they have multiple systems, you may 
have killed their ability to transact basic business like contact their local government or pay their utility bills 
from a box that's not infected.

All of this above! Plus, the remediation tools to clean up an infection are insufficient to the task right now. Better 
tools are needed. (See also http://tools.ietf.org/html/rfc6561#section-5.4)


Jason

