[Dshield] What is "average" reply/fightback ratio?
David Kennedy CISSP
david.kennedy at acm.org
Wed Jun 18 06:03:19 GMT 2003
This isn't the first thread lately that seems to be implying a complaint
about the relative efficiency of DShield fightback. I empathize with
Johannes and the rest of the DShield/Incidents staff, these threads must be
Although I have fightback enabled, I really don't care if one of my reports
is used. Ever.
First and foremost, DShield is free to me but not without costs to operate.
Something about looking a gift horse in the mouth comes to mind.
Second, ISP's aren't in business to respond to anybody's complaints other
than their own customers. ISP's pass traffic. When I look at the stock
prices for those ISPs and NSPs that are publicly traded, they aren't
exactly leading the market out of recovery. I have no reasonable
expectation that Wanadoo.fr is going to give the south end of a northbound
rat about FTP probes on my network over here in the US. I have no
reasonable expectation that they're going to care about 10,000 FTP probes
with targets all over the world if none of them hit other Wanadoo
customers. They care if something malicious is consuming bandwidth, like
slammer. They aren't going to spend four million francs on bigger Cisco
routers just so they can drop in ACLs to block port 445 forever. They'll
spend four million francs to buy routers to support twelve million francs
in revenue and dropping in an ACL for some security nut in the US just
isn't going to generate revenue. They don't make money hiring and paying
staff to field Zone Alarm reports. They may spend some good-will money on
staff to do this, but it's good-will not revenue that's the motivation and
you have to wonder if their shareholders are willing to sacrifice their PE
for good will. I can't over-emphasize, ISPs make money by passing packets
for the most number of customers paying for the biggest pipes.
Third, if the DShield crew decides to launch a fightback over 10,000 FTP
probes from Wanadoo, and my reports contributed to that 10K, I don't care
if my report is among those sent to Wanadoo. They launched a fightback
against an egregious offender, great, they didn't use my report, well
boo-hoo for me. DShield is showing ~26M reports today, I have no
reasonable expectation that even a few hundred FTP pokes in my direction is
sufficiently significant for me to *expect* a fightback from my reports.
Since the days of Ramen and Adore DShield has been proving it's most
important value, aggregating reports to enable early warning of really big
problems. Some warez puppy probing for stupid FTP hosts from Wanadoo isn't
a problem. A new unix worm exploiting wu-ftpd is a problem.
I have plenty to do keeping the little corners of the Internet I worry
about healthy. I don't contribute to DShield out of some desire to purge
all the bad packets from the Internet. Internet big. Badness everywhere.
I protect myself and my customers. Expecting DShield generally and my
reports specifically to help clean up the Internet is not reasonable.
I enjoyed one of the fightback responses currently on the DShield home page
more than any other I can recall:
Date: Sat, 7 Jun 2003 14:16:03 +0200
> This is an abuse notice meaning that one of your machines might
> be infected with a virus and is trying to infect other machines.
> See http://www.dshield.org/ for more information
We don't care, the major issue is that we don't want to receive this kind
of mail, because we're a large ISP and we have no control about our
multiple clients and their Windows systems.
Your mail was annoying, so we simply filtered it out. We know that many of
them are infected even if we don't receive your mail.
Jacques Doe isn't going to pay Wanadoo more for them telling him his W2K
box has Nimda.
Freely substitute any ISP/NSP for Wanadoo, I just picked on them randomly,
I'm sure they're just a lovely ISP.
David Kennedy CISSP \ / ASCII Ribbon Campaign
Protect what you connect; X Against HTML Mail
Look both ways before crossing the Net. / \
More information about the list