[Dshield] What is "average" reply/fightback ratio?

Deb Hale haled at pionet.net
Wed Jun 18 13:31:27 GMT 2003

David - I didn't get the feeling that anyone was complaining.  I felt that
it was simply a curious inquiry.  When I replied to the original email
message it was simply to state that I have not seen any responses to any of
the fightbacks that have been sent using my data.  

I agree with some of what you state here.  I agree that the ISPs are not in
the business to REPLY to anyone's complaints, however, I do HOPE that they
at least look at the information that is being sent to them and act where
appropriate.  Unfortunately, I think more of them have your attitude about
their responsibility. They feel that it is not THEIR problem that some
"stupid" home computer user has a virus/spyware/trojan, etc. that is causing
their computer to spit out garbage that does clog up their pipe.  As long as
it doesn't significantly impact their bandwidth WHO CARES, right? The
problem is that all of these little fellers may be setting up to someday
start a DDoS attack.  When that happens - their customers may be down for
hours and sometimes days. What will this do to their bottom line?  When this
happens - they lose revenue - sleep - and sanity!  Wouldn't it be a lot
better for them if they stopped it before it gets that far?

Frankly, I don't care if they REPLY to the fightback as long as they
RESPOND.  In other words, as long as they do something to fix the problem.

I am a huge fan of Dshield - I think Johannes and the rest of the staff at
ISC, Dshield and SANS do an outstanding job.  I have no criticism of them
whatsoever. If you look at my website you will see that I support the
efforts of these folks.  I have the warning banner on my web - I have links
to the maps, handler's incident, and both isc and dshield.  I am trying to
educate the ISPs in this community as well as the small business and home
computer users.  We can NOT expect anyone to fix something that they are not
aware is "broke". You missed this very important point. 

Dshield does help with early warnings. BUT what good is that going to do if
all of the ISPs ignore the warnings?

This is my 2 cents.  I just wanted to show you perhaps a different point of


Deborah F Hale
Certified Business Continuity Professional/Computer Security Specialist
BCP Enterprise, Inc
Telephone: (712) 252-0361

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of David Kennedy CISSP
Sent: Wednesday, June 18, 2003 1:03 AM
To: General DShield Discussion List
Subject: RE: [Dshield] What is "average" reply/fightback ratio?

This isn't the first thread lately that seems to be implying a complaint
about the relative efficiency of DShield fightback.  I empathize with
Johannes and the rest of the DShield/Incidents staff, these threads must be

Although I have fightback enabled, I really don't care if one of my reports
is used.  Ever.

First and foremost, DShield is free to me but not without costs to operate.
Something about looking a gift horse in the mouth comes to mind.  

Second, ISPs aren't in business to respond to anybody's complaints other
than their own customers.  ISPs pass traffic.  When I look at the stock
prices for those ISPs and NSPs that are publicly traded, they aren't exactly
leading the market out of recovery.  I have no reasonable expectation that
Wanadoo.fr is going to give the south end of a northbound rat about FTP
probes on my network over here in the US.  I have no reasonable expectation
that they're going to care about 10,000 FTP probes with targets all over the
world if none of them hit other Wanadoo customers.  They care if something
malicious is consuming bandwidth, like slammer.  They aren't going to spend
four million francs on bigger Cisco routers just so they can drop in ACLs to
block port 445 forever.  They'll spend four million francs to buy routers to
support twelve million francs in revenue and dropping in an ACL for some
security nut in the US just isn't going to generate revenue.  They don't
make money hiring and paying staff to field Zone Alarm reports.  They may
spend some good-will money on staff to do this, but it's good-will not
revenue that's the motivation and you have to wonder if their shareholders
are willing to sacrifice their PE for good will.  I can't over-emphasize,
ISPs make money by passing packets for the most number of customers paying
for the biggest pipes.  

Third, if the DShield crew decides to launch a fightback over 10,000 FTP
probes from Wanadoo, and my reports contributed to that 10K, I don't care if
my report is among those sent to Wanadoo.  They launched a fightback against
an egregious offender, great, they didn't use my report, well boo-hoo for
me.  DShield is showing ~26M reports today, I have no reasonable expectation
that even a few hundred FTP pokes in my direction is sufficiently
significant for me to *expect* a fightback from my reports.  

Since the days of Ramen and Adore DShield has been proving its most
important value, aggregating reports to enable early warning of really big
problems.  Some warez puppy probing for stupid FTP hosts from Wanadoo isn't
a problem.  A new unix worm exploiting wu-ftpd is a problem.

I have plenty to do keeping the little corners of the Internet I worry about
healthy.  I don't contribute to DShield out of some desire to purge all the
bad packets from the Internet.  Internet big.  Badness everywhere. I protect
myself and my customers.  Expecting DShield generally and my reports
specifically to help clean up the Internet is not reasonable.

I enjoyed one of the fightback responses currently on the DShield home page
more than any other I can recall:

Date: Sat, 7 Jun 2003 14:16:03 +0200 

> This is an abuse notice meaning that one of your machines might
> be infected with a virus and is trying to infect other machines.
> See http://www.dshield.org/ for more information

We don't care, the major issue is that we don't want to receive this kind of
mail, because we're a large ISP and we have no control about our multiple
clients and their Windows systems. 

Your mail was annoying, so we simply filtered it out. We know that many of
them are infected even if we don't receive your mail. 


Jacques Doe isn't going to pay Wanadoo more for them telling him his W2K box
has Nimda.  

Freely substitute any ISP/NSP for Wanadoo, I just picked on them randomly,
I'm sure they're just a lovely ISP.  

David Kennedy CISSP                       \ / ASCII Ribbon Campaign
Protect what you connect;                  X  Against HTML Mail
Look both ways before crossing the Net.   / \
