[Dshield] paper about port blocking

Johannes Ullrich jullrich at euclidian.com
Wed Sep 3 22:48:06 GMT 2003

On Wed, 2003-09-03 at 17:33, Jonathan Rickman wrote:
> Broadband ISPs should ship devices that support at least some 
> form of static packet filtering, and have it locked down by default. 

Many DSL / Cable modems do support some form of port filtering. However,
maintaining these devices can be a pain. In particular as you may end up
with different versions or brands over time. However, from a security
aspect that would be great.

> but ISPs could absorb 
> the costs over time due to the reduced time spent playing whack-a-mole with 
> infections. 

The cost issue is something I am still looking for hard numbers on.
Responding here partially to a different reply: I agree that the
"official" estimates are not all that reliable and may be inflated.
However, it does cost money to respond to help desk calls.

I figure that most large ISPs have at this point about 2% of infected
users. Given that there are about 25 Million broadband users in the US
alone, this makes for about 500,000 infected systems. If each one of
them causes a single support call ( about $10 per call), this makes
up $5,000,000 in damage, or about $2 per user to spend on "protection".
$2 doesn't buy a firewall. But it does buy time to maintain some rules
on existing firewalls.

Johannes Ullrich                     jullrich at euclidian.com
pgp key: http://johannes.homepc.org/PGPKEYS
   "We regret to inform you that we do not enable any of the 
    security functions within the routers that we install."
         support at covad.net
