[Dshield] ISPs - How much monitoring is enough?

Johannes B. Ullrich jullrich at sans.org
Fri Jan 16 13:27:23 GMT 2004

I think regular port scans are ok. However, the ISP should
state that they do so in their AUP. As far as the US is
concerned, there shouldn't be a legal problem if the user
signed off on such an AUP.

In the past, I had ISPs that scanned user systems for well-known
trojan ports. I do see this as a nice service to
proactively identify infected systems. I don't think the
scan rates mentioned in this thread earlier are an issue.
(1 scan of a handful of ports / day).

After all, if you have SubSeven running on your system, wouldn't
you appreciate a call from your ISP asking you to check?

Of course, ISPs use port scans like this not just to find 
SubSeven, but they use it to find web/ftp servers as well, if
your AUP states that you are not supposed to run any servers
(many 'residential' AUPs state this). Again: It's part of the AUP
you signed, so there shouldn't be a problem with the ISP
enforcing it. Users that run servers will cost them more money,
so they will charge you more.

In many areas you have some choice in ISPs, so you should be able
to pick one with an AUP you like, in particular if you are
willing to pay for a certain amount of freedom. If you want
to send spam, and get each week a new /16 to avoid blacklisting,
there are ISPs just for that purpose. It's just a matter of how
much you are willing to pay.

CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 837 2807                          jullrich at sans.org 

contact details: http://johannes.homepc.org/contact.htm