[Dshield] ISPs - How much monitoring is enough?
brad.madison at mail.tds.net
Fri Jan 16 13:43:22 GMT 2004
At 08:27 AM 1/16/2004 -0500, you wrote:
>In the past, I had ISPs that scanned user systems for well
>known trojan ports. I do see this as a nice service to
>proactively identify infected systems. I don't think the
>scan rates mentioned in this thread earlier are an issue.
>(1 scan of a handful of ports / day).
I'm no opponent of port scans made by ISPs - but why don't they go beyond
that and make a more concerted attack on the real problem? If anyone in a
network segment is receiving traffic on an illicit port the ISP is in a
position to determine that, by monitoring the traffic to that
segment. More than that, if the port in question is a standard port (SMTP,
proxy) then the ISP is in a position to see if _others_, outside the ISP's
space, are scanning those ports - by monitoring the traffic. I recognize
that a large ISP will have a huge traffic flow and that monitoring that
huge flow could prove difficult or expensive. Ultimately the flow fans out
to smaller flows, and monitoring could be done there. It doesn't have to
be 24/7 monitoring - sampling would find some of the abuse. Finding _some_
is enough to get adequate evidence to report to the ISP responsible for the
IP that's the origin of the illicit scan.
DShield participants regularly see such traffic. Isn't it evidence that is
adequate for the ISP at the source end to act, even if the act is no more
than to watch the traffic from the identified source IP? How many
legitimate reasons are there for someone on ISP A to be scanning ports in
ISP B's space? It would seem to me better to have TOS that prohibit such
activity and for the ISP to promptly terminate the account of anyone who
violates that part of the TOS.
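One way to put the "sample the traffic to a segment, look for outside sources sweeping an illicit port" idea into practice, as an added example that is not from the original post or from DShield: it runs a scan-detection pass over NetFlow-style records and shows that even 1-in-N sampling still surfaces the sweep. The local address range, the watched-port list, the flow records and the threshold are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed assumptions: ISP B's space and the ports the ISP cares about.
LOCAL_SPACE = ip_network("198.51.100.0/24")
WATCHED_PORTS = {25: "SMTP", 1080: "SOCKS proxy", 3128: "HTTP proxy", 8080: "HTTP proxy"}

# Constructed flow records (src_ip, dst_ip, dst_port), as a collector would export them.
SAMPLE_FLOWS = (
    [("203.0.113.7", f"198.51.100.{h}", 25) for h in range(1, 41)]      # outside host sweeping SMTP
    + [("203.0.113.9", "198.51.100.5", 25)] * 3                          # ordinary mail delivery to one host
    + [("203.0.113.7", f"198.51.100.{h}", 80) for h in range(1, 10)]     # port 80 is not on the watch list
    + [("198.51.100.10", f"198.51.100.{h}", 3128) for h in range(1, 20)]  # internal source, outside this check
)


def sample(flows, every_n):
    """Cheap sampling of a large flow: keep one record in every_n."""
    return flows[::every_n]


def find_scanners(flows, local_space=LOCAL_SPACE, watched_ports=WATCHED_PORTS, threshold=5):
    """Return {src_ip: {port: distinct_local_targets}} for sources outside local_space
    that touched at least `threshold` distinct local hosts on a watched port."""
    targets = defaultdict(set)  # (src, port) -> distinct local destination hosts
    for src, dst, port in flows:
        if port not in watched_ports:
            continue
        if ip_address(dst) not in local_space or ip_address(src) in local_space:
            continue
        targets[(src, port)].add(dst)
    report = defaultdict(dict)
    for (src, port), hosts in targets.items():
        if len(hosts) >= threshold:
            report[src][port] = len(hosts)
    return dict(report)


if __name__ == "__main__":
    for label, flows in (("full", SAMPLE_FLOWS), ("1-in-4 sample", sample(SAMPLE_FLOWS, 4))):
        for src, ports in find_scanners(flows).items():
            for port, count in ports.items():
                print(f"[{label}] {src} swept {count} local hosts on {port}/{WATCHED_PORTS[port]}")
```

The report for each flagged source is the evidence to hand to the ISP that owns the source address; the legitimate mail sender and the unwatched web traffic never appear in it.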