[Dshield] ISPs - How much monitoring is enough?

Pete Cap peteoutside at yahoo.com
Fri Jan 16 23:04:29 GMT 2004

You're arguing for the ISP to have traffic analysts onhand as part of their security detail?
Fair enough, but as I have observed before... 99% of IT people are not security people.  Good luck trying to convince them.

Brad Spencer <brad.madison at mail.tds.net> wrote:
At 08:27 AM 1/16/2004 -0500, you wrote:

>In the past, I had ISPs that scanned user systems for well
>known trojan ports. I do see this as a nice service to
>proactively identify infected systems. I don't think the
>scan rates mentioned in this thread earlier are an issue.
>(1 scan of a handful of ports / day).

I'm no opponent of port scans made by ISPs - but why don't they go beyond 
that and make a more concerted attack on the real problem? If anyone in a 
network segment is receiving traffic on an illicit port the ISP is in a 
position to determine that, by monitoring the traffic to that 
segment. More than that, if the port in question is a standard port (SMTP, 
proxy) then the ISP is in a position to see if _others_, outside the ISP's 
space, are scanning those ports - by monitoring the traffic. I recognize 
that a large ISP will have a huge traffic flow and that monitoring that 
huge flow could prove difficult or expensive. Ultimately the flow fans out 
to smaller flows, and monitoring could be done there. It doesn't have to 
be 24/7 monitoring - sampling would find some of the abuse. Finding _some_ 
is enough to get adequate evidence to report to the ISP responsible for the 
IP that's the origin of the illicit scan.

DShield participants regularly see such traffic. Isn't it evidence that is 
adequate for the ISP at the source end to act, even if the act is no more 
than to watch the traffic from the identified source IP? How many 
legitimate reasons are there for someone on ISP A to be scanning ports in 
ISP B's space? It would seem to me better to have TOS that prohibit such 
activity and for the ISP to promptly terminate the account of anyone who 
violates that part of the TOS.
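The sampled-monitoring idea Brad describes (watch a segment's flows on a few well-known ports, pick out outside sources that touch many hosts, and turn that into evidence for the source ISP) as an added example, not part of the thread; the watched ports, the address space 203.0.113.0/24 standing in for "ISP B", the flow records and the threshold are all constructed for the illustration:

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Ports the message singles out (SMTP, open proxies); the exact set is an assumption.
WATCHED_PORTS = {25: "smtp", 1080: "socks", 3128: "proxy", 8080: "proxy"}
# Constructed address space standing in for "ISP B" (the monitored segment).
LOCAL_SPACE = ip_network("203.0.113.0/24")

# Constructed 1-in-N sampled flow records: (src_ip, dst_ip, dst_port, sample_rate).
SAMPLED_FLOWS = [
    ("198.51.100.7", "203.0.113.10", 25, 100),
    ("198.51.100.7", "203.0.113.11", 25, 100),
    ("198.51.100.7", "203.0.113.12", 25, 100),
    ("198.51.100.7", "203.0.113.13", 25, 100),
    ("198.51.100.7", "203.0.113.40", 80, 100),     # not a watched port
    ("198.51.100.9", "203.0.113.20", 25, 100),     # one mail server: normal delivery
    ("198.51.100.12", "203.0.113.50", 3128, 100),
    ("198.51.100.12", "203.0.113.51", 3128, 100),  # two hosts: below threshold
    ("203.0.113.5", "203.0.113.30", 8080, 100),    # local source: out of scope here
    ("203.0.113.5", "203.0.113.31", 8080, 100),
    ("203.0.113.5", "203.0.113.32", 8080, 100),
]

def detect_scanners(flows, space=LOCAL_SPACE, min_distinct_dsts=3):
    """Outside sources that touched >= min_distinct_dsts local hosts on a watched port,
    as {src: {port: sorted hosts}}. Under sampling a few distinct hosts is already telling."""
    touched = defaultdict(lambda: defaultdict(set))
    for src, dst, port, _rate in flows:
        if port not in WATCHED_PORTS or ip_address(dst) not in space:
            continue
        if ip_address(src) in space:      # local-to-local traffic is a different problem
            continue
        touched[src][port].add(dst)
    findings = {}
    for src, by_port in touched.items():
        hits = {p: sorted(d) for p, d in by_port.items() if len(d) >= min_distinct_dsts}
        if hits:
            findings[src] = hits
    return findings

def abuse_report(flows, space=LOCAL_SPACE, min_distinct_dsts=3):
    """One line per offending (src, port), with the unsampled flow count estimated from the
    sample rate, ready to send to the ISP responsible for the source address."""
    lines = []
    for src, hits in sorted(detect_scanners(flows, space, min_distinct_dsts).items()):
        for port, dsts in sorted(hits.items()):
            recs = [r for s, d, p, r in flows if s == src and p == port and d in dsts]
            lines.append(f"{src} probed {len(dsts)} hosts in {space} on tcp/{port} "
                         f"({WATCHED_PORTS[port]}); {len(recs)} sampled flows, ~{sum(recs)} estimated")
    return lines
```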
