[Dshield] ISPs - How much monitoring is enough?

jayjwa jayjwa at atr2.ath.cx
Sat Jan 17 15:02:51 GMT 2004

On Fri, 16 Jan 2004, Brad Spencer wrote:

> >In the past, I had ISPs that scanned user systems for well
> >known trojan ports. I do see this as a nice service to
> >proactively identify infected systems. I don't think the
> >scan rates mentioned in this thread earlier are an issue.
> >(1 scan of a handful of ports / day).

> I'm no opponent of port scans made by ISPs - but why don't they go beyond
> that and make a more concerted attack on the real problem?  If anyone in a
> network segment is receiving traffic on an illicit port the ISP is in a
> position to determine that, by monitoring the traffic to that
> segment.  More than that, if the port in question is a standard port (SMTP,
> proxy) then the ISP is in a position to see if _others_, outside the ISP's
> space, are scanning those ports - by monitoring the traffic.

This could get out of hand real quick. You want your ISP watching your
traffic? Everything you send in email, ftp, http- all clear text. Security
on my system is my business, and I'd never sign-on with an ISP that
included scanning their clients periodically for

Jay RLF #37
jayjwa At

More information about the list mailing list