[Dshield] Commentary on how to deal with infected users who failto clean up their acts! [Fwd: [NANOG] Even you can be hacked

Roger Buck rog at saas.nsw.edu.au
Mon Jun 14 00:01:06 GMT 2004

Jon R. Kibler wrote:
> Roger Buck wrote:
> <SNIP!>
>>Unfortunately, the analogy is not valid for those of us who are paying
>>ISP bills based on metered traffic. It also conveniently overlooks the
>>fact that _everyone_ is paying a significant 'tax' for unwanted Internet
>>traffic: Especially the unwanted traffic generated by most of the recent
>>(12-18 months) Internet worms.
> <SNIP!>
> Sounds like it is time for an ISP change!

Change of country maybe - don't forget that everywhere is not like the USA.

In Australia, most ISP's will charge for both outbound and inbound 
traffic for commercial quality Internet connectivity (anything equal to 
or greater than 512/512 SDSL!). The ISP's themselves are often subject 
to the same billing style by the wholesaler (mainly Australian Telco's). 
Domestic users are usually subject to bandwidth throttling instead.

I understand the point of the original post. This response was meant as 
a "reminder" - not meant as a criticism: A reminder that there is an 
additional and very significant hidden community cost for virus related 
traffic - no matter how competently the end user configures their own 
firewall / network.

The clients' view is that this is unwanted traffic that never appears on 
the inside of the firewall. They are refusing /dropping the unwanted 
traffic at the gateway interface between them and their ISP and that is 
the most they can do.

The ISP's view this as an end user problem. The ISP simply delivers the 
traffic to you and you have the choice of either paying the bill or 
disconnecting your network.

Many commercial organisations have no idea of the amount of unwanted 
traffic they are dropping at the gateway - In Australia, I have seen 
this traffic rise to a ratio of 9 or 10:1 (nine times more unwanted 
traffic (incoming) than valid incoming traffic, for extended periods 
(24x7 weeks or months) - especially where the gateway is routing one or 
more public IP blocks. This means that some Australian corporates / 
Government departments often unknowingly pay up to 900% or more than 
they need to pay for the actual traffic they are using (I do have real 
data to back this up!).

So long as ISP's profit from the generation of such traffic and end 
users ignore it, then unwanted traffic is likely to continue relatively 


More information about the list mailing list