[Dshield] Interesting Zombie Data Graphs

Faraone, Joseph A. joseph.faraone at unisys.com
Wed Nov 9 13:58:15 GMT 2005

/* soapbox

To follow up on Pete's idea.  The $300 bill might be Draconian, but try
this on for size...

I'd proposed an "Internet Driver's License" a while back in several
forums I teach/speak/rant to.  This driver's license is nothing that will
get you thru security at an airport, but it's regulated by the ISP.

All the new customer/subscriber has to do is take and pass a simple
online test prior to being allowed out of the ISP's intranet/sandbox
onto the big, bad Internet.  The test would consist of required reading
followed by questions on safety tips -- think of your favorite
"Security for Idiots" questions...  The new subscriber would then have
to either have or download from the ISP freeware (or paid-up commercial)
anti-virus, personal firewall, anti-spyware, etc. prior to being allowed
out of the sandbox. (many offer this option today.)  

Once successful, the customer's IP/MAC address is allowed to roam

If there are indications of infection or zombie behavior, the customer's
IP goes into quarantine until cleaned. 

Is this a simple concept?  Yep.  Pollyanna? Probably.  It's not so "easy"
for the Bellsouths/Comcasts of the world to implement simply because it
costs money.

soapbox */


Joe Faraone, CISSP
Senior Security Solutions Architect
Federal Systems INFOSEC Group
Unisys Corporation 


Date: Tue, 8 Nov 2005 08:15:09 -0800 (PST)
From: Pete Cap <peteoutside at yahoo.com>
Subject: Re: [Dshield] Interesting Zombie Data Graphs
To: General DShield Discussion List <list at lists.dshield.org>
Message-ID: <20051108161509.11529.qmail at web52412.mail.yahoo.com>
Content-Type: text/plain; charset=iso-8859-1

Here's an idea:

Require all customers to exercise some level of due diligence: you must have a virus scanner, you must have a personal
firewall, etc. The ISP is paying for bandwidth and passing the cost onto
the customer; if the customer refuses to take advantage of the free,
automated, and typically transparent security tools available, then by
all means the ISP should pass the extra cost onto the end-user. I
guarantee that after the first time Joe User gets slapped with a $300
cable bill, he won't be so careless.

Obviously you're not going to nail every customer who gets hacked or
zombied by the worm-du-jour. If it's something they could not reasonably
be expected to prevent, taking into consideration the average (low)
level of technical expertise on the part of the users, then don't charge
them. That is, if it was a worm with a 0-day exploit that zombies half
the internet, don't charge them. But if they get a worm for which
signatures were released three weeks ago...well...sorry, you signed the
user agreement, buddy.

Finally, and this is very important, make SURE the customer understands
this when they sign up. Link to AVG and ZoneAlarm from your main
website. Give them some kind of three-strikes policy if you want to be
really nice. But, in the end, they will learn not to be a danger to the
rest of the user community, or they will pay for it either through their
wallet, by getting their access revoked, or both.

I don't think that's too draconian a policy, let me know if it sounds
crazy, though :)



