[Dshield] ISP Solution for complying with Dshield fightback?

Sanjay Arora sanjay.k.arora at gmail.com
Mon Nov 28 11:11:38 GMT 2005

On Sat, 2005-11-26 at 03:08 -0500, Valdis.Kletnieks at vt.edu wrote:
> On Fri, 25 Nov 2005 18:08:18 +0530, Sanjay Arora said:
> > I find that a major problem ISPs, especially the smaller ones face, is a
> It's not the smaller ones.  Unless Comcast is a "smaller one" these days. :)
No, Comcast is not a smaller one ;-)) not in any imagination of
interplanetary ISPs ;-)
> > 
> The lack of software isn't the issue.  The problem is that said providers
> have never bothered to implement the infrastructure this software will need.
> You could drop a fully customized Remedy solution (damn, it's a slick product,
> especially if you have in-house Remedy clue) on these people, and train them in
> its use, and it would do exactly *zero* to help them, because...
> ... they don't keep TACACS logs or caller-ID info on their inbound modem pool
> because they don't *understand* the need for it when their business model is
> "send a bill for $12.95 to every subscriber every month".
I agree...in fact I remember the launch of a commercial product & service
combo that did this sort of thing for ISPs with a big price ticket...a
sort of GUI & automated service with their own Dshield-like log
pooling...and I haven't seen any major improvements in service.

> On the other hand, a friend of mine and his SO run a local ISP. He certainly
> qualifies as one of these "smaller ones".  And you know what?  He's able to
> run a *very* tight ship using just a few very small tools.  One, given a
> suspect IP address, greps the logs and produces a customer account number.
> Another, given an account, produces a phone number.  I think that end of
> his business is all of 75 lines of code, mostly pretty-printing.
> Oh, and he's no dummy - he uses "We'll call you when the big companies won't"
> as a selling point. It's one of the reasons his customers prefer him. ;)

However, I still stand by my point...for the small & medium ones,
especially those that are not techie owned or run...those that face a
shortage of capable sys-admins and are having a lot of new recruits
doing the routine job...this sort of software should be a boon. 

My own ISP here in India has to do this manually...I distinctly remember
a time when I complained of getting attempts on the ssh port from an IP that
belonged to my ISP itself and voila...attempts ceased...until I tried
to ssh in from my home and found that the guy had blocked the ssh port
on my own IP ;-)

Multiple phone calls later I got to a senior sys-admin who resolved the
problem, but did nothing except warn the customer at the offending IP.
Follow-ups revealed that staff churn & new recruits for most jobs had
created two tiers in the company...capable sys-admins who were allowed
command-line access to firewalls & routers, & those who did routine jobs
from GUIs like releasing MAC addresses of PPPoE connections, diagnosing
problems to the best of their ability, etc.

I think that an open source frontend operable by helpdesk staff with
minimal sysadmin capabilities, with plugins for the lower-layer architecture,
say iptables or IPFilter or pf, is a must if we want to see real action
from the offenders...at least those who would be agreeable to do
something provided it was easy to do.

In fact, I am surprised that there is no such effort. Just think of a
system where Dshield has a...say XML-structured complaint to the ISP,
which automatically gets recorded into the ISP's abuse workflow, action
is taken, and again information flows back in structured format to the
Dshield project.

I think this is a discussion worth having in this forum. A small start
would go a long way in the years to come. But that's my thinking.

With regards.
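As an added illustration of the workflow the thread is describing (not code from this post, from Dshield, or from the ISP Valdis mentions), the script below ties the two halves together: a structured complaint comes in, each offending source address is matched against the ISP's own session logs to find the account (the "grep the logs, get an account number, get a phone number" tools), and a structured status report goes back to the reporter. The XML layout, the session-log format, the address ranges, the account ids and the phone numbers are all constructed for the example; none of them is Dshield's real report schema or any ISP's real data. The one detail worth noticing is that the lookup matches on the session that held the address at the time of the event, not on the address alone, because dynamically assigned addresses move between customers during the day.

```python
"""Minimal abuse-desk workflow: structured complaint in, account lookup by
address and time, structured feedback out. All data below is constructed."""
import ipaddress
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed complaint. Element and attribute names are assumptions, not Dshield's schema.
COMPLAINT_XML = """<complaint reporter="example-sensor-network">
  <event ts="2005-11-25T12:30:00Z" src="203.0.113.45" dst_port="22" proto="tcp" count="37"/>
  <event ts="2005-11-25T12:31:10Z" src="203.0.113.45" dst_port="22" proto="tcp" count="12"/>
  <event ts="2005-11-25T12:33:00Z" src="203.0.113.77" dst_port="22" proto="tcp" count="4"/>
  <event ts="2005-11-25T12:32:00Z" src="198.51.100.9" dst_port="445" proto="tcp" count="5"/>
  <event ts="2005-11-25T12:34:00Z" src="not-an-ip" dst_port="22" proto="tcp" count="1"/>
</complaint>"""

# Constructed session log (one line per session: start stop assigned-ip account).
SESSION_LOG = """\
2005-11-25T11:00:00Z 2005-11-25T14:00:00Z 203.0.113.45 acct-1042
2005-11-25T14:05:00Z 2005-11-25T18:00:00Z 203.0.113.45 acct-2077
2005-11-25T09:00:00Z 2005-11-25T23:00:00Z 198.51.100.9 acct-3310
"""

# Constructed account directory and the ISP's own (constructed) address space.
ACCOUNTS = {"acct-1042": "+1-555-0100", "acct-2077": "+1-555-0111"}
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


def parse_ts(text):
    """Parse the UTC timestamp format used in both the complaint and the log."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_complaint(xml_text):
    """Return the complaint's events as dicts; events with a malformed source are dropped."""
    events = []
    for ev in ET.fromstring(xml_text).findall("event"):
        try:
            src = ipaddress.ip_address(ev.get("src"))
        except ValueError:
            continue  # never open a ticket on an address we could not even parse
        events.append({"ts": parse_ts(ev.get("ts")), "src": src,
                       "dst_port": int(ev.get("dst_port")), "count": int(ev.get("count", "1"))})
    return events


def parse_sessions(log_text):
    """Return (start, stop, ip, account) tuples from the session log."""
    sessions = []
    for line in log_text.splitlines():
        if line.strip():
            start, stop, ip, acct = line.split()
            sessions.append((parse_ts(start), parse_ts(stop), ipaddress.ip_address(ip), acct))
    return sessions


def is_ours(ip):
    """Only addresses in our own allocation can be attributed to our customers."""
    return any(ip in net for net in OUR_PREFIXES)


def find_account(ip, ts, sessions):
    """Account holding `ip` at time `ts`; None if no session covers that moment."""
    for start, stop, sip, acct in sessions:
        if sip == ip and start <= ts <= stop:
            return acct
    return None


def lookup(ip_text, ts_text, log_text):
    """The 'suspect IP -> account number' tool from the thread, as a single call."""
    return find_account(ipaddress.ip_address(ip_text), parse_ts(ts_text), parse_sessions(log_text))


def build_tickets(xml_text, log_text):
    """Return (tickets keyed by account, unmatched [(ip, reason)]) for one complaint."""
    sessions = parse_sessions(log_text)
    tickets, unmatched = {}, []
    for ev in parse_complaint(xml_text):
        if not is_ours(ev["src"]):
            unmatched.append((str(ev["src"]), "not-our-address-space"))
            continue
        acct = find_account(ev["src"], ev["ts"], sessions)
        if acct is None:
            unmatched.append((str(ev["src"]), "no-session-at-event-time"))
            continue
        t = tickets.setdefault(acct, {"account": acct, "phone": ACCOUNTS.get(acct, "unknown"),
                                      "src": str(ev["src"]), "events": 0, "total": 0, "ports": set()})
        t["events"] += 1
        t["total"] += ev["count"]
        t["ports"].add(ev["dst_port"])
    return tickets, unmatched


def feedback_xml(tickets, unmatched):
    """Structured report back to the reporter: per-source status only, no customer identity."""
    root = ET.Element("feedback")
    for t in tickets.values():
        ET.SubElement(root, "source", ip=t["src"], status="ticket-opened",
                      events=str(t["events"]), total=str(t["total"]))
    for ip, reason in unmatched:
        ET.SubElement(root, "source", ip=ip, status=reason)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    opened, skipped = build_tickets(COMPLAINT_XML, SESSION_LOG)
    for t in opened.values():
        print(f"call {t['phone']} about {t['account']} ({t['src']}): {t['total']} hits on {sorted(t['ports'])}")
    print(feedback_xml(opened, skipped))
```

The feedback deliberately reports status per source address and nothing about the customer: the reporter needs to know that a ticket was opened or why it could not be, not who the subscriber is. Run on the constructed data, the two events from 203.0.113.45 collapse into one ticket for acct-1042, the 203.0.113.77 event is flagged as having no session at that time, the 198.51.100.9 event is rejected as outside the ISP's address space, and the malformed source is ignored.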
