[Dshield] DShield's Public Goals

Chris Brenton cbrenton at chrisbrenton.org
Fri Jan 6 03:38:58 GMT 2006

On Thu, 2006-01-05 at 19:47 -0500, M Cook wrote:
> I must say, though, that I still am in favor of ISPs doing more to 
> filter out bad stuff from or to their low-end customers.

Just out of curiosity, have you ever had your connectivity blocked by an
ISP doing filtering? I find that most folks who think it's a good idea
have yet to bang their head off of that wall. Once they do they quickly
hate the idea. I also thought this was a good idea till I had a
brain-dead upstream filter out all ICMP in an attempt to limit an attack.

This needs to be an SLA thing. If the agreement states the ISP will be
filtering and specifies the services that will be blocked, life is cool.
Otherwise you end up chasing your tail trying to troubleshoot a problem
you can never fix.

> You may handle 
> your mail and other services more securely than your ISP, but most of 
> their other customers are completely clueless.

Most people have at least a few car accidents in the course of a
lifetime. Does this mean we should ban everyone except an elite few from
using automobiles? A proper solution should focus on the actual problem,
not be so broad that it collaterally impacts the folks that know what
they are doing. 

> There seems to be a booming sale in A/V products, but there must 
> be gobs of machines out there that are not protected, else why would 
> there still be so many viruses --

There are still so many viruses because the A/V process is flawed. Back
before we had an Internet it worked fine. This was because you could
easily grab an update long before you saw the infected floppy disk that
was going to try and do evil things to your system. With the growth of
the Internet, viruses have the ability to propagate much faster than the
software designed to protect you from them.

Consider how the whole signature process works:
Virus gets written and released
Someone IDs it and possibly contracts it
Virus is submitted to an A/V company
An analysis is performed and a signature is generated
Signature is packaged for release
Updated sigs are downloaded and applied to A/V software

Couple of major flaws here. First, this only works with publicly
released viruses. Over the last few years we've started to see the best
virus writers keeping their code close and selling their services to
penetrate a network and extract specific information (if you don't know
how to hire these people you are hanging out in the wrong IRC channels).
No public release means you are not going to have a sig to detect it.
You might not even know it happened. Heck, it took the Israel & UK
governments about three years to figure it out when it happened to them.

Also, consider the time it's going to take to go through the rest of the
steps. A fast-spreading virus could easily own a few hundred thousand
(or more) systems before the A/V software is up to snuff to provide
protection. So because it's primarily signature-based, it's a
self-defeating system. The only ones really making out in the whole thing
are the A/V vendors who get to sell the signatures as a subscription service.
Till we can beat all the bugs out of host based intrusion protection,
this is going to continue to be a problem.

> and even those who have admitted they 
> need help enough to buy additional software aren't really protected from 
> all the vectors.

Agreed. A while back I made the comment "as an industry we've tried to
make security seem easier than it actually is. We want to make it like
driving a car when it's more like flying an airplane." IMHO it has not
become any easier since then.

> For you, I'd say pay a few bucks more a month, get a static IP and run 
> your servers.

Again, this should not be about price. It should be about the SLA. An
ISP that wants to charge you $10K a month but has an SLA stating they
will block ports is well within their rights. Further, an ISP charging
$5 a month that has no provision in their SLA should leave the port
blocking to the people who know what needs to get through and what does
not, namely their customers.

>  I'd expect the restrictions on low-end customers would be 
> a matter of contract (get this level of service, pay this each month). 
> I'd also expect the minimal filtering we are talking about -- preventing 
> botnets among the low-end customers from having unlimited ability to 
> spam the rest of us, for example -- to be beneficial for the most people.

I actually owned a security management ISP that was based around this
business model. I dealt with business level only connections and
provided port and content level filtering both inbound and outbound. As
a customer, you were not allowed to bring up an SMTP server (well you
could try, but it would not be able to talk to anyone ;-) until we
certified it as safe. All this was clearly stated in the SLA and a tech
and a sales person would review the SLA and its implications with each
client before signing a contract. I only charged a bit more than the
typical ISP and had no problem getting people to sign up. I would expect
a similar model would work just as well today if anyone has aspirations
of starting their own business. ;-)
