[Dshield] Possible solution for ISP (was DShield's public goals)

Laura Vance vancel at winfreeacademy.com
Mon Jan 9 18:19:54 GMT 2006

Jon R. Kibler wrote:

>M Cook wrote:
>>But you see, the more residential dynamic IP addresses are blocked, the
>>fewer options the spammers have left, which I think is a Good Thing. 
>Another Good Thing ISPs could do is to assign all residential/dynamic IP customers IPs in private address space and NAT their Internet connections. This could GREATLY cut down on the spread of worms (which I am defining as malware that propagates via network connections) because they would be limited to propagating on the ISP's private network and outside public address space. 
>I have no idea the real number, but say the U.S. has 50 million residential users on the Internet using globally routable IPs. If we were to make all of those systems use private address space, that would be about 50 million fewer hosts that could be infected by a worm hopping from system to system. Granted, this would force malware propagation tactics to change, but it removes one more tool from the bad guy's arsenal. From an ISP's perspective, this would also be a Good Thing in that it would eliminate users running rogue servers, such as P2P, chat, etc.
>Again, my $0.02.
>Jon Kibler

The term "rogue servers" cannot refer to any program that a user 
knowingly runs if its primary purpose is not malicious.  IRC was 
designed to be a research tool to be a multi-user "talk" type of 
system.  Just because users today are corrupting the use of some systems 
doesn't mean the entire port/protocol should be dropped.  Someone else 
in this thread used cars as an example, so I will take it a step 
farther.  Dropping a valid port/protocol because a few bad people use it 
for intentionally malicious purposes would be like forbidding car 
manufacturers from selling cars, because a few people ran their car into 
a school bus on purpose.  The solution has to be to block holes in 
software that allow malicious software into a system.  Then it comes 
down to programmers using proper memory management in their design (not 
using memory pointers without checking/chopping input length, etc).

Any port can be used for malicious purposes.  I've seen viruses use port 
80 for their outbound connections, because that's the most likely port 
to be open in a firewall.  I'm waiting for a virus that's smart enough 
to use a proxy, because where will we be then?

The only solution until the OS holes are fixed is to monitor activity 
and wipe machines when they get infected.  Our users know that if their 
machine is infected, it will be completely wiped and restored to a 
"like-new" state.

One of the times that a virus was downloaded to computers on our 
network, it infected computers that were considered to be trusted for 
direct outbound connections (senior people's machines).  We had a Friday 
off when those machines started spewing forth their garbage across the 
Internet.  One of the targets contacted our upstream provider and 
contacted us directly.  On the following Monday morning when I arrived, 
I read the two emails and smiled, because now our executives would have 
to let me seal all outbound access under the threat of our Internet 
connection being terminated.  Like most executives they do not 
understand security, and they do not want to allow me to do anything 
that might interrupt their access to the Internet, so despite the 
obvious badness, it was good.  All direct outbound being blocked is a 
good scenario for corporate LAN/WAN access, but not necessarily for 
home-user access.

To Everyone,

We all seem to agree that the individuals that are clueless should be 
the ones removed from the networks, so here is something that I would 
propose.  Have a national/international database similar to the credit 
reporting system, but this one would simply be for users that have been 
removed from an ISP.  When you sign up for Internet service, the person 
on the phone simply logs in to the database and checks the individual by 
name, address, or some sort of unique identifier (ssn, dl#, etc).  If the 
person is flagged in the system as infected or not caring or whatever, 
then they are not allowed an account.  The ISP does a credit check most 
of the time anyway, so this would be a pretty simple matter.  To 
encourage use, it could be free or close to free just to cover hardware 
and its connection.  So, if this were in place, here would be the 
possible scenario:

1) all users have full access to the Internet for whatever they want to do.
2) user X gets infected and starts spewing garbage across the Internet.
3) ISP for user X is notified and sends an email stating that if the 
user does not correct the problem in N days, their connection will be 
terminated and they will be added to the database.
4a) user fixes problem and submits to a test by whoever (could be a 
company that does this for profit and charges the end user, not the 
ISP... Best Buy, Comp USA, new companies, etc.), and whoever tested the 
system sends notification to the ISP.   All is well in the land.
4b) user ignores email, ISP adds their name to the database and 
terminates their connection.
4b1) They get upset and try to go to another ISP that checks the 
database and denies the account until they are certified clean as in 
step 4a.
4b2) or: They go to an ISP that does not participate in the database, 
but all of the ISPs that do participate block all access from ISPs that 
do not participate, so they have no access to anything on the Internet 
anyway.  They are forced to go to an ISP that does participate and have 
to clean their computer.

This would be very simple and would not take much effort on the part of 
the ISP since they would not have to check/inspect the end user for 
compliance.  The ISP/ISP blocks would only be feasible if the major 
providers were on-board, and it would take some time for this to be 
implemented, just because it would take time to get all ISPs on board 
and then start closing non-compliant accounts.  However, it would not be 
difficult at all, so the learning curve is small.  This would eliminate 
the need for downloadable software (as has been mentioned before), and 
it would eliminate the need for the ISP to understand all OSes.

Of course there would be resistance, but since only infected users would 
be targeted, everyone that keeps on top of their systems would be 
allowed more access than we have now.  Sort of a reward for knowing what 
you're doing.  And the ISPs don't really have to do anything other than 
cut off those users that are infected.  And again, the ultimate goal 
would be for all of the "good/major" providers to band together and they 
would block all the ISPs that actively or passively support 
virus/worm/etc writers.

Just some thoughts.

Laura Vance
Systems Engineer
Winfree Academy Charter Schools
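The post makes two points that are easier to see in code than in prose: a worm will happily use port 80 (or any port) for its outbound connections because that is the one most likely to be open, and an infected machine with direct outbound access shows up as a host "spewing" at many external destinations. The following is an added illustration, not code from the original post or the list: an egress-policy check run over a few constructed connection records. It assumes a corporate network of 10.0.0.0/8 where only a proxy host at 10.0.0.5 is permitted to reach the Internet directly, and a simple "timestamp src dst port" record layout; both the addresses and the layout are assumptions for the example, not a real firewall's log format.

```python
"""Egress-policy check over constructed connection records.

Added example, not from the original post.  Assumptions: the internal
network is 10.0.0.0/8, only the proxy host 10.0.0.5 may connect to the
Internet directly, and each record is "timestamp src_ip dst_ip dst_port".
"""
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed corporate range
PROXY_HOST = ipaddress.ip_address("10.0.0.5")       # assumed proxy address
ALLOWED_DIRECT = {PROXY_HOST}                       # hosts allowed direct egress
ALERT_THRESHOLD = 3  # distinct external targets before a host is "spewing"

# Constructed sample records (documentation address ranges, not real hosts).
# 10.0.0.42 behaves like an infected machine: many external targets, and
# port 80 is used for most of them precisely because it is likely open.
SAMPLE_LOG = """\
2006-01-06T09:00:01 10.0.0.20 10.0.0.5 3128
2006-01-06T09:00:02 10.0.0.5 203.0.113.10 80
2006-01-06T09:00:03 10.0.0.20 10.0.0.5 3128
2006-01-06T09:01:00 10.0.0.42 198.51.100.7 80
2006-01-06T09:01:01 10.0.0.42 198.51.100.8 80
2006-01-06T09:01:02 10.0.0.42 198.51.100.9 80
2006-01-06T09:01:03 10.0.0.42 192.0.2.33 445
2006-01-06T09:02:00 10.0.0.7 10.0.0.200 445
2006-01-06T09:02:05 10.0.0.9 203.0.113.77 443
"""


def parse_line(line):
    """Split one record into (timestamp, src, dst, port)."""
    ts, src, dst, port = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def direct_egress(records):
    """Records where an internal host other than the proxy reaches the
    Internet directly.  Destination port is deliberately ignored: a rule
    that trusts port 80 is exactly what outbound malware relies on."""
    hits = []
    for ts, src, dst, port in records:
        if src in INTERNAL_NET and dst not in INTERNAL_NET \
                and src not in ALLOWED_DIRECT:
            hits.append((ts, str(src), str(dst), port))
    return hits


def spewing_hosts(records, threshold=ALERT_THRESHOLD):
    """Internal hosts whose direct-egress connections reach at least
    `threshold` distinct external destinations.  Returns {host: count}."""
    targets = {}
    for _, src, dst, _ in direct_egress(records):
        targets.setdefault(src, set()).add(dst)
    return {src: len(dsts) for src, dsts in targets.items()
            if len(dsts) >= threshold}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hit in direct_egress(recs):
        print("direct egress:", *hit)
    print("spewing:", spewing_hosts(recs))
```

Traffic to the proxy (10.0.0.20 on port 3128) and lateral traffic inside 10.0.0.0/8 (10.0.0.7 to 10.0.0.200) never reach the Internet and are not reported; the proxy's own outbound connection is allowed by policy. Of the remaining hosts, 10.0.0.42 is flagged with four distinct external targets, while 10.0.0.9 with a single direct connection on 443 is reported as a policy violation but not as spewing. On a network where direct outbound is blocked at the firewall, every line this check reports is traffic that should not have been possible in the first place, which is the post's argument for sealing outbound access on a corporate LAN.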
