[Dshield] Possible solution for ISP (was DShield's public goals)
vancel at winfreeacademy.com
Mon Jan 9 18:19:54 GMT 2006
Jon R. Kibler wrote:
>M Cook wrote:
>>But you see, the more residential dynamic IP addresses are blocked, the
>>fewer options the spammers have left, which I think is a Good Thing.
>Another Good Thing ISPs could do is to assign all residential/dynamic IP customers IPs in private address space and NAT their Internet connections. This could GREATLY cut down on the spread of worms (which I am defining as malware that propagates via network connections) because they would be limited to propagating on the ISP's private network and outside public address space.
>I have no idea what the real number is, but say the U.S. has 50 million residential users on the Internet using globally routable IPs. If we were to make all of those systems use private address space, that would be about 50 million fewer hosts that could be infected by a worm hopping from system to system. Granted, this would force malware propagation tactics to change, but it removes one more tool from the bad guy's arsenal. From an ISP's perspective, this would also be a Good Thing in that it would eliminate users running rogue servers, such as P2P, chat, etc.
>Again, my $0.02.

The term "rogue servers" cannot refer to any program that a user
knowingly runs if its primary purpose is not malicious. IRC was
designed to be a research tool to be a multi-user "talk" type of
system. Just because users today are corrupting the use of some systems
doesn't mean the entire port/protocol should be dropped. Someone else
in this thread used cars as an example, so I will take it a step
farther. Dropping a valid port/protocol because a few bad people use it
for intentionally malicious purposes would be like forbidding car
manufacturers from selling cars, because a few people ran their car into
a school bus on purpose. The solution has to be to block holes in
software that allow malicious software into a system. Then it comes
down to programmers using proper memory management in their design (not
using memory pointers without checking/chopping input length, etc).
Any port can be used for malicious purposes. I've seen viruses use port
80 for their outbound connections, because that's the most likely port
to be open in a firewall. I'm waiting for a virus that's smart enough
to use a proxy, because where will we be then?

The only solution until the OS holes are fixed is to monitor activity
and wipe machines when they get infected. Our users know that if their
machine is infected, it will be completely wiped and restored to a

One of the times that a virus was downloaded to computers on our
network, it infected computers that were considered to be trusted for
direct outbound connections (senior people's machines). We had a Friday
off when those machines started spewing forth their garbage across the
Internet. One of the targets contacted our upstream provider and
contacted us directly. On the following Monday morning when I arrived,
I read the two emails and smiled, because now our executives would have
to let me seal all outbound access under the threat of our Internet
connection being terminated. Like most executives they do not
understand security, and they do not want to allow me to do anything
that might interrupt their access to the Internet, so despite the
obvious badness, it was good. All direct outbound being blocked is a
good scenario for corporate LAN/WAN access, but not necessarily for

We all seem to agree that the individuals that are clueless should be
the ones removed from the networks, so here is something that I would
propose. Have a national/international database similar to the credit
reporting system, but this one would simply be for users that have been
removed from an ISP. When you sign up for Internet service, the person
on the phone simply logs in to the database and checks the individual by
name/address or some sort of unique identifier (SSN, DL#, etc.). If the
person is flagged in the system as infected or not caring or whatever,
then they are not allowed an account. The ISP does a credit check most
of the time anyway, so this would be a pretty simple matter. To
encourage use, it could be free or close to free just to cover hardware
and its connection. So, if this were in place, here would be the

1) all users have full access to the Internet for whatever they want to do.
2) user X gets infected and starts spewing garbage across the Internet.
3) ISP for user X is notified and sends an email stating that if the
user does not correct the problem in N days, their connection will be
terminated and they will be added to the database.
4a) user fixes problem and submits to a test by whoever (could be a
company that does this for profit and charges the end user, not the
ISP... Best Buy, Comp USA, new companies, etc.), and whoever tested the
system sends notification to the ISP. All is well in the land.
4b) user ignores email, ISP adds their name to the database and
terminates their connection.
4b1) They get upset and try to go to another ISP that checks the
database and denies the account until they are certified clean as in
4b2) or: They go to an ISP that does not participate in the database,
but all of the ISPs that do participate block all access from ISPs that
do not participate, so they have no access to anything on the Internet
anyway. They are forced to go to an ISP that does participate and have
to clean their computer.

This would be very simple and would not take much effort on the part of
the ISP since they would not have to check/inspect the end user for
compliance. The ISP/ISP blocks would only be feasible if the major
providers were on-board, and it would take some time for this to be
implemented, just because it would take time to get all ISPs on board
and then start closing non-compliant accounts. However, it would not be
difficult at all, so the learning curve is small. This would eliminate
the need for downloadable software (as has been mentioned before), and
it would eliminate the need for the ISP to understand all OSes.

Of course there would be resistance, but since only infected users would
be targeted, everyone that keeps on top of their systems would be
allowed more access than we have now. Sort of a reward for knowing what
you're doing. And the ISPs don't really have to do anything other than
cut off those users that are infected. And again, the ultimate goal
would be for all of the "good/major" providers to band together and they
would block all the ISPs that actively or passively support

Just some thoughts.

Winfree Academy Charter Schools