[Dshield] Possible solution for ISP (was DShield's public goals)
cef at optus.net
Tue Jan 10 08:48:12 GMT 2006
On Tuesday 10 January 2006 10:43, Jon R. Kibler wrote:
> I also think you missed my bigger point: Globally routable IPs are required
> for someone on the Internet to directly route traffic to a system. If every
> system that was not a server had an IP in private address space, then it
> would be much more difficult for someone to create arbitrary connections to
> that system from anywhere in the world. That was my primary point -- take
> away from the bad guys the ability to create easy connections to
> compromised systems.
The problem with using NAT at an ISP level is:
1. You spend a lot of processing power re-writing the packets.
2. You spend a fair amount of processing power and a fair amount of ram
tracking connections (related protocol connections).
Note that you don't have to do #1 to do #2 (eg: in Linux, look at conntrack in
iptables), and this cuts down the processing power required immensely.
I personally think that ISPs should allow the account owner to choose their
level of protection:
1. Equivalent to NAT: No inbound unless related to outbound. No outbound on
certain ports with some exceptions to specified servers in ISP-space (eg:
SMTP/port 25 only to ISP's SMTP server, no SMB/137->139+445, etc). This
should be the default.
2. Restricted outbound (eg: SMTP/port 25 only to ISP's SMTP server, no
SMB/137->139+445, etc.), with some inbound blocks (mostly the same as
outbound except where it would cause issues).
3. Unrestricted. Nothing blocked. Onus on user. Comes with disclaimer that
the account holder is responsible for any problems they get, any excess costs
through excessive data usage, etc.
At an ISP level, it's just a matter of assigning the client from a different
IP pool for each group of users (whether via a radius backend with user
verification for ADSL/dialup, or via MAC address/Node information for
Cable/Fibre). Each IP pool will get filtered differently, and therefore each
end user will get the level of filtering they ask for. Also, as the setup
doesn't contain a lot of rules, it's easy to deploy these closer to the
customer in large numbers (eg: supporting a fixed number of users) to avoid
huge load issues on a few central systems bringing everything to a crashing
If you build this into the management framework that you give the account
holder (most ISPs have some way of looking at what plan they are on, or
their billing status anyway), then the account holder can change the settings
as they wish. Sure the user will get a different IP when they change their
filtering type, but that's hardly a huge price to pay. Most people will
either live with the default, or choose one of the more advanced options.
Option #2 should be more than enough for most gamers and the bittorrent
junkies, whereas #3 suits those who are running their own mail/web servers,
with the fully acknowledged risks this carries.
Sure, you'll get people just opening their service up straight away, but most
of the population will just live with the default restricted setup and not
change. And that's a good thing.
Stuart Young - aka Cefiar - cef at optus.net
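The three filtering levels above, written out as an added example that is not part of the original post: a POSIX shell script that emits an iptables-restore fragment with one chain per customer IP pool, doing stateful filtering with conntrack (the post's "#2 without #1") and no NAT rewriting. The pool CIDRs, the customer-facing interface name, the ISP SMTP relay address and the exact inbound blocks for level 2 (SMTP and SMB) are assumptions for illustration, not something the post specifies.

```shell
#!/bin/sh
# Added example, not from the original post. Prints an iptables-restore
# fragment implementing three per-pool filtering levels on a Linux box that
# forwards between the customer interface and upstream. All addresses and
# names below are assumptions (documentation ranges, made-up interface).

ISP_SMTP="203.0.113.25"   # assumed ISP mail relay
CUST_IF="eth1"            # assumed customer-facing interface
SMB_PORTS="137:139,445"   # NetBIOS/SMB ports customers must not reach directly

# emit_level LEVEL CIDR: rules for one pool, in a chain named LVL<LEVEL>.
# Packets from the pool arrive on $CUST_IF (-i); packets to the pool leave
# on $CUST_IF (-o), so one chain can hold both directions.
emit_level() {
  level=$1; cidr=$2
  chain="LVL$level"
  echo ":$chain - [0:0]"
  echo "-A FORWARD -i $CUST_IF -s $cidr -j $chain"
  echo "-A FORWARD -o $CUST_IF -d $cidr -j $chain"
  case "$level" in
    1|2)
      # Outbound (both levels): SMTP only to the ISP relay, no SMB, rest allowed
      echo "-A $chain -i $CUST_IF -p tcp --dport 25 -d $ISP_SMTP -j ACCEPT"
      echo "-A $chain -i $CUST_IF -p tcp --dport 25 -j DROP"
      echo "-A $chain -i $CUST_IF -p tcp -m multiport --dports $SMB_PORTS -j DROP"
      echo "-A $chain -i $CUST_IF -p udp -m multiport --dports $SMB_PORTS -j DROP"
      echo "-A $chain -i $CUST_IF -j ACCEPT"
      if [ "$level" = 1 ]; then
        # Level 1 (NAT-equivalent): inbound only if conntrack ties the packet
        # to a flow the customer started; no address rewriting needed
        echo "-A $chain -o $CUST_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        echo "-A $chain -o $CUST_IF -j DROP"
      else
        # Level 2: inbound open, minus the same SMTP/SMB ports (assumed set)
        echo "-A $chain -o $CUST_IF -p tcp -m multiport --dports 25,$SMB_PORTS -j DROP"
        echo "-A $chain -o $CUST_IF -p udp -m multiport --dports $SMB_PORTS -j DROP"
        echo "-A $chain -o $CUST_IF -j ACCEPT"
      fi
      ;;
    3)
      # Level 3: unrestricted, onus on the account holder
      echo "-A $chain -j ACCEPT"
      ;;
    *) echo "unknown level: $level" >&2; return 1 ;;
  esac
}

# ruleset POOL1 POOL2 POOL3: complete filter-table fragment for the three pools
ruleset() {
  echo "*filter"
  emit_level 1 "$1"
  emit_level 2 "$2"
  emit_level 3 "$3"
  echo "COMMIT"
}

# Assumed pools, one per level; pipe the output into iptables-restore -n
ruleset 192.0.2.0/25 192.0.2.128/25 198.51.100.0/24
```

Because the chains key off the pool CIDR, moving a customer between levels is just the RADIUS or DHCP backend handing them an address from a different pool, as the post describes; the filter rules themselves never change, and the rule count stays small enough to replicate on many edge boxes.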