[Dshield] Possible solution for ISP (was DShield's public goals)

Cefiar cef at optus.net
Tue Jan 10 08:48:12 GMT 2006


On Tuesday 10 January 2006 10:43, Jon R. Kibler wrote:
> I also think you missed my bigger point: Globally routable IPs are required
> for someone on the Internet to directly route traffic to a system. If every
> system that was not a server had an IP in private address space, then it
> would be much more difficult for someone to create arbitrary connections to
> that system from anywhere in the world. That was my primary point -- take
> away from the bad guys the ability to create easy connections to
> compromised systems.

The problem with using NAT at an ISP level is:
 1. You spend a lot of processing power re-writing the packets.
 2. You spend a fair amount of processing power and a fair amount of RAM tracking connections (related protocol connections).

Note that you don't have to do #1 to do #2 (eg: in Linux, look at conntrack in 
iptables), and this cuts down the processing power required immensely.

I personally think that ISPs should allow the account owner to choose their level of protection:
 1. Equivalent to NAT: No inbound unless related to outbound. No outbound on certain ports, with some exceptions to specified servers in ISP-space (eg: SMTP/port 25 only to the ISP's SMTP server, no SMB/137->139+445, etc). This should be the default.
 2. Restricted outbound (eg: SMTP/port 25 only to the ISP's SMTP server, no SMB/137->139+445, etc.), with some inbound blocks (mostly the same as outbound, except where it would cause issues).
 3. Unrestricted. Nothing blocked. Onus on the user. Comes with a disclaimer that the account holder is responsible for any problems they get, any excess costs through excessive data usage, etc.

At an ISP level, it's just a matter of assigning the client from a different 
IP pool for each group of users (whether via a RADIUS backend with user 
verification for ADSL/dialup, or via MAC address/node information for 
cable/fibre). Each IP pool will get filtered differently, and therefore each 
end user will get the level of filtering they ask for. Also, as the setup 
doesn't contain a lot of rules, it's easy to deploy these closer to the 
customer in large numbers (eg: supporting a fixed number of users) to avoid 
huge load issues on a few central systems bringing everything to a crashing 
end.
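As an added illustration (not code from the post or the list), the three tiers above expressed as per-pool iptables FORWARD rules, printed rather than applied so they can be reviewed first. The pool CIDRs and the ISP mail relay address are placeholders, and the rules assume a default-ACCEPT FORWARD chain on the ISP-side box with conntrack available:

```shell
#!/bin/sh
# Added example: emit iptables FORWARD rules for the three customer tiers.
# All addresses below are placeholders (100.64.0.0/10 and 192.0.2.0/24 are
# reserved ranges), not values from the post.
ISP_SMTP="192.0.2.25"      # placeholder: the ISP's outbound mail relay
POOL1="100.64.1.0/24"      # placeholder pool for tier 1 (default, NAT-equivalent)
POOL2="100.64.2.0/24"      # placeholder pool for tier 2 (restricted outbound)
POOL3="100.64.3.0/24"      # placeholder pool for tier 3 (unrestricted)
SMB_PORTS="137:139,445"    # NetBIOS name/datagram/session plus direct SMB

# Outbound restrictions shared by tiers 1 and 2: SMTP only to the ISP relay,
# no SMB/NetBIOS leaving the customer pool. Everything else stays allowed.
outbound_rules() {
  pool=$1
  echo "iptables -A FORWARD -s $pool -p tcp --dport 25 -d $ISP_SMTP -j ACCEPT"
  echo "iptables -A FORWARD -s $pool -p tcp --dport 25 -j DROP"
  echo "iptables -A FORWARD -s $pool -p tcp -m multiport --dports $SMB_PORTS -j DROP"
  echo "iptables -A FORWARD -s $pool -p udp -m multiport --dports $SMB_PORTS -j DROP"
}

# tier_rules N prints the rule set for tier N (1, 2 or 3).
tier_rules() {
  case $1 in
    1)
      outbound_rules "$POOL1"
      # Inbound only when conntrack ties the packet to a customer-initiated
      # flow (#2 in the post, without the address rewriting of #1).
      echo "iptables -A FORWARD -d $POOL1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
      echo "iptables -A FORWARD -d $POOL1 -m conntrack --ctstate NEW -j DROP"
      ;;
    2)
      outbound_rules "$POOL2"
      # Mirror only the SMB block inbound; new inbound connections are otherwise allowed.
      echo "iptables -A FORWARD -d $POOL2 -p tcp -m multiport --dports $SMB_PORTS -m conntrack --ctstate NEW -j DROP"
      echo "iptables -A FORWARD -d $POOL2 -p udp -m multiport --dports $SMB_PORTS -m conntrack --ctstate NEW -j DROP"
      ;;
    3)
      echo "# tier 3: $POOL3 unrestricted, no rules installed"
      ;;
    *)
      echo "unknown tier: $1" >&2
      return 1
      ;;
  esac
}

# Print all three rule sets; pipe a single tier into sh to apply it.
for t in 1 2 3; do tier_rules "$t"; done
```

Moving a customer between tiers is then just a change of pool assignment at the RADIUS or DHCP side; the rule sets themselves never change.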

If you build this into the management framework that you give the account 
holder (most ISPs have some way of looking at what plan they are on, or 
their billing status anyway), then the account holder can change the settings 
as they wish. Sure, the user will get a different IP when they change their 
filtering type, but that's hardly a huge price to pay. Most people will 
either live with the default, or choose one of the more advanced options. 
Option #2 should be more than enough for most gamers and the bittorrent 
junkies, whereas #3 suits those who are running their own mail/web servers, 
with the fully acknowledged risks this carries.

Sure, you'll get people just opening their service up straight away, but most 
of the population will just live with the default restricted setup and not 
change. And that's a good thing.

-- 
 Stuart Young - aka Cefiar - cef at optus.net
