[Dshield] Possible solution for ISP (was DShield's public goals)
vancel at winfreeacademy.com
Tue Jan 10 15:56:19 GMT 2006
Jon R. Kibler wrote:
>I was not trying to infer that services such as chat should be banned, or anything like that. I used the term 'rogue server' because most ISPs prohibit residential accounts from running any services on their systems.
>I also think you missed my bigger point: Globally routable IPs are required for someone on the Internet to directly route traffic to a system. If every system that was not a server had an IP in private address space, then it would be much more difficult for someone to create arbitrary connections to that system from anywhere in the world. That was my primary point -- take away from the bad guys the ability to create easy connections to compromised systems.
>Now, I agree that using ingress/egress filtering and NAT will not solve all of the problems -- not by any stretch of imagination. However, if insiders are having to create outbound connections directly to some server, that becomes easier to detect and block.
The problem with the bigger point is that in order to accomplish that
and still allow inbound traffic to those that want it, it puts a HUGE
load on the ISP to maintain the port/ip forwarding into their private IP
space. Then if the ISPs refuse to do ingress NAT, it will punish those
of us that cannot afford a static IP at home, but choose to be a
responsible server administrator for projects outside of our jobs. The
only part of NAT that's simple is allowing egress to all users
identically. When you get into trying to give different things to
different people behind a NAT firewall, the overhead escalates very
rapidly for manpower alone. Let's say that an ISP has 1 million
subscribers, and 1% of those want to run their own server. This means
that somewhere in the NAT rules, the ISP has to program 10 thousand
ingress IP forwards... or many times that if they only do individual
port forwarding, because then they need many lines per machine that
wants to run many services. Not to mention that it would take a few
steps backwards to the days when AOL, CompuServe, and all the others
didn't have true Internet access. AOL still uses a private network with
proxies and firewalls to connect outside, and if you can't run their
software, you can't get on their system (i.e., Linux).
The solution that I outlined has very little overhead, and it isn't a
HUGE change from the way it is now... it just has a provision to track
people that don't want to be good Internet citizens (or denizens as the
case may be.) I still believe that the Internet should be basically
unrestricted, because there are many of us that know how to use it properly.
A modification of my idea to incorporate some of this and what Cefiar
said in his reply is that this database could have more than just a
"good" and "bad" status. It could have shades of grey such as a status
that indicates the user is limited to #1 in Cefiar's email (which would
incorporate NAT, but that class of service would not have any ingress
access), and so on. The idea can be tweaked, but I believe that the
basic idea is solid.
Winfree Academy Charter Schools