[Dshield] Possible solution for ISP (was DShield's public goals)

Laura Vance vancel at winfreeacademy.com
Tue Jan 10 15:56:19 GMT 2006

Jon R. Kibler wrote:

>I was not trying to infer that services such as chat should be banned, or anything like that. I used the term 'rogue server' because most ISPs prohibit residential accounts from running any services on their systems.
>I also think you missed my bigger point: Globally routable IPs are required for someone on the Internet to directly route traffic to a system. If every system that was not a server had an IP in private address space, then it would be much more difficult for someone to create arbitrary connections to that system from anywhere in the world. That was my primary point -- take away from the bad guys the ability to create easy connections to compromised systems.
>Now, I agree that using ingress/egress filtering and NAT will not solve all of the problems -- not by any stretch of imagination. However, if insiders are having to create outbound connections directly to some server, that becomes easier to detect and block.

The problem with the bigger point is that in order to accomplish that 
and still allow inbound traffic to those that want it, it puts a HUGE 
load on the ISP to maintain the port/ip forwarding into their private IP 
space.  Then if the ISPs refuse to do ingress NAT, it will punish those 
of us that cannot afford a static IP at home, but choose to be a 
responsible server administrator for projects outside of our jobs.  The 
only part of NAT that's simple is allowing egress to all users 
identically.  When you get into trying to give different things to 
different people behind a NAT firewall, the overhead escalates very 
rapidly for manpower alone.  Let's say that an ISP has 1 million 
subscribers, and 1% of those want to run their own server.  This means 
that somewhere in the NAT rules, the ISP has to program 10 thousand 
ingress IP forwards... or many times that if they only do individual 
port forwarding, because then they need many lines per machine that 
wants to run many services.  Not to mention that it would take a few 
steps backwards to the days when AOL, CompuServe, and all the others 
didn't have true Internet access.  AOL still uses a private network with 
proxies and firewalls to connect outside, and if you can't run their 
software, you can't get on their system (i.e. Linux).

The solution that I outlined has very little overhead, and it isn't a 
HUGE change from the way it is now... it just has a provision to track 
people that don't want to be good Internet citizens (or denizens as the 
case may be.)  I still believe that the Internet should be basically 
unrestricted, because there are many of us that know how to use it properly.

A modification of my idea to incorporate some of this and what Cefiar 
said in his reply is that this database could have more than just a 
"good" and "bad" status.  It could have shades of grey such as a status 
that indicates the user is limited to #1 in Cefiar's email (which would 
incorporate NAT, but that class of service would not have any ingress 
access), and so on.  The idea can be tweaked, but I believe that the 
basic idea is solid.

Laura Vance
Systems Engineer
Winfree Academy Charter Schools
