[Dshield] Possible solution for ISP (was DShield's public goals)

Laura Vance vancel at winfreeacademy.com
Wed Jan 11 20:40:56 GMT 2006


David Cary Hart wrote:

>Without doing a thorough study, I am reasonably certain that the problems
>caused by home hobbyists running servers in residential space are statistically
>insignificant.
>
>I suspect (based upon what I have seen) that the majority of open relay and formmail problems
>can be tracked to mediocre consultants to small businesses running Windows
>servers. You need a license to catch a fish but anyone can f**k up the Internet
>- and get paid for doing it.
>
>A compromise is provided by closing the ports by default and opening
>them upon request. I suspect that most of the compromised machine owners
>wouldn't know the difference between port 25 and Interstate I95. The simple
>proviso is that, if your machine is exploited, you lose the open port.
>
But the compromise you suggest still puts most of the work on the ISP.  
Having to track a NAT with port forwarding/blocking on a per-user basis 
for tens of thousands of users (possibly hundreds or millions) is 
something that is not necessary.

My suggested solution is when the customer calls in for new service, the 
ISP looks them up in the database, and if they are marked as "bad" or 
"incompliant" or whatever negative term is decided, they don't get 
service until they are certified to be clean/responsible/educated/etc.  
That way they don't have to have someone managing inbound IP/port 
forwarding through a NAT all day for the customers that want or need 
it.  The hobbyists would be the ones that suffer in any NAT-based 
solution, because I doubt any ISP would do ingress IP/port tunnelling 
just because some of their customers know how to properly run a server.  
They would be more likely to apply the NAT and let everyone rot 
inside... and they still wouldn't be helping clean any of the infected 
machines on their private network.  My suggestion would actually enforce 
cleaning machines and educating users instead of burying our heads in 
the sand hoping the problem will go away.

Protecting uneducated users from themselves is an admirable goal, but 
the alternative that I've given is as simple as turning off their 
service when they are in violation.  Then the user, not the ISP, is 
responsible for taking care of their problems and proving that the 
problems are resolved.  This is how life is in almost all aspects except 
the Internet.  I agree with the fishing license analogy... why should 
users be allowed on the Internet without a license?  This system could 
be used as a licensing system for those that have been found in violation.

The general consensus seems to be that ISPs are either lazy, uneducated, 
or don't care.  My solution takes the effort away from the ISP.  All 
they have to do for new customers is check the database to see if 
they're flagged as bad.  And for existing customers that are reported to 
them, turn off their service completely and refer them to an outside 
company for certification.  If a customer is marked as bad, they have to 
have a certificate (or license) to change the bad rating to a certified 
(licensed) rating.  Everyone is assumed to be ok until they are flagged 
or reported.  It's a simple system that doesn't require the ISP to do 
any firewall/nat/proxy programming at all... just use their current 
billing system (or however they do it already) to block the violator's 
account.


-- 
Thanks,
Laura Vance
Systems Engineer
Winfree Academy Charter Schools



