[Dshield] Possible solution for ISP (was DShield's public goals)
vancel at winfreeacademy.com
Wed Jan 11 20:40:56 GMT 2006
David Cary Hart wrote:
>Without doing a thorough study, I am reasonably certain that the problems
>caused by home hobbyists running servers in residential space are statistically
>I suspect (based upon what I have seen) that the majority of open relay and formmail problems
>can be tracked to mediocre consultants to small businesses running Windows
>servers. You need a license to catch a fish but anyone can f**k up the Internet
>- and get paid for doing it.
>A compromise is provided by closing the ports by default and opening
>them upon request. I suspect that most of the compromised machine owners
>wouldn't know the difference between port 25 and Interstate I95. The simple
>proviso is that, if your machine is exploited, you lose the open port.
But the compromise you suggest still puts most of the work on the ISP.
Having to track a NAT with port forwarding/blocking on a per-user basis
for tens of thousands of users (possibly hundreds or millions) is
something that is not necessary.
My suggested solution is when the customer calls in for new service, the
ISP looks them up in the database, and if they are marked as "bad" or
"incompliant" or whatever negative term is decided, they don't get
service until they are certified to be clean/responsible/educated/etc.
That way they don't have to have someone managing inbound ip/port
forwarding through a NAT all day for the customers that want or need
it. The hobbyists would be the ones that suffer in any NAT-based
solution, because I doubt any ISP would do ingress IP/port tunnelling
just because some of their customers know how to properly run a server.
They would be more likely to apply the NAT and let everyone rot
inside.... and they still wouldn't be helping clean any of the infected
machines on their private network. My suggestion would actually enforce
cleaning machines and educating users instead of burying our heads in
the sand hoping the problem will go away.
Protecting uneducated users from themselves is an admirable goal, but
the alternative that I've given is as simple as turning off their
service when they are in violation. Then the user, not the ISP, is
responsible for taking care of their problems and proving that the
problems are resolved. This is how life is in almost all aspects except
the Internet. I agree with the fishing license analogy... why should
users be allowed on the Internet without a license? This system could
be used as a licensing system for those that have been found in violation.
The general consensus seems to be that ISPs are either lazy, uneducated,
or don't care. My solution takes the effort away from the ISP. All
they have to do for new customers is check the database to see if
they're flagged as bad. And for existing customers that are reported to
them, turn off their service completely and refer them to an outside
company for certification. If a customer is marked as bad, they have to
have a certificate (or license) to change the bad rating to a certified
(licensed) rating. Everyone is assumed to be ok until they are flagged
or reported. It's a simple system that doesn't require the ISP to do
any firewall/nat/proxy programming at all... just use their current
billing system (or however they do it already) to block the violators.
Winfree Academy Charter Schools