[Dshield] Possible solution for ISP (was DShield's public goals)

Laura Vance vancel at winfreeacademy.com
Wed Jan 11 22:53:29 GMT 2006

Valdis.Kletnieks at vt.edu wrote:

>On Mon, 09 Jan 2006 12:19:54 CST, Laura Vance said:
>>4a) user fixes problem and submits to a test by whoever (could be a 
>>company that does this for profit and charges the end user, not the 
>>ISP... Best Buy, Comp USA, new companies, etc.), and whoever tested the 
>>system sends notification to the ISP.   All is well in the land.
>>4b) user ignores email, ISP adds their name to the database and 
>>terminates their connection.
>A non-starter.  You come home from vacation to find your machine was hacked.
>*AND* that you can't get on the net to download the patch.
>If the user is cut off, how *exactly* does he fix the problem?

When you take your computer into Comp USA, you physically take your 
computer there and have them do their thing.  Shutting them off fixes 
the problem, because now they are forced to deal with the problem 
instead of just being ok with a slower computer that is horribly infected.

>>4b2) or: They go to an ISP that does not participate in the database, 
>>but all of the ISPs that do participate block all access from ISPs that 
>>do not participate, so they have no access to anything on the Internet 
>Getting the participating ISPs to *cut off* connections with non-participating
>ones is not going to fly.  NetZero won't cut off EarthLink, no matter how bad
>it is, because NetZero doesn't want their phone to ring off the hook about why
>their users can't get to EarthLink anymore.  If the phone rings, it costs them
>money.  It costs them even *more* money if they become ex-NetZero users.
>Go back to early October, and see what happened when Level3 (AS3356) tried
>to depeer XO (AS 2828).

I'm not talking about the good ISP shutting off their customers from 
accessing hosts on the bad ISP or even sending email to the bad ISP.  
I'm talking about the good ISP blocking all inbound traffic from the bad 
ISP.  In your scenario, NetZero is the good ISP that wants to do this 
plan.  Their customers can browse any site hosted on the EarthLink 
webspace.  NetZero customers can also send emails to any IP on the 
entire EarthLink IP space.  Since EarthLink is a non-participant in the 
system, NetZero blocks all inbound traffic from their customer-space.  
NetZero would still accept inbound email from the EarthLink mail server, 
and they would allow inbound web traffic from the EarthLink proxy (if 
one exists), and so on for different services.  NetZero would *only* 
block *all* inbound traffic from user-space at EarthLink.

Then when EarthLink started participating, then NetZero would remove the 
blocks.  Make the system free or almost free (nominal fee to cover 
hardware and Internet connection for remote use) so it doesn't affect 
the ISP bottom line and they will practically have no reason to *not* 
use it.
1) helps control virus spreading.
2) educates users.
3) low (or no) cost.
4) ISP doesn't have to repair the user machines or educate their users, 
so no extra responsibility or expenses.

1) an extra step to look up the user when assigning a new account.
2) possible loss of customers (this will only happen if too few ISPs 
adopt the system).

As I said, the idea could be tweaked, but the basic idea is a manageable 
solution.  The worst part is the initial implementation... getting 
enough ISPs to sign on to the system to make it effective would be the 
ultimate challenge.  Call it leveraging... the only question would be if 
you want to be able to deal with 75% of the Internet or 25% of it.  And 
if all ISPs signed on to the idea, then no ISP would be blocked from 
the others.  I also said that it doesn't *have* to be a block, it could 
be something else... or even until most ISPs are on board, no ISP blocks 
would happen.  There are so many ways to implement this idea that there 
is almost no reason not to seriously consider it.  Blocking was just 
something that one person came up with while brainstorming on an 
email... other possibilities that use this same model would be great too.

My main concern is that all of the other ideas that I've seen either put 
a LOT of work on the ISP (NAT/firewall upkeep for users that are allowed 
inbound connections), or they simply punish those of us that know how to 
run a tight ship along with everyone that doesn't know and doesn't care.

Laura Vance
Systems Engineer
Winfree Academy Charter Schools
