[Dshield] Possible solution for ISP (was DShield's public goals)

Cefiar cef at optus.net
Wed Jan 11 23:56:11 GMT 2006

On Thursday 12 January 2006 07:40, Laura Vance wrote:
> David Cary Hart wrote:
> >A compromise is provided by closing the ports by default and opening
> >them upon request. I suspect that most of the compromised machine owners
> >wouldn't know the difference between port 25 and Interstate I95. The
> > simple proviso is that, if your machine is exploited, you lose the open
> > port.
> But the compromise you suggest still puts most of the work on the ISP.
> Having to track a NAT with port forwarding/blocking on a per-user basis
> for tens of thousands of users (possibly hundreds or millions) is
> something that is not necessary.

Part of the problem with any system is the administrative overhead. When you 
give absolute granular control (blocking/unblocking specific ports) on 
connections, this adds a tremendous administrative overhead for the ISP, and 
also adds a huge processing overhead as well (as each connection could/will 
have different ports blocked).

This was part of why I suggested having a few groups of filtering options, and 
just assigning users into these groups when they are allocated an IP address. 
This reduces the administrative overhead, and cuts down on the processing 
overhead too.

I'm not 100% sure, but by giving the granular port blocking control for every 
connection as compared to assigning connections to fixed blocking groups, 
you're taking the problem from an N^M problem space into an N*M problem 
space. Here I'm using N for the number of users, and M for the 
administrative/processing overhead. Anything with exponential overhead is 
really bad, whereas a multiplicative overhead is manageable, and easy to work 
out the end cost "per user" to the ISP.

And that's the crux of the problem for any ISP based filtering solution in my 
opinion. It's not whether there is an overhead for the ISP, but whether that 
overhead is manageable in the short and long term on not just an 
administrative basis, but also on a cost basis. It's no use offering this if 
suddenly a higher number of users using the system brings a huge load to the 
ISP's setup and impacts the ISP's ability to provide a service to all users. 
To rectify the problem by adding more hardware in a fixed amount (eg: 1 
filtering system per 1000 users <-- just for demo, not in any way an accurate 
figure) can easily be budgeted, tracked and accommodated for, whereas anything 
that has an exponential growth will eventually get to a point of diminishing 
returns, where it's not worth pursuing anymore.

> My suggested solution is when the customer calls in for new service, the
> ISP looks them up in the database, and if they are marked as "bad" or
> "incompliant" or whatever negative term is decided, they don't get
> service until they are certified to be clean/responsible/educated/etc.
> That way they don't have to have someone managing inbound ip/port
> forwarding through a NAT all day for the customers that want or need
> it.  The hobbyists would be the ones that suffer in any NAT-based
> solution, because I doubt any ISP would do ingress IP/port tunnelling
> just because some of their customers know how to properly run a server.
> They would be more likely to apply the NAT and let everyone rot
> inside.... and they still wouldn't be helping clean any of the infected
> machines on their private network.  My suggestion would actually enforce
> cleaning machines and educating users instead of burying our heads in
> the sand hoping the problem will go away.
> Protecting uneducated users from themselves is an admirable goal, but
> the alternative that I've given is as simple as turning off their
> service when they are in violation.  Then the user, not the ISP, is
> responsible for taking care of their problems and proving that the
> problems are resolved.  This is how life is in almost all aspects except
> the Internet.  I agree with the fishing license analogy... why should
> users be allowed on the Internet without a license?  This system could
> be used as a licensing system for those that have been found in violation.
> The general consensus seems to be that ISPs are either lazy, uneducated,
> or don't care.  My solution takes the effort away from the ISP.  All
> they have to do for new customers is check the database to see if
> they're flagged as bad.  And for existing customers that are reported to
> them, turn off their service completely and refer them to an outside
> company for certification.  If a customer is marked as bad, they have to
> have a certificate (or license) to change the bad rating to a certified
> (licensed) rating.  Everyone is assumed to be ok until they are flagged
> or reported.  It's a simple system that doesn't require the ISP to do
> any firewall/nat/proxy programming at all... just use their current
> billing system (or however they do it already) to block the violators
> account.

Actually, to cover this sort of thing, you could amend my original proposal 
(in another email) and add a 4th option:

4. Infected/Compromised. Block pretty much everything except access to a set 
of tools and their update mechanisms, etc. This will allow the user to get 
updates and fixes installed, disinfect their machine, clean it up, etc.

This gives you the ISP black-holing mechanism you've suggested, gives the end 
user a chance to get things taken care of (by themselves or with an external 
company's help), while protecting them from the world, and the world from 

 Stuart Young - aka Cefiar - cef at optus.net
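As an added illustration that is not from this thread, here is one way an ISP edge filter could implement the fixed filtering groups with nftables: a customer's address goes into exactly one group set when it is allocated, and the rule count grows with the number of groups rather than the number of customers. The group names other than the quarantine group (option 4 above), and every address used, are assumed placeholders.

```nftables
#!/usr/sbin/nft -f
# Added illustration (not from the thread): group-based filtering on an ISP
# edge router using nftables. Each customer IP is placed in exactly one
# group set when the address is allocated; the rule count grows with the
# number of groups, not the number of customers, and membership costs a
# single set lookup per packet.
table inet isp_filter {
    # One set per filtering group. Only the "quarantine" group (option 4 in
    # the post) is spelled out here; the other group names are assumptions.
    set grp_default    { type ipv4_addr; flags interval; }
    set grp_server     { type ipv4_addr; flags interval; }
    set grp_quarantine { type ipv4_addr; flags interval; }

    # Constructed placeholder addresses for AV/OS update servers and the
    # ISP's own resolver; a real deployment would fill these in properly.
    set update_servers { type ipv4_addr; elements = { 192.0.2.10, 192.0.2.11 } }
    set isp_resolvers  { type ipv4_addr; elements = { 192.0.2.53 } }

    chain forward {
        type filter hook forward priority 0; policy accept;
        # Dispatch on group membership first, so a host moved into quarantine
        # also loses its already-established sessions.
        ip saddr @grp_quarantine jump quarantine
        ct state established,related accept
        ip saddr @grp_default jump default_group
        # grp_server has no restrictions and falls through to the accept policy.
    }

    # Option 4: compromised hosts reach only DNS and the update/disinfection tools.
    chain quarantine {
        ip daddr @isp_resolvers udp dport 53 accept
        ip daddr @update_servers tcp dport { 80, 443 } accept
        # Everything else is dropped; a rate-limited log feeds the abuse desk.
        limit rate 5/minute log prefix "isp-quarantine-drop "
        drop
    }

    # Default residential group: port 25 closed by default except to the
    # ISP's own relay (placeholder 192.0.2.25), as discussed in the thread.
    chain default_group {
        tcp dport 25 ip daddr != 192.0.2.25 drop
        accept
    }
}

# Moving a customer between groups is a set update, not a new rule, e.g.:
#   nft delete element inet isp_filter grp_default { 203.0.113.45 }
#   nft add element inet isp_filter grp_quarantine { 203.0.113.45 }
```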
