[Dshield] Possible solution for ISP (was DShield's public goals)

Ed Truitt ed.truitt at etee2k.net
Fri Jan 13 10:26:32 GMT 2006


And what do you use as the criteria for determining the validity of a report?  For example, we know that the DShield database is an excellent source on who is 'attacking' others - but we also know (cuz Johannes tells us so) that it is full of 'false positives' - which he won't clear out.  Well, I can see some ISP deciding to use DShield as a way to determine 'bad users' within their IP space, along with other data sources, and the problems it would cause.

And remember, people don't get on the TSA's list for no reason (OK, maybe they do... Bad example). However, those names probably didn't materialize out of thin air - there was a criteria used for putting them on the list, strange as it may seem.  Do you really think the ISPs would do a better job of managing a list than the folks at TSA/DHS/FBI/ whoever?

-EdTr
-----Original Message-----
From: Laura Vance <vancel at winfreeacademy.com>
Date: Thu, 12 Jan 2006 11:19:23 
To: General DShield Discussion List <list at lists.dshield.org>
Subject: Re: [Dshield] Possible solution for ISP (was DShield's public goals)

Ed Truitt wrote:

>This database of 'bad' users sounds a LOT like the TSA's "no fly" list -- and there is some concern about how that is working out (more than concern if you have to undergo a cavity search every time you fly, because you happen to share a name with some maybe-terrorist.). The maintainability problems of this proposed list appear to be similar - who vets the names? How does one ever get off the list?
>
>Cheers,
>-E D Truitt
>  
>
I mentioned these in the initial suggestion.

First concern is that this one doesn't try to pre-determine if someone 
is bad.  The TSA tries to determine evil-doers before they do evil.  
This suggestion only flags people that have already gotten infected.  
Only after either the ISP notices it, or if someone reports that user to 
the ISP.  It doesn't punish someone for what they *might* do, only for 
what they just did.

Second concern is who keeps track of it.  All ISPs would enter the 
names as they get blocked.  It's just a central computer running a 
system that ISPs simply log into to add or check names (or some other 
uniquely identifiable information).  The ISP adds names as they get 
infected/blocked, and the ISP can unflag them when they have met the 
criteria for removal.  Every ISP would have the same ability to do this, 
because the list would be available to all ISPs.  It could maybe even 
track which ISPs users have used... track user migration from ISP to ISP 
so the ISPs know what to do to attract more customers... but that's not 
the focus of this particular system.

Third concern about how do they get off the list.  If you are flagged as 
bad or blocked (however the term will be), you take your computer to an 
authorized place (or maybe even geeks on call could do it).  There would 
be specific companies that are authorized to certify that a computer has 
been cleaned and an attempt has been made to educate the owner.  The 
owner then sends this via fax (or postal service) to the ISP, or the 
company that repaired it faxes it to the ISP and voilà, the user is back 
online.

Something that would be good is if once someone has been educated, it 
goes on their record as a good mark, and then everyone will know that 
Joe Blow has passed training on how to keep his computer safe, so he may 
get preferential treatment at future ISPs... but that's getting ahead of 
myself.
-- 

Thanks,
Laura Vance
Systems Engineer
Winfree Academy Charter Schools



Cheers,
-E D Truitt
