[Dshield] Possible solution for ISP (was DShield's public goals)

Laura Vance vancel at winfreeacademy.com
Fri Jan 13 16:24:08 GMT 2006

Ed Truitt wrote:

>And what do you use as the criteria for determining the validity of a report?  For example, we know that the DShield database is an excellent source on who is 'attacking' others - but we also know (cuz Johannes tells us so) that it is full of 'false positives' - which he won't clear out.  Well, I can see some ISP deciding to use DShield as a way to determine 'bad users' within their IP space, along with other data sources, and the problems it would cause.
>And remember, people don't get on the TSA's list for no reason (OK, maybe they do... Bad example). However, those names probably didn't materialize out of thin air - there was a criteria used for putting them on the list, strange as it may seem.  Do you really think the ISPs would do a better job of managing a list than the folks at TSA/DHS/FBI/ whoever?
The prime difference is that the TSA tries to determine it *before* an 
incident.  This would only be determined *after* an incident has been 
found.  Lives are not on the line here, so finding someone after the 
fact is not a big deal.  Look at how many machines are infected and 
spewing garbage across the Internet right now... and have been for 
months or years without stopping.  Catching someone after the fact is 
easier than trying to figure out who could be bad in the future... which 
is where the TSA/DHS/FBI have their unique challenge that will not (and 
does not need to) be repeated with this system.

Tom's response is a good point too, and I want to add a little more to 
it.  How does Cisco program their self-defending routers/firewalls?  I 
don't know how accurate they are, but I'm guessing that since they are 
part of the ad campaign, that it's fairly safe to say that they are 
accurate enough to use.  If the ISP purchased these routers, all they 
would have to do is let the Cisco software tell them who is infected.  
There is always the possibility of a false-positive, but usually port 
scans and hitting hundreds (or thousands) of different IPs within a 
matter of seconds is a good indication that something is wrong.  Even on 
gnutella (limewire, bearshare, etc), they only have X number of 
simultaneous connections that could be manually set to be well within 
the limit determined by the ISP.

Laura Vance
Systems Engineer
Winfree Academy Charter Schools
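The "hundreds of different IPs within seconds" heuristic from the post above, as an added example (not code from the post or from any ISP/Cisco product): a sliding-window count of distinct destinations per source over constructed flow-log lines in the form "<epoch> <src> <dst> <dport>". The threshold, window length and sample traffic are assumptions chosen to show a scanning host tripping the check while a P2P client with 30 steady peers does not.

```python
"""Flag sources that contact many distinct IPs within a short window."""
from collections import defaultdict, deque

# Constructed sample traffic (not real logs):
#   10.0.0.5 sweeps 120 hosts on port 445 within two seconds (scan-like)
#   10.0.0.9 is a gnutella-style client holding 30 peer connections
SAMPLE_LOG = [f"{1000 + i // 60} 10.0.0.5 192.0.2.{i % 250 + 1} 445"
              for i in range(120)]
SAMPLE_LOG += [f"{1000 + t} 10.0.0.9 198.51.100.{p + 1} 6346"
               for t in range(3) for p in range(30)]


def distinct_dst_peaks(lines, window_s=10):
    """Return {src: max number of distinct destinations seen in any window_s span}."""
    events = defaultdict(list)
    for line in lines:
        ts, src, dst, _dport = line.split()
        events[src].append((int(ts), dst))

    peaks = {}
    for src, evs in events.items():
        evs.sort()
        window = deque()            # (ts, dst) events inside the current window
        counts = defaultdict(int)   # dst -> occurrences currently in window
        peak = 0
        for ts, dst in evs:
            window.append((ts, dst))
            counts[dst] += 1
            # Expire events older than the window before measuring
            while window and window[0][0] < ts - window_s:
                _old_ts, old_dst = window.popleft()
                counts[old_dst] -= 1
                if counts[old_dst] == 0:
                    del counts[old_dst]
            peak = max(peak, len(counts))
        peaks[src] = peak
    return peaks


def flag_sources(lines, threshold=100, window_s=10):
    """Sources whose distinct-destination peak exceeds the assumed threshold."""
    peaks = distinct_dst_peaks(lines, window_s)
    return sorted(src for src, peak in peaks.items() if peak > threshold)


if __name__ == "__main__":
    print(flag_sources(SAMPLE_LOG))   # ['10.0.0.5']
```

Tuning the threshold above the connection cap a legitimate P2P client can be configured to is what keeps the file-sharing case on the right side of the line.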
