[Dshield] Possible solution for ISP (was DShield's public goals)
vancel at winfreeacademy.com
Fri Jan 13 16:24:08 GMT 2006
Ed Truitt wrote:
>And what do you use as the criteria for determining the validity of a report? For example, we know that the DShield database is an excellent source on who is 'attacking' others - but we also know (cuz Johannes tells us so) that it is full of 'false positives' - which he won't clear out. Well, I can see some ISP deciding to use DShield as a way to determine 'bad users' within their IP space, along with other data sources, and the problems it would cause.
>And remember, people don't get on the TSA's list for no reason (OK, maybe they do... Bad example). However, those names probably didn't materialize out of thin air - there was a criteria used for putting them on the list, strange as it may seem. Do you really think the ISPs would do a better job of managing a list than the folks at TSA/DHS/FBI/ whoever?
The prime difference is that the TSA tries to determine it *before* an
incident. This would only be determined *after* an incident has been
found. Lives are not on the line here, so finding someone after the
fact is not a big deal. Look at how many machines are infected and
spewing garbage across the Internet right now... and have been for
months or years without stopping. Catching someone after the fact is
easier than trying to figure out who could be bad in the future... which
is where the TSA/DHS/FBI have their unique challenge that will not (and
does not need to) be repeated with this system.
Tom's response is a good point too, and I want to add a little more to
it. How does Cisco program their self-defending routers/firewalls? I
don't know how accurate they are, but I'm guessing that since they are
part of the ad campaign, that it's fairly safe to say that they are
accurate enough to use. If the ISP purchased these routers, all they
would have to do is let the Cisco software tell them who is infected.
There is always the possibility of a false-positive, but usually port
scans and hitting hundreds (or thousands) of different IP's within a
matter of seconds is a good indication that something is wrong. Even on
gnutella (limewire, bearshare, etc), they only have X number of
simultaneous connections that could be manually set to be well within
the limit determined by the ISP.
Winfree Academy Charter Schools
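The heuristic sketched in the post above (a host that touches hundreds of distinct IPs within seconds is probably infected, while a P2P client with a bounded peer count stays under the limit) can be expressed as a per-source sliding-window fan-out detector. The following is an added example, not code from the post or from any Cisco or ISP product; the 10-second window, the 100-distinct-destination threshold, and the flow records it runs over are all constructed assumptions chosen to illustrate the point.

```python
"""Flag sources that contact too many distinct destination IPs in a short window.

Added example, not from the original mailing-list post. Window and threshold
values are assumed; the flow records in sample_flows() are constructed.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, NamedTuple, Tuple


class Flow(NamedTuple):
    ts: float      # seconds (any monotonic clock); flows must be fed in time order
    src: str       # source IP inside the ISP's address space
    dst: str       # destination IP
    dport: int     # destination port


def fanout_alerts(flows: Iterable[Flow], window: float = 10.0,
                  max_distinct_dsts: int = 100) -> List[Tuple[str, float, int]]:
    """Return (src, ts, distinct_dst_count) for each source whose number of
    distinct destination IPs within any `window`-second span exceeds
    `max_distinct_dsts`. One alert per continuous above-threshold run.

    Per source we keep a deque of (ts, dst) in arrival order plus a map of
    dst -> in-window flow count, so expiring old records is O(1) per flow.
    """
    recent: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)
    counts: Dict[str, Dict[str, int]] = defaultdict(dict)
    above: Dict[str, bool] = defaultdict(bool)
    alerts: List[Tuple[str, float, int]] = []
    for f in flows:
        q = recent[f.src]
        c = counts[f.src]
        # Drop records that have fallen out of the window.
        while q and f.ts - q[0][0] > window:
            _, old_dst = q.popleft()
            c[old_dst] -= 1
            if c[old_dst] == 0:
                del c[old_dst]
        q.append((f.ts, f.dst))
        c[f.dst] = c.get(f.dst, 0) + 1
        distinct = len(c)
        if distinct > max_distinct_dsts:
            if not above[f.src]:          # rising edge only: avoid one alert per packet
                alerts.append((f.src, f.ts, distinct))
                above[f.src] = True
        else:
            above[f.src] = False
    return alerts


def sample_flows() -> List[Flow]:
    """Constructed traffic: a Gnutella-style client with 40 peers spread over a
    minute, and a worm-like host sweeping a /24 on port 445 in about 5 seconds."""
    flows: List[Flow] = []
    for i in range(40):   # P2P client: bounded peer set, slow churn
        flows.append(Flow(ts=1000.0 + i * 1.5, src="10.0.0.5",
                          dst=f"198.51.100.{i}", dport=6346))
    for i in range(1, 255):   # scanner: 254 destinations, 20 ms apart
        flows.append(Flow(ts=1030.0 + i * 0.02, src="10.0.0.9",
                          dst=f"203.0.113.{i}", dport=445))
    flows.sort(key=lambda f: f.ts)
    return flows


if __name__ == "__main__":
    for src, ts, n in fanout_alerts(sample_flows()):
        print(f"{src} hit {n} distinct destinations within 10s at t={ts:.2f}")
```

With the assumed defaults only the scanning host is reported (at the 101st distinct destination, about two seconds into the sweep); the P2P client never has more than seven distinct peers in any 10-second window, which is the "well within the limit" case the post describes. Lowering `max_distinct_dsts` to 6 flags the P2P client too, which is the false-positive risk the post acknowledges and why the threshold has to be set per ISP rather than guessed. On real NetFlow/sFlow input you would also key on distinct ports and reset state when flows arrive out of order.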