[Dshield] Possible solution for ISP (was DShield's public goals)

Cefiar cef at optus.net
Sat Jan 14 01:21:58 GMT 2006


On Saturday 14 January 2006 03:08, Laura Vance wrote:
> The ISPs don't have to start blocking until a majority of ISPs are
> onboard with the system.  The rest of the system would be fine, and they
> wouldn't even have to kick the user off if Cefiar's suggestion was used
> about limiting the infected machine to only run utilities to repair it
> before their link is opened back up fully.  It would also serve as a
> notification that the user is infected... and, most importantly, it
> could be mostly automated.

As an addendum to this: If the ISP then adds transparent proxying to the mix 
(even if only for the infected users), then when the user is infected, the 
ISP could redirect all web queries destined to systems outside of the ISP's 
control to a fixed webpage telling the user that they are infected, what with 
(if known), what tools are available to fix/manage the problem, who can help 
them fix it (eg: 3rd party companies) if they aren't compentent enough, etc.

> The basic idea is very flexible, but it seems that all you are trying to
> do is dismiss it or shoot it down with statements that have already been
> addressed.  If you spent the same effort helping to cultivate the idea
> it would become a better system that could have ISPs jumping onboard.

I'm happy with the idea if it's implemented right, and in a way that an ISP 
can easily manage. Part of the idea with my previous suggestion of having the 
user moved to a designated IP range based on their status (NAT equivalent, 
some blocked ports, open, infected) allows easy segregation at any router 
along the way using null routing or firewalling (as appropriate). The ISP 
themselves can simply say "this address space is not to route outside of X" 
and drop the packets (as necessary) with little or no intervention. By 
advertising that a specific range of IP addresses belongs to a specific type 
of user (wether through a list like yours, or other means) then other ISP's 
can decide wether they want to drop the packets from that ISP at various 
places (eg: don't allow the "NAT equivalent" group to connect to end-users 
who also are in a "NAT equvalent" group).

If the ISP chooses a bad policy for handling this (eg: dropping packets from 
ISP X's "open" group), then it'll be on the ISP's head, and I'm sure that 
users at that ISP will let the ISP know how bad their decision is, most 
likely by leaving.

-- 
 Stuart Young - aka Cefiar - cef at optus.net


More information about the list mailing list