[Dshield] My Dream ISP (was: public goals)

M Cook dshieldlists at versateam.com
Sun Jan 15 18:58:36 GMT 2006

I particularly like the way this could be automated.  The switch from 
"safe" to "firewalled" to "advanced, with port forwarding" could be done 
fairly easily at certain trigger points, including (as you mention) a 
user taking a simple test, but also spam complaints (e.g. dozens, from 
different recipients) or increased traffic with a particular 
exploitation "signature". By contract or agreement, this could be 
extended to the ISP scanning for exploits, such as open ports that 
respond in a certain way, all in an automated process.

VOIP is just one of the services a customer might legitimately expect to 
have a higher priority -- that is, to continue to work if the modem is 
put into safe mode. There are other ways a VOIP service could be very 
important to me -- maybe it supports my business, or I need to use it to 
call my physician. There could be some simple suggestions to a customer 
to say which services (if any) will stop working if the modem goes to 
safe mode and how to prevent that from happening (e.g. don't run any 
other servers, or run just the one server that is a high priority, to 
reduce the risk of getting exploited).

On the other hand, many modem/routers these days come with built in 
support for VOIP (e.g. Vonage) -- that is, the household phone system is 
plugged directly into the cable modem/router. If the VOIP is originating 
at the modem/router, it could be allowed by "safe mode" to continue 
functioning. At least that would be true if we assume the modem has been 
programmed well and the firmware can be updated as needed to keep it secure.

The question of whether or not a VOIP service supports "911" emergency service 
is separate. Whether or how VOIP can support "911" service is really not 
terribly relevant to the question of how an ISP should respond when 
residential computers become zombies in some crime syndicate's botnet.

Johannes B. Ullrich wrote:

>Let me dream a bit. I don't suggest that ISPs have to do this. But I
>think it should be doable:
>First of all, the modem (DSL or Cable or whatever) should provide a
>firewall. By default, all inbound traffic should be blocked, and it
>should provide NAT.
>In order to enable ports, or turn it into a bridge, you have to pass a
>little exam. This would be web based and all automated. Sample question
>"do you have a personal firewall", "do you have anti virus" ...
>Depending on how well you do, you should be able to turn off the
>Firewall or the NAT.
>If there is an abuse report, the customer is called automatically. The
>system will require a response ("Press 1 if you have the issue fixed,
>press 2 if you want your modem turned into safe mode...)
>If a system turns out to be infected/hacked, and the customer does not
>respond (24hrs?), the modem is turned into a 'safe mode' which only
>allows access to a limited number of sites (update sites, anti virus,
>internal help sites...). Again: This happens after phone calls and emails.
>Once the customer fixed the system, they call the ISP (or visit the
>internal, still accessible web site), and requests to re-enable the
>modem. The ISP may do a quick scan of the system to check if the issue
>is fixed and turn the control of the modem over to the user.
>Of course, if this happens too much, more severe penalties may be put in
>Advantage of this system: Very little 'human interaction'. So it should
>be cheap to implement. And flexible, so everyone is happy.
>Some ISPs, (and in particular universities) are already very close to
>this with their "walled garden" setups that allow access to limited
>sites if a system is considered 'off'
>One big issue that came up only recently is VoIP, and the ability to
>call 911... But expecting reliable service for a 'live line' like 911
>access from a consumer "best effort" service level contract is a stretch
>to begin with (not a big fan of 911 requirement for VoIP myself... )