[Dshield] Possible solution for ISP (was DShield's public goals)

Johannes B. Ullrich jullrich at sans.org
Tue Jan 17 15:24:00 GMT 2006



Anonymous Squirrel wrote:
> I haven't seen this typical scenario discussed: A residential connection to
> a home network, with a few "always on" computers, and a few visitors that
> appear for a few weeks and drop off the network (say college kids home for
> holidays).  A problem pops up and the residential connection.
> 
> Questions:
> 
> 1) Does the ISP blacklist the entire connection, even if the problem
> computer is no longer at the residence?

The entire connection is blacklisted. Once the customer fixes the
problem (e.g. by sending the kids back to school), the connection is
opened up again.

> 
> 2) Do *all* computers at that connection have to be checked by a certified
> checker (e.g. Geeks on Call)?  How does the ISP know how many should be
> cleaned?  If one is cleaned, are all deemed cleaned?  (for bonus points,
> after a residential user pays to have several computers checked, and all are
> found to be clean, how long does the ISP keep the customer?)

If the customer runs the NAT gateway, then it is up to them to figure
out. If the ISP provides the gateway (and has the ability to identify
individual systems behind it), then it could be up to the ISP to block
only the 'offending' one.

> 
> 3) How does the ISP's contracted checker deal with non-standard machines,
> say a custom built OS that the employees may not have a prayer of
> understanding?  Or does the ISP only allow certain machines in certain
> configurations on their network, thereby solidifying the Microsoft monopoly
> in the name of simplicity? (FWIW, Cox acts dumb when I call with a
> connection problem and tell them I don't have a "Start" button.  They refuse
> to provide any support unless I boot into Windoze).

It's simple: If your computer causes problems, it's cut off no matter what
the OS is. It's overall up to the owner of the system to get the problem
fixed. The ISP can only provide limited assistance. They may recommend a
for-pay service to get the problem solved, or send the customer to the
maker of the OS for support.

It's the ISP's responsibility to secure the network. Turning off service
is part of that if a customer endangers the security of the network. But
the ISP cannot fix the end system. There may be some exceptions where
the ISP provides the end system (e.g. WebTV).


> 
> 4) How does the resident shield confidential information from the checkers?
> Think carefully before answering this one.  Anyone on this list likely
> could shield it without any problems, but the average user probably could
> not.
> 

There are no 'checkers'. The ISP will not send anybody out. On the other
hand, at that point the confidential information will likely already be
posted. The ISP may do a vulnerability scan. But it is very unusual for
anything confidential to get revealed during a simple port scan (or
even a vulnerability scan like Nessus).
