[Dshield] Possible solution for ISP (was DShield's public goals)

Anonymous Squirrel anonymous.squirrel at gmail.com
Tue Jan 17 17:11:12 GMT 2006


On 1/17/06, Johannes B. Ullrich <jullrich at sans.org> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> > 1) Does the ISP blacklist the entire connection, even if the problem
> > computer is no longer at the residence?
>
> The entire connection is blacklisted. Once the customer fixes the
> problem (e.g. by sending the kids back to school), the connection is
> opened up again.


And this opens up a can of worms.  Apparently the connection is reopened
solely on the customer's assertion that the problem is fixed.  Most customers
won't know what the problem happens to be, and won't care to pay someone to
find out.  But they can figure out that if they say the problem is fixed,
the connection is reopened. So, the ISP detects a problem yet again, cuts
off the connection again, the customer gets frustrated, and the problem
grows from a security problem into a customer service problem.  Perhaps the
ISP has a franchise granted by a governmental entity.  Then the problem can
also become political -- if enough customers *think* they are wrongly
blacklisted.

>
> > 2) Do *all* computers at that connection have to be checked by a
> certified
> > checker (e.g. Geeks on Call)?  How does the ISP know how many should be
> > cleaned?  If one is cleaned, are all deemed cleaned?  (for bonus points,
> > after a residential user pays to have several computers checked, and all
> are
> > found to be clean, how long does the ISP keep the customer?)
>
> If the customer runs the NAT gateway, then it is up to them to figure
> out.


That works so long as the customer is motivated and capable of figuring it
out (or is willing to pay $$$).  Few are.  Of course, nothing in the system
keeps the problem from festering and growing.  See #1 above.

>
> > 4) How does the resident shield confidential information from the
> checkers?
> > Think carefully before answering this one.  Anyone on this list likely
> > could shield it without any problems, but the average user probably
> could
> > not.
> >
>
> There are no 'checkers'. The ISP will not send anybody out. On the other
> hand, at that point the confidential information will likely already be
> posted. The ISP may do a vulnerability scan. But it is very unusual for
> anything confidential getting revealed during a simple port scan (or
> even vulnerability scan like nessus).
>
I was referring to those customers who must obtain assistance from someone
knowledgeable, perhaps someone operating at a storefront or from a newspaper
ad.  The customer doesn't know how to protect the data on the box.  And the
data may not have been compromised -- yet.  By forcing the customer to look
for help, could the proposal increase identity theft?

