[Dshield] Possible solution for ISP (was DShield's public goals)
Johannes B. Ullrich
jullrich at sans.org
Tue Jan 17 17:35:05 GMT 2006
Anonymous Squirrel wrote:
> On 1/17/06, Johannes B. Ullrich <jullrich at sans.org> wrote:
>>> 1) Does the ISP blacklist the entire connection, even if the problem
>>> computer is no longer at the residence?
>> The entire connection is blacklisted. Once the customer fixes the
>> problem (e.g. by sending the kids back to school), the connection is
>> opened up again.
> And this opens up a can of worms. Apparently the connection is reopened
> solely on the customer's assertion that the problem is fixed. Most customers
> won't know what the problem happens to be, and won't care to pay someone to
> find out. But they can figure out that if they say the problem is fixed,
> the connection is reopened. So, the ISP detects a problem yet again, cuts
> off the connection again, the customer gets frustrated, and the problem
> grows from a security problem into a customer service problem. Perhaps the
> ISP has a franchise granted by a governmental entity. Then the problem can
> also become political -- if enough customers *think* they are wrongly
Most ISPs already have some kind of "three strikes and you are out"
rule. If you have repeated issues, you are cut off for good.
>>> 2) Do *all* computers at that connection have to be checked by a
>>> checker (e.g. Geeks on Call)? How does the ISP know how many should be
>>> cleaned? If one is cleaned, are all deemed cleaned? (for bonus points,
>>> after a residential user pays to have several computers checked, and all
>>> found to be clean, how long does the ISP keep the customer?)
>> If the customer runs the NAT gateway, then it is up to them to figure
> That works so long as the customer is motivated and capable of figuring it
> out (or is willing to pay $$$). Few are. Of course, nothing in the system
> keeps the problem from festering and growing. See #1 above.
Most users manage to stay "within bounds". If they have issues, things
like the limited service (NAT + Firewall) will keep them reasonably
clean or limit damage to the network.
>>> 4) How does the resident shield confidential information from the
>>> Think carefully before answering this one. Anyone on this list likely
>>> could shield it without any problems, but the average user probably
>> There are no 'checkers'. The ISP will not send anybody out. On the other
>> hand, at that point the confidential information will likely already be
>> posted. The ISP may do a vulnerability scan. But it is very unusual for
>> anything confidential getting revealed during a simple port scan (or
>> even vulnerability scan like nessus).
> I was referring to those customers who must obtain assistance from someone
> knowledgeable, perhaps someone operating at a storefront or from a newspaper
> ad. The customer doesn't know how to protect the data on the box. And the
> data may not have been compromised -- yet. By forcing the customer to look
> for help, could the proposal increase identity theft?
The reason for them needing help is that their data is compromised in
the first place.
Johannes Ullrich jullrich at sans.org
Chief Research Officer (617) 639 5000
PGP Key: https://secure.dshield.org/PGPKEYS
"We use [isc.sans.org] every day to keep on top of
security at our bank" Matt, Network Administrator.