[Dshield] Possible solution for ISP (was DShield's public goals)

Johannes B. Ullrich jullrich at sans.org
Tue Jan 17 17:35:05 GMT 2006

Hash: RIPEMD160

Anonymous Squirrel wrote:
> On 1/17/06, Johannes B. Ullrich <jullrich at sans.org> wrote:
>> Hash: RIPEMD160
>>> 1) Does the ISP blacklist the entire connection, even if the problem
>>> computer is no longer at the residence?
>> The entire connection is blacklisted. Once the customer fixes the
>> problem (e.g. by sending the kids back to school), the connection is
>> opened up again.
> And this opens up a can of worms.  Apparenlty rhe connection is reopened
> solely on the customer's assertion that the problem fixed.  Most customer's
> won't know what the problem happens to be, and won't care to pay someone to
> find out.  But they can figure out that if they say the problem is fixed,
> the connection is reopened. So, the ISP detects a problem yet again, cuts
> off the connection again, the customer gets frustrated, and the problem
> grows from a security problem into a customer service problem.  Perhaps the
> ISP has a franchise granted by a governmental entity.  Then the problem can
> also become political -- if enough customers *think* l they are wrongly
> blacklisted.

Most ISPs already have some kind of "three strikes and you are out"
rule. If you have repeated issues, you are cut off for good.

>>> 2) Do *all* computers at that connection have to be checked by a
>> certified
>>> checker (e.g. Geeks on Call)?  How does the ISP know how many should be
>>> cleaned?  If one is cleaned, are all deemed cleaned?  (for bonus points,
>>> after a residential user pays to have several computers checked, and all
>> are
>>> found to be clean, how long does the ISP keep the customer?)
>> If the customer runs the NAT gateway, then it is up to them to figure
>> out.
> That works so long as the customer is motivated and capable of figuring it
> out (or is willing to pay $$$).  Few are.  Of course, nothing in the system
> keeps the problem from festing and growing.  See #1 above.

Most users manage to stay "within bounds". If they have issues, things
like the limited service (NAT + Firewall) will keep them reasonably
clean or limit damage to the network.

>>> 4) How does the resident shield confidential information from the
>> checkers?
>>> Think carefully before answering this one.  Anyone on this list llikely
>>> could shield it without any problems, but the average user probably
>> could
>>> not.
>> There are no 'checkers'. The ISP will not send anybody out. On the other
>> hand, at that point the confidential information will likely already be
>> posted. The ISP may do a vulnerability scan. But it is very unusual for
>> anything confidential getting revealed during a simple port scan (or
>> even vulnerability scan like nessus).
>> I was referring to those customer who must obtain assistance from someone
> knowledgeable, perhaps someone operating at a storefront or from a newspaper
> ad.  The customer doesn't know how to protect the data on the box.  And the
> data may not have been compromised -- yet.  By forcing the customer to look
> for help, could the proposal increase identity theft?

The reason for them needing help is that there data is compromissed in
the first place.

> _________________________________________
> Learn about Intrusion Detection in Depth from the comfort of your own couch:
> https://www.sans.org/athome/details.php?id=1341&d=1
> _______________________________________________
> send all posts to list at lists.dshield.org
> To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list

- --
- ---------
Johannes Ullrich                        jullrich at sans.org
Chief Research Officer                     (617) 639 5000
PGP Key: https://secure.dshield.org/PGPKEYS

"We use [isc.sans.org] every day to keep on top of
 security at our bank" Matt, Network Administrator.

Version: GnuPG v1.4.1 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


More information about the list mailing list