[Dshield] Possible solution for ISP (was DShield's public goals)

Laura Vance vancel at winfreeacademy.com
Tue Jan 17 17:39:23 GMT 2006


Valdis.Kletnieks at vt.edu wrote:

>Exactly the point.  Not only do they not have to start blocking, they literally
>*can't* start blocking. As a result, you have a very *large* dis-incentive to
>deploy.
>
>Profit margins in the ISP arena are razor thin - it's quite possible for an ISP
>to lose money on a customer that generates *one* help desk call per year.  As a
>result, 
>
>1) Yours is not the only scheme looking for deployment - and they can't afford
>to deploy all of them.  There simply isn't enough money to go around.  So,
>given 5 proposals, and only enough resources for 2 - which 2 do you support?
>Keep in mind that the 3 you don't support may end up stillborn - and the 2 you
>decided to support may *also* not work if your competitor decides to support 2
>others instead.  All the ISPs have to *agree* on which 2 of 5 to support -
>*before* you have any actual deployment experience with any of the 5.
>
This idea isn't looking for deployment, it's an idea that I came up with 
after reading and replying to a post that was proposing blocking *all* 
users from full Internet connections under the premise that no home user 
needs a full Internet connection.  I just came up with the idea, I'm not 
trying to market it to ISPs.  Honestly, I was putting the idea out there 
in hopes that it would get cultivated beyond my intial thoughts to a 
point where someone might talk to the ISPs and propose it. 

The thing is, this idea could be free.  If someone hosted the 
computer(s) that would run the system, there is no other monetary cost 
to the ISP.  It's simply a web site that the sales department checks 
before they sign up a new customer.  It could be done at the same time 
they check the credit score of the customer... maybe even before to save 
the ISP some money on the credit check if the client is on the bad list 
at the moment.

>
>2) A good trick to pull on your competitors is to announce you'll also support
>their pet proposal, and after they deploy, announce you're not going to,
>causing them to expend resources.  You're betting your business plan on your
>competitor's announcements that aren't under your control - never conducive to
>peaceful sleep.
>
It would be easy enough to check to see if your competitor had signed 
up, because the list of participating ISPs could be generated in 
real-time.  It could show how many entries (good or bad) have been made 
by any given ISP without showing the individuals who have been added.  
Once data is collected, reports are easy to generate.

>
>3) It may come as a shock, but there are rogue ISPs out there, which will *say*
>they're participating, but in fact don't bother to. You remember Comcast's big
>"We will block port 25" PR-fest a while ago?  How's that working out?  Well, we
>can check SenderBase:
>
>http://www.senderbase.org/search?searchString=comcast.net
>
>"showing 1-50 of 49705".  Yow. Lots of magnitude 5 and 6 entries. For
>comparison, listserv.vt.edu has been generating a relatively minor 30K emails
>per day off-campus per day of late, and only gets a magnitude 4.4.  So *each*
>of those top 50 is pushing a quarter million e-mails per day and more.
>(Question - why are only 17 of the top 50 their official outbound mail servers,
>and why are they not the top 17? ;)
>
Probably because that involves reprogramming possibly hundreds of 
routers... these man-hours could be avoided.  The disconnection (if that 
was determined to be what was used) could be done via the billing 
system.  ISPs can easily flip a switch in the software when you don't 
pay your bill.  That actually brings up another idea that I'm sure ISPs 
would love.  If an infected customer were warned once or twice that they 
were infected, given the chance to vindicate themselves, but if they 
didn't, the ISP could charge per KByte transferred outbound.  Yes, I 
know this could be taken advantage of by the ISP if they decide to claim 
everyone is infected, but again... it's an idea... it could be fine 
tuned to limit to only those that were infected, or discarded 
altogether... this is what brainstorming is supposed to be.

>
>4) You fail to address what to do about address space that lies outside the US,
>or that is allocated to entities outside the US but has BGP announcements
>sourced inside the US.  Do you block them, or allow them? Discuss the
>challenges of dealing with (3) when the offender is on another continent.
>
If they can get on the web, they would be able to participate too.  If 
the system were free, then it wouldn't be a cost issue.  If they don't 
participate and the policy is to block, then you block them.  Why would 
it make a difference that they are outside of the US?  Commerce is 
important, and when the solution to the problem is free (or ultra low 
cost), the benefit is 100%.  And when I say ultra-low cost, I'm talking 
about only enough to cover the machines (hardware) and the connection.

>
>5) There's also a very real possibility that unless your scheme has some sort
>of legislative backing, that a participating ISP could get sued into bankruptcy
>by a non-participating competitor ISP for restraint-of-trade issues.
>
>
How would this be any different than Earthlink blocking all inbound port 
25 from NetZero's user IP space?  A block is a block.  As I mentioned, 
another option for the block is a partial block.  Allow the 
non-participating ISP users to access the ISP web sites of the 
participating ISP, just don't allow them to connect into the user IP 
space.  They could still surf the web and browse to all sites, just not 
those hosted on the home-user IP range.  I just realized why people 
think this portion is a bad idea.  I didn't make my self clear on what I 
had in mind.  It would basically be exactly as the other people have 
suggested for firewall blocking all home IP space, but instead of 
blocking everyone, it would only block inbound from non-participating 
ISPs.  The block is no different than what everyone seems to think is a 
good idea, it doesn't keep *all* bad ISP users from *all* IPs on the 
good ISP, it only keeps them from the home account IP space.  All of the 
users on the non-participating ISP would still be able to browse all the 
business web sites on the entire Internet as they do now.  Just direct 
inbound connections to home-space would be blocked.
                   

>>The basic idea is very flexible, but it seems that all you are trying to 
>>do is dismiss it or shoot it down with statements that have already been 
>>addressed.  If you spent the same effort helping to cultivate the idea 
>>it would become a better system that could have ISPs jumping onboard.
>>
>
>Simply repeating "ISPs dont' have to do this till they've all deployed it"
>because it's your mantra doesn't mean you're actually addressing the real
>problem, which is that you're asking some 3,000 ISPs to agree to deploy
>something that's untested, cannot be tested until their competitors also deploy
>it, and which they get no benefit from until it's fully deployed, and you're
>not making an actual *business case* for the ISP to shell out all these
>up-front resources, when the ISP would much rather put resources into projects
>that have either immediate or incremental gain, so they see benefits right off
>the bat.
>
They do get a benefit before it's fully deployed, because another part 
of the idea is that they no longer have to provide tech support for 
non-connection issues.  Customers won't call them for virus infections 
any more.. and if they do, they will be directed to one of the 
authorized companies that specifically deal with these issues.  ISPs 
would only have to handle an issue when the DSL modem doesn't work or 
the user doesn't have their network settings configured correctly.  
Those happen much more infrequently than all of the other calls.  ISPs 
already outsource most of their tech support anyway, so why not just 
drop responsibility for the user's machine health completely?  There is 
nothing more frustrating to me when I call my ISP with a connection 
issue and they start trying to troubleshoot my computer.  I never call 
them for computer support, and most people call their computer seller 
(Dell, Compaq) when they have a computer problem.  Plus, ISPs already 
defer a lot of problems to the computer manufacturer anyway.  This would 
be one more thing they don't have to have the staff to handle.

>
>As Fergie pointed out, getting enough ISPs to deploy this will be difficult,
>given that even no-brainers like BCP38 (which *does* have immediate and
>incremental benefits for the ISP when they deploy, whether or not their
>competitors do as well) are only deployed by some 75% of the address space.
>
>In fact, the fact that the MIT Spoofer project is having trouble even getting
>an accurate *estimate* of how many places deploy BCP38 should be a big warning
>sign. See http://momo.lcs.mit.edu/spoofer/ for details....
>
>And as Fergie will attest, if you're thinking that *I* am being negative on
>your idea, you're in for a very rude awakening if/when you try to sell your
>idea on the IETF and NANOG lists (if you don't understand why you'll be on
>those lists to sell your idea, you're in over your head).  
>
I'm not trying to "sell" my idea.  I didn't post it here to get all of 
the negativity that I've gotten.  I posted it to spark an idea in 
someone that would be willing to take it farther, not have all of the 
pessimists give me every reason that it won't work.  The thing that so 
many people don't seem to understand is that you don't know if something 
will work until you try it.  I've spent my entire adult working life 
doing things that people say is impossible for whatever reason.  There's 
a saying that I don't remember where I read it, but it basically says 
that the people saying that something can't be done should get out of 
the way of those doing it.  I was taught that when you come up with a 
reason that something is wrong, you should also come up with a 
suggestion to correct it.  There have been a few that have done this, 
and I appreciate their input, because there are a lot of things that I 
don't know... who knows, maybe one of them will take the idea and run 
with it.  And contrary to what anyone may think, I don't really care if 
anyone knows where this version of the idea started.

And here's the thing... I'm not attached to this idea other than trying 
to get people to see that most of the objections are based on other 
models that may be similar, but they are still different.  In the 
business world, what makes one product fail and another one that's 99% 
the same sell like crazy?  We don't know if one idea will or will not 
work until we try, and I'm not talking about the type of try where you 
talk down about it to the users basically implying that you don't agree 
with it.

>
>Vernon Schryver got so tired of hearing modifications on the same exact anti-spam
>ideas by people who didn't realize that maybe the idea had been already thought
>of, examined, and discarded as unworkable multiple times, that he wrote this:
>
>http://www.rhyolite.com/anti-spam/you-might-be.html
>
>(For bonus points - why did Vernon put the "critical thinker" entry on there?)
>
>
Has this idea been brought up before?  I know that what I've seen here 
and other places have had similar ideas, but they all involve blocking 
everyone from user-space of every other ISP.  The NAT solution, blocking 
all inbound ports via firewall, and many other solutions involve 
punishing everyone because so many people are clueless.  Of course I can 
see problems with the implementation, but that was why I originally 
posted it here... to get input... to get people to brainstorm.  Does 
this list actually share ideas about security any more or does everyone 
just focus on shooting down unfinished ideas?  I didn't post it here as 
a business proposal, just as a thought provoker.

-- 
Thanks,
Laura Vance
Systems Engineer
Winfree Academy Charter Schools




More information about the list mailing list