[Dshield] Possible solution for ISP (was DShield's public goals)
vancel at winfreeacademy.com
Tue Jan 17 17:39:23 GMT 2006

Valdis.Kletnieks at vt.edu wrote:
>Exactly the point. Not only do they not have to start blocking, they literally
>*can't* start blocking. As a result, you have a very *large* dis-incentive to
>Profit margins in the ISP arena are razor thin - it's quite possible for an ISP
>to lose money on a customer that generates *one* help desk call per year. As a
>1) Yours is not the only scheme looking for deployment - and they can't afford
>to deploy all of them. There simply isn't enough money to go around. So,
>given 5 proposals, and only enough resources for 2 - which 2 do you support?
>Keep in mind that the 3 you don't support may end up stillborn - and the 2 you
>decided to support may *also* not work if your competitor decides to support 2
>others instead. All the ISPs have to *agree* on which 2 of 5 to support -
>*before* you have any actual deployment experience with any of the 5.

This idea isn't looking for deployment, it's an idea that I came up with
after reading and replying to a post that was proposing blocking *all*
users from full Internet connections under the premise that no home user
needs a full Internet connection. I just came up with the idea, I'm not
trying to market it to ISPs. Honestly, I was putting the idea out there
in hopes that it would get cultivated beyond my initial thoughts to a
point where someone might talk to the ISPs and propose it.
The thing is, this idea could be free. If someone hosted the
computer(s) that would run the system, there is no other monetary cost
to the ISP. It's simply a web site that the sales department checks
before they sign up a new customer. It could be done at the same time
they check the credit score of the customer... maybe even before to save
the ISP some money on the credit check if the client is on the bad list
at the moment.

>2) A good trick to pull on your competitors is to announce you'll also support
>their pet proposal, and after they deploy, announce you're not going to,
>causing them to expend resources. You're betting your business plan on your
>competitor's announcements that aren't under your control - never conducive to

It would be easy enough to check to see if your competitor had signed
up, because the list of participating ISPs could be generated in
real-time. It could show how many entries (good or bad) have been made
by any given ISP without showing the individuals who have been added.
Once data is collected, reports are easy to generate.

>3) It may come as a shock, but there are rogue ISPs out there, which will *say*
>they're participating, but in fact don't bother to. You remember Comcast's big
>"We will block port 25" PR-fest a while ago? How's that working out? Well, we
>can check SenderBase:
>"showing 1-50 of 49705". Yow. Lots of magnitude 5 and 6 entries. For
>comparison, listserv.vt.edu has been generating a relatively minor 30K emails
>per day off-campus of late, and only gets a magnitude 4.4. So *each*
>of those top 50 is pushing a quarter million e-mails per day and more.
>(Question - why are only 17 of the top 50 their official outbound mail servers,
>and why are they not the top 17? ;)

Probably because that involves reprogramming possibly hundreds of
routers... these man-hours could be avoided. The disconnection (if that
was determined to be what was used) could be done via the billing
system. ISPs can easily flip a switch in the software when you don't
pay your bill. That actually brings up another idea that I'm sure ISPs
would love. If an infected customer were warned once or twice that they
were infected, given the chance to vindicate themselves, but if they
didn't, the ISP could charge per KByte transferred outbound. Yes, I
know this could be taken advantage of by the ISP if they decide to claim
everyone is infected, but again... it's an idea... it could be
fine-tuned to limit to only those that were infected, or discarded
altogether... this is what brainstorming is supposed to be.

>4) You fail to address what to do about address space that lies outside the US,
>or that is allocated to entities outside the US but has BGP announcements
>sourced inside the US. Do you block them, or allow them? Discuss the
>challenges of dealing with (3) when the offender is on another continent.

If they can get on the web, they would be able to participate too. If
the system were free, then it wouldn't be a cost issue. If they don't
participate and the policy is to block, then you block them. Why would
it make a difference that they are outside of the US? Commerce is
important, and when the solution to the problem is free (or ultra low
cost), the benefit is 100%. And when I say ultra-low cost, I'm talking
about only enough to cover the machines (hardware) and the connection.

>5) There's also a very real possibility that unless your scheme has some sort
>of legislative backing, that a participating ISP could get sued into bankruptcy
>by a non-participating competitor ISP for restraint-of-trade issues.

How would this be any different than Earthlink blocking all inbound port
25 from NetZero's user IP space? A block is a block. As I mentioned,
another option for the block is a partial block. Allow the
non-participating ISP users to access the ISP web sites of the
participating ISP, just don't allow them to connect into the user IP
space. They could still surf the web and browse to all sites, just not
those hosted on the home-user IP range. I just realized why people
think this portion is a bad idea. I didn't make myself clear on what I
had in mind. It would basically be exactly as the other people have
suggested for firewall blocking all home IP space, but instead of
blocking everyone, it would only block inbound from non-participating
ISPs. The block is no different than what everyone seems to think is a
good idea, it doesn't keep *all* bad ISP users from *all* IPs on the
good ISP, it only keeps them from the home account IP space. All of the
users on the non-participating ISP would still be able to browse all the
business web sites on the entire Internet as they do now. Just direct
inbound connections to home-space would be blocked.

>>The basic idea is very flexible, but it seems that all you are trying to
>>do is dismiss it or shoot it down with statements that have already been
>>addressed. If you spent the same effort helping to cultivate the idea
>>it would become a better system that could have ISPs jumping onboard.
>Simply repeating "ISPs don't have to do this till they've all deployed it"
>because it's your mantra doesn't mean you're actually addressing the real
>problem, which is that you're asking some 3,000 ISPs to agree to deploy
>something that's untested, cannot be tested until their competitors also deploy
>it, and which they get no benefit from until it's fully deployed, and you're
>not making an actual *business case* for the ISP to shell out all these
>up-front resources, when the ISP would much rather put resources into projects
>that have either immediate or incremental gain, so they see benefits right off

They do get a benefit before it's fully deployed, because another part
of the idea is that they no longer have to provide tech support for
non-connection issues. Customers won't call them for virus infections
any more... and if they do, they will be directed to one of the
authorized companies that specifically deal with these issues. ISPs
would only have to handle an issue when the DSL modem doesn't work or
the user doesn't have their network settings configured correctly.
Those happen much more infrequently than all of the other calls. ISPs
already outsource most of their tech support anyway, so why not just
drop responsibility for the user's machine health completely? There is
nothing more frustrating to me than when I call my ISP with a connection
issue and they start trying to troubleshoot my computer. I never call
them for computer support, and most people call their computer seller
(Dell, Compaq) when they have a computer problem. Plus, ISPs already
defer a lot of problems to the computer manufacturer anyway. This would
be one more thing they don't have to have the staff to handle.

>As Fergie pointed out, getting enough ISPs to deploy this will be difficult,
>given that even no-brainers like BCP38 (which *does* have immediate and
>incremental benefits for the ISP when they deploy, whether or not their
>competitors do as well) are only deployed by some 75% of the address space.
>In fact, the fact that the MIT Spoofer project is having trouble even getting
>an accurate *estimate* of how many places deploy BCP38 should be a big warning
>sign. See http://momo.lcs.mit.edu/spoofer/ for details....
>And as Fergie will attest, if you're thinking that *I* am being negative on
>your idea, you're in for a very rude awakening if/when you try to sell your
>idea on the IETF and NANOG lists (if you don't understand why you'll be on
>those lists to sell your idea, you're in over your head).

I'm not trying to "sell" my idea. I didn't post it here to get all of
the negativity that I've gotten. I posted it to spark an idea in
someone that would be willing to take it farther, not have all of the
pessimists give me every reason that it won't work. The thing that so
many people don't seem to understand is that you don't know if something
will work until you try it. I've spent my entire adult working life
doing things that people say are impossible for whatever reason. There's
a saying, I don't remember where I read it, but it basically says
that the people saying that something can't be done should get out of
the way of those doing it. I was taught that when you come up with a
reason that something is wrong, you should also come up with a
suggestion to correct it. There have been a few that have done this,
and I appreciate their input, because there are a lot of things that I
don't know... who knows, maybe one of them will take the idea and run
with it. And contrary to what anyone may think, I don't really care if
anyone knows where this version of the idea started.
And here's the thing... I'm not attached to this idea other than trying
to get people to see that most of the objections are based on other
models that may be similar, but they are still different. In the
business world, what makes one product fail and another one that's 99%
the same sell like crazy? We don't know if one idea will or will not
work until we try, and I'm not talking about the type of try where you
talk down about it to the users basically implying that you don't agree

>Vernon Schryver got so tired of hearing modifications on the same exact anti-spam
>ideas by people who didn't realize that maybe the idea had been already thought
>of, examined, and discarded as unworkable multiple times, that he wrote this:
>(For bonus points - why did Vernon put the "critical thinker" entry on there?)

Has this idea been brought up before? I know that what I've seen here
and other places have had similar ideas, but they all involve blocking
everyone from user-space of every other ISP. The NAT solution, blocking
all inbound ports via firewall, and many other solutions involve
punishing everyone because so many people are clueless. Of course I can
see problems with the implementation, but that was why I originally
posted it here... to get input... to get people to brainstorm. Does
this list actually share ideas about security any more or does everyone
just focus on shooting down unfinished ideas? I didn't post it here as
a business proposal, just as a thought provoker.
Winfree Academy Charter Schools