[Dshield] Possible solution for ISP (was DShield's public goals)

Laura Vance vancel at winfreeacademy.com
Tue Jan 17 19:47:00 GMT 2006

Johannes B. Ullrich wrote:

>Anonymous Squirrel wrote:
>>I haven't seen this typical scenario discussed: A residential connection to
>>a home network, with a few "always on" computers, and a few visitors that
>>appear for a few weeks and drop off the network (say college kids home for
>>holidays).  A problem pops up and the residential connection.
>>1) Does the ISP blacklist the entire connection, even if the problem
>>computer is no longer at the residence?
>The entire connection is blacklisted. Once the customer fixes the
>problem (e.g. by sending the kids back to school), the connection is
>opened up again.
Or it could possibly be done by MAC address... depending on if the MAC 
address survives the router/NAT.

The connection opening back up again after the detected infection is 
gone could also be done automatically via software similar to the Cisco 
software for their "self defending networks".  If that could be done, 
then it would eliminate the "requirement" that the user contacts an 
authorized repair facility.

>>3) How does the ISP's contracted checker deal with non-standard machines,
>>say a custom built OS that the employees may not have a prayer of
>>understanding?  Or does the ISP only allow certain machines in certain
>>configurations on their network, thereby solidifying the Microsoft monopoly
>>in the name of simplicity? (FWIW, Cox acts dumb when I call with a
>>connection problem and tell them I don't have a "Start" button.  They refuse
>>to provide any support unless I boot into Windoze).
>It's simple: If your computer causes problems, it's cut off no matter what
>the OS is. It's overall up to the owner of the system to get the problem
>fixed. The ISP can only provide limited assistance. They may recommend a
>for-pay service to get the problem solved, or send the customer to the
>maker of the OS for support.
>It's the ISP's responsibility to secure the network. Turning off service
>is part of that if a customer endangers the security of the network. But
>the ISP can not fix the end system. There may be some exceptions where
>the ISP provides the end system (e.g. WebTV).
This is what I was thinking too.  The OS doesn't matter, all that 
matters is if it's infected.  It's pretty easy to tell if a computer is 
infected by plugging it into a network and seeing what traffic starts to 
appear.  It could be done in a clean-room type of environment where it's 
just the suspected machine and another one to monitor the traffic.  If a 
machine is infected and it's trying to phone home, it will originate 
something that will indicate something is wrong.  If it's trying to 
propagate itself, it will generate massive amounts of connection 
attempts.  Then, if the repair facility doesn't support your specific 
OS, it becomes your task to clean it and bring it back to be tested again.

Thanks Johannes.  Brainstorming is good. :)

Laura Vance
Systems Engineer
Winfree Academy Charter Schools
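The clean-room traffic check described in the post, as an added example that is not from the original thread or from DShield: a suspect host's outbound connections are logged and two heuristics are applied, one for worm-like fan-out (many distinct destinations in a short window) and one for phone-home beaconing (regular reconnects to one destination). The flow record format, the sample addresses and the thresholds are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample flows, "<ISO timestamp> <src> <dst> <dport>" (not real captures):
# .10 browses five sites, .20 sweeps port 445 across 60 hosts in 30 s, .30 beacons every 300 s.
SAMPLE_FLOWS = (
    ["2006-01-17T19:00:%02d 192.0.2.10 198.51.100.%d 80" % (s, s + 1) for s in range(5)]
    + ["2006-01-17T19:00:%02d 192.0.2.20 203.0.113.%d 445" % (i // 2, i + 1) for i in range(60)]
    + ["2006-01-17T19:%02d:00 192.0.2.30 198.51.100.250 8080" % m for m in range(0, 60, 5)]
)
def parse_flow(line):
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)

def fanout(flows, window=timedelta(seconds=60)):
    """Per source: most distinct (dst, dport) pairs touched inside any sliding window."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        per_src[src].append((ts, (dst, dport)))
    result = {}
    for src, events in per_src.items():
        events.sort()
        best = lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:  # slide the window start forward
                lo += 1
            best = max(best, len({pair for _, pair in events[lo:hi + 1]}))
        result[src] = best
    return result

def beacons(flows, min_hits=6, jitter=0.1):
    """Sources that reconnect to one (dst, dport) at a near-constant interval."""
    per_pair = defaultdict(list)
    for ts, src, dst, dport in flows:
        per_pair[(src, dst, dport)].append(ts)
    found = {}
    for (src, dst, dport), stamps in per_pair.items():
        if len(stamps) < min_hits: continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and max(abs(g - mean) for g in gaps) <= jitter * mean:
            found[src] = (dst, dport, mean)  # interval in seconds
    return found

def classify(lines, fanout_threshold=30):
    # Map each suspicious source to the behaviour that tripped it; quiet hosts are absent.
    flows = [parse_flow(line) for line in lines]
    verdict = {s: "propagation-like fan-out" for s, n in fanout(flows).items() if n >= fanout_threshold}
    for src in beacons(flows):
        verdict.setdefault(src, "phone-home-like beacon")
    return verdict
```

Running `classify(SAMPLE_FLOWS)` flags only 192.0.2.20 and 192.0.2.30; the browsing host stays clear, which is the "plug it in and watch what it originates" test the post proposes.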
