[Dshield] Possible solution for ISP (was DShield's public goals)
vancel at winfreeacademy.com
Tue Jan 17 19:47:00 GMT 2006
Johannes B. Ullrich wrote:
>Anonymous Squirrel wrote:
>>I haven't seen this typical scenario discussed: A residential connection to
>>a home network, with a few "always on" computers, and a few visitors that
>>appear for a few weeks and drop off the network (say college kids home for
>>holidays). A problem pops up and the residential connection.
>>1) Does the ISP blacklist the entire connection, even if the problem
>>computer is no longer at the residence?
>The entire connection is blacklisted. Once the customer fixes the
>problem (e.g. by sending the kids back to school), the connection is
>opened up again.
Or it could possibly be done by MAC address... depending on whether the MAC
address survives the router/NAT.
The connection opening back up again after the detected infection is
gone could also be done automatically via software similar to the Cisco
software for their "self defending networks". If that could be done,
then it would eliminate the "requirement" that the user contacts an
authorized repair facility.
>>3) How does the ISP's contracted checker deal with non-standard machines,
>>say a custom built OS that the employees may not have a prayer of
>>understanding? Or does the ISP only allow certain machines in certain
>>configurations on their network, thereby solidifying the Microsoft monopoly
>>in the name of simplicity? (FWIW, Cox acts dumb when I call with a
>>connection problem and tell them I don't have a "Start" button. They refuse
>>to provide any support unless I boot into Windoze).
>It's simple: If your computer causes problems, it's cut off no matter what
>the OS is. It's overall up to the owner of the system to get the problem
>fixed. The ISP can only provide limited assistance. They may recommend a
>for-pay service to get the problem solved, or send the customer to the
>maker of the OS for support.
>It's the ISP's responsibility to secure the network. Turning off service
>is part of that if a customer endangers the security of the network. But
>the ISP can not fix the end system. There may be some exceptions where
>the ISP provides the end system (e.g. WebTV).
This is what I was thinking too. The OS doesn't matter, all that
matters is if it's infected. It's pretty easy to tell if a computer is
infected by plugging it into a network and seeing what traffic starts to
appear. It could be done in a clean-room type of environment where it's
just the suspected machine and another one to monitor the traffic. If a
machine is infected and it's trying to phone home, it will originate
something that will indicate something is wrong. If it's trying to
propagate itself, it will generate massive amounts of connection
attempts. Then, if the repair facility doesn't support your specific
OS, it becomes your task to clean it and bring it back to be tested again.
Thanks Johannes. Brainstorming is good. :)
Winfree Academy Charter Schools
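The clean-room test described in this message (suspect machine plus one monitor box on an isolated segment, watching for phone-home beacons and for propagation bursts) can be turned into a small triage script. The following is an added example, not code from the original post or from DShield; the flow records, the host addresses (192.168.50.10 as the suspect, 192.168.50.20 as the monitor, 203.0.113.7 as the beacon target) and the thresholds are all constructed assumptions chosen to illustrate the two patterns the message names.

```python
"""Traffic-based infection triage for one suspect host on an isolated segment.

Added example, not from the original mailing-list post. It works on
connection records as a monitor box would see them (timestamp, source,
destination, destination port) and flags the two behaviours the post
describes: propagation (many distinct destinations in a short window)
and phoning home (regularly spaced connections to one endpoint).
The capture below is constructed for the example; all addresses and
thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds since capture start
    src: str         # source address
    dst: str         # destination address
    dport: int       # destination port


def _constructed_capture():
    """Constructed sample capture (not real traffic)."""
    flows = []
    suspect = "192.168.50.10"
    # Phone-home pattern: the same external endpoint every 60 seconds.
    for i in range(5):
        flows.append(Flow(5.0 + 60 * i, suspect, "203.0.113.7", 443))
    # Propagation pattern: 40 distinct hosts on TCP/445 inside 10 seconds.
    for i in range(40):
        flows.append(Flow(300.0 + i * 0.2, suspect, f"10.0.0.{i + 1}", 445))
    # Benign traffic: a few DNS lookups from the suspect and the monitor box.
    flows.append(Flow(2.0, suspect, "192.168.50.1", 53))
    flows.append(Flow(130.0, suspect, "192.168.50.1", 53))
    monitor = "192.168.50.20"
    for t in (10.0, 33.0, 71.0):
        flows.append(Flow(t, monitor, "192.168.50.1", 53))
    flows.append(Flow(80.0, monitor, "198.51.100.4", 80))
    return sorted(flows, key=lambda f: f.ts)


SAMPLE_FLOWS = _constructed_capture()


def fan_out_events(flows, src, window=10.0, threshold=20):
    """Return {window_start: distinct_destinations} for every window in
    which `src` contacted at least `threshold` distinct hosts (scanning /
    self-propagation). Thresholds are assumptions for the example."""
    buckets = defaultdict(set)
    for f in flows:
        if f.src == src:
            buckets[int(f.ts // window) * window].add(f.dst)
    return {start: len(dsts) for start, dsts in sorted(buckets.items())
            if len(dsts) >= threshold}


def beacon_candidates(flows, src, min_hits=4, max_jitter=0.2, min_interval=10.0):
    """Return [(dst, dport, mean_interval)] for endpoints that `src`
    contacts repeatedly at near-constant intervals (phone-home beaconing).
    `max_jitter` is the allowed coefficient of variation of the gaps;
    `min_interval` keeps a single burst from looking like a beacon."""
    by_endpoint = defaultdict(list)
    for f in flows:
        if f.src == src:
            by_endpoint[(f.dst, f.dport)].append(f.ts)
    found = []
    for (dst, dport), times in by_endpoint.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg >= min_interval and pstdev(gaps) / avg <= max_jitter:
            found.append((dst, dport, round(avg, 1)))
    return found


def triage(flows, src):
    """Combine both detectors into a verdict for one host."""
    propagation = fan_out_events(flows, src)
    phone_home = beacon_candidates(flows, src)
    verdict = "infected" if (propagation or phone_home) else "clean"
    return {"host": src, "propagation": propagation,
            "phone_home": phone_home, "verdict": verdict}


if __name__ == "__main__":
    for host in ("192.168.50.10", "192.168.50.20"):
        print(triage(SAMPLE_FLOWS, host))
```

On the constructed capture the suspect is flagged on both counts (a 60-second beacon to 203.0.113.7:443 and 40 distinct SMB targets in the 300-310 second window) while the monitor box comes back clean. With a real capture the records would come from the monitor's sniffer rather than the constructed list, and the thresholds would need tuning to the segment's normal traffic; a low-and-slow scanner or a beacon with deliberate jitter would slip past these simple checks.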