[Dshield] Possible solution for ISP (was DShield's public goals)

Valdis.Kletnieks@vt.edu
Wed Jan 18 00:45:34 GMT 2006

On Tue, 17 Jan 2006 11:39:23 CST, Laura Vance said:

> The thing is, this idea could be free.  If someone hosted the 
> computer(s) that would run the system, there is no other monetary cost 
> to the ISP.  It's simply a web site that the sales department checks 
> before they sign up a new customer.  It could be done at the same time 
> they check the credit score of the customer... maybe even before to save 
> the ISP some money on the credit check if the client is on the bad list 
> at the moment.

It can be free, as long as Somebody Else pays for it.

We have a cat, we have a bell - the solution is left as an exercise for the student ;)

> It would be easy enough to check to see if your competitor had signed 
> up, because the list of participating ISPs could be generated in 
> real-time.

No.  I'm talking *pre-deployment*.  You're NetZero.  EarthLink says "We're
investing $10M to deploy this, and we'll go live next July".  You then reply
"OK, We'll pony up *our* $10M to deploy, and we'll go live next August".

Come June, you've spent $8M, and Earthlink says "Neener neener! Fooled you,
we didn't do anything about deploying. HAND."

> Probably because that involves reprogramming possibly hundreds of 
> routers... these man-hours could be avoided.  The disconnection (if that 
> was determined to be what was used) could be done via the billing 
> system.  ISPs can easily flip a switch in the software when you don't 
> pay your bill. 

So you're expecting the same Comcast that has no trouble finding users and
turning them off when they don't pay, and that should have *no* trouble
identifying their top 400 problem accounts (match Senderbase to TACACS/DHCP
logs and you're done) and turning them off, to do the *extra* work involved
in deploying your scheme, when they don't already do what they could easily do?

Why should they start carrying their trash to the curb and tipping the
garbageman besides, when they aren't carrying the trash to the curb now?

> If they can get on the web, they would be able to participate too.  If 
> the system were free, then it wouldn't be a cost issue.  If they don't 
> participate and the policy is to block, then you block them.  Why would 
> it make a difference that they are outside of the US? 

Go ahead. Block all of China.  That will be nice, fast, cheap - and whether
you get it to stick will depend how many of your customers still have family
over there...

Collateral Damage.  What happens to your bottom line when all the customers
that can't get where they want move to an ISP that *will* let them?

> >5) There's also a very real possibility that unless your scheme has some sort
> >of legislative backing, that a participating ISP could get sued into bankruptcy
> >by a non-participating competitor ISP for restraint-of-trade issues.

> How would this be any different than Earthlink blocking all inbound port 
> 25 from NetZero's user IP space?

Paging Paul Vixie.. Paging Paul Vixie... ask Paul next time you see him just
how much in legal fees the MAPS project ran up, defending itself against
lawsuits from spammers, *and MAPS never actually blocked anybody*....

"In a not-surprising turn of events, LazyISP sued the top 10 ISPs for
anti-trust restraint-of-trade violations today, based on their refusal to
deliver packets from LazyISP unless they joined in a 'non-mandatory' club..."

Go take a look at the legal activity when Level3 depeered XO - and that
was *one* ISP telling another "We won't accept packets *directly*, you'll
have to send them the long way around".

> They do get a benefit before it's fully deployed, because another part 
> of the idea is that they no longer have to provide tech support for 
> non-connection issues.

No, they don't.  They can't use the "nuclear option" (block all packets from
a non-participating ISP) until 97 or 98% of the ISPs are participating...

> pessimists give me every reason that it won't work.  The thing that so 
> many people don't seem to understand is that you don't know if something 
> will work until you try it.  I've spent my entire adult working life 
> doing things that people say is impossible for whatever reason.

"Maybe, just *maybe*, I can be the one who can have dinner with Jeffrey Dahmer
safely, even though the *last* 23 people ended up *being* dinner..."

If people are saying "BTDTGTTOTTS"(*), it's usually a good idea to look
at exactly *why*, and make sure your proposal deals with the previous attempt's
failure in a *realistic* manner.

For instance, any proposal that assumes all 3,000 ISPs in the US will participate
willingly and honestly is doomed to failure.  In fact, even one that requires them
all to follow the *law* is suspect - there are too many known cases where ISPs will
break the laws when it suits them...

> >Vernon Schryver got so tired of hearing modifications on the same exact anti-spam
> >ideas by people who didn't realize that maybe the idea had been already thought
> >of, examined, and discarded as unworkable multiple times, that he wrote this:
> >
> >http://www.rhyolite.com/anti-spam/you-might-be.html
> >
> >(For bonus points - why did Vernon put the "critical thinker" entry on there?)

> Has this idea been brought up before?

Yes, multiple times.

Vern put "critical thinker" in there because it's generally considered an
important part of protocol design - if you haven't already thought of and
fixed the first dozen or so fatal issues, you haven't studied the problem
enough.  Bruce Schneier mentions a similar concept in his book "Applied
Cryptography", where he notes that *anybody* can design a crypto system that
they aren't able to break.  It takes genius to create one that nobody *else*
can break either.

And rest assured that the malware authors *will* be thinking of ways to make
an end run around this sort of system...

(*) BTDTGTTOTTS - Been There, Done That, Got Tire Tracks On The T-Shirt....