nanog mailing list archives

Re: Quarantine your infected users spreading malware
From: "Jason Frisvold" <xenophage0 () gmail com>
Date: Tue, 21 Feb 2006 11:54:00 -0500

On 2/21/06, Bill Nash <billn () odyssey billn net> wrote:
> Big deal. You're talking about volume licensing at that point, and
> offering vendors an opportunity to compete to get on every desktop in your
> customer base. That's a big stick to negotiate with, especially if you're
> an Earthlink or AOL.

Agreed.  And with that, the little guys go away.

> Yeah, the privacy zealots, of which I'm one, don't have much of a leg to
> stand on, since as the direct service provider, you'd be directly within
> AUP/Contractually provided rights to do so, under that particular service
> model. They can't ding you for being active in your *response* to
> complaints about malicious activity sourced from your network, and taking
> the time to verify it. So long as you're keeping their personal
> information out of the hands of others, they don't have much to bitch

Agreed, but without publishing the exact procedures, protocols, etc,
they can always complain that something might be happening..  Don't
get me wrong, I'm just as much for privacy as most of the "zealots",
but there is a point at which there has to be an acceptable risk.

> The ISPs win because they've got ready means to tie complaints directly
> back to an active customer, AND verify the complaint. Consumers win
> because they've got cheap anti-virus they still don't have to do anything
> about. The internet wins because ISPs are sharing non-personally
> identifying information about naughty behaviour and maybe increasing the
> mean TTL for new Windows machines. In the long term, privacy advocates win
> because networks have implemented active responses to attacks that
> routinely lead to identity theft.

I wish everyone had this view.  Fixing, or at least patching, this
problem would help out a lot in the long run.  But there's a lot to be
done to handle it.  An ISP can deal with it themselves or, more often
than not, can ignore it.  As I was saying before, if there were some
sort of standards body that set forth a best practices guide of some
sort, that might go a long way.  Education for the end-user is key
here too.  Educate them to understand what precautions are in place at
the ISP level, and what they can do to protect themselves.  I think
it's gotten better in recent years, despite the increase in viral
activity.  I think the increase is due to better propagation
techniques rather than hordes of dumb users.

> The biggest hole I see in this concept is home routers that do NAT
> (Linksys, Linux boxes, etc). While capable of PPPoE, you can't quite
> mandate the A/V clients. You still have the option of doing packet
> inspection, which is still better than nothing.

Hrm..  Unless some sort of shim was required on the end-user
computer..  something transparent that merely identified itself in the
background to the central authority and verified signatures and the

> - billn

Jason 'XenoPhage' Frisvold
XenoPhage0 () gmail com
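The "tie complaints directly back to an active customer" step that Bill describes above is, in practice, a lookup of the complained-about source IP against session accounting at the complaint's timestamp. The following is an added example, not code from either poster or from any ISP; the RADIUS-style accounting log format and the sample records are constructed for illustration, and the function and field names are assumptions. It shows the two details an abuse desk gets wrong most often: complaint timestamps arriving in a different time zone, and an address that was re-issued to a different subscriber minutes after the complained-about session ended.

```python
"""Attribute an abuse complaint (source IP + time) to the subscriber whose
session held that address at that moment, using accounting records."""

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed RADIUS-style accounting log, not taken from any real ISP.
# Format assumed here: ISO-8601 UTC timestamp, start/stop, key=value fields.
SAMPLE_ACCOUNTING = """\
2006-02-21T14:02:11Z start user=cust1001 ip=10.20.30.41 session=a1
2006-02-21T15:30:00Z stop user=cust1001 ip=10.20.30.41 session=a1
2006-02-21T15:31:05Z start user=cust2002 ip=10.20.30.41 session=b7
2006-02-21T16:00:00Z start user=cust3003 ip=10.20.30.99 session=c3
"""


@dataclass
class Session:
    user: str
    ip: str
    session_id: str
    start: datetime
    stop: Optional[datetime] = None   # None means the session is still up


def _parse_ts(s: str) -> datetime:
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' form used in the sample log."""
    if not s.endswith("Z"):
        raise ValueError("log timestamps must be UTC ('Z' suffix)")
    return datetime.strptime(s[:-1], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def parse_accounting(text: str) -> List[Session]:
    """Pair start/stop records by session id into Session objects."""
    open_sessions: Dict[str, Session] = {}
    finished: List[Session] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        if event == "start":
            open_sessions[kv["session"]] = Session(
                kv["user"], kv["ip"], kv["session"], _parse_ts(ts))
        elif event == "stop":
            sess = open_sessions.pop(kv["session"], None)
            if sess is None:
                continue  # stop without a start: ignore rather than guess
            sess.stop = _parse_ts(ts)
            finished.append(sess)
    return finished + list(open_sessions.values())


def parse_complaint_time(s: str) -> datetime:
    """Complaint timestamps arrive in assorted zones; normalise to UTC.
    A naive timestamp is rejected rather than silently assumed to be UTC."""
    dt = datetime.fromisoformat(s)
    if dt.tzinfo is None:
        raise ValueError("complaint time has no UTC offset; cannot attribute safely")
    return dt.astimezone(timezone.utc)


def attribute(sessions: List[Session], ip: str, when: datetime) -> Optional[Session]:
    """Return the session that held `ip` at `when`, or None.
    The interval is [start, stop): at the exact stop second the address is free."""
    if when.tzinfo is None:
        raise ValueError("attribution time must be timezone-aware")
    when = when.astimezone(timezone.utc)
    hits = [s for s in sessions
            if s.ip == ip and s.start <= when and (s.stop is None or when < s.stop)]
    if len(hits) > 1:
        # Two subscribers on one address at the same instant is a data problem,
        # not an attribution; refuse rather than pick one.
        raise ValueError(f"overlapping sessions for {ip} at {when.isoformat()}")
    return hits[0] if hits else None


def attribute_complaint(log_text: str, ip: str, complaint_time: str) -> Optional[str]:
    """Convenience wrapper: returns the subscriber id, or None if no session matched."""
    sess = attribute(parse_accounting(log_text), ip, parse_complaint_time(complaint_time))
    return sess.user if sess else None


if __name__ == "__main__":
    # Complaint stamped in US Eastern (-05:00): 10:15 -0500 is 15:15Z, so cust1001.
    print(attribute_complaint(SAMPLE_ACCOUNTING, "10.20.30.41", "2006-02-21T10:15:00-05:00"))
    # Thirty seconds after that session ended, before the address was reissued: no match.
    print(attribute_complaint(SAMPLE_ACCOUNTING, "10.20.30.41", "2006-02-21T15:30:30+00:00"))
```

Note that what comes back is an account, not a machine: for the NAT'd home routers Bill raises, the subscriber is still the only thing the ISP can identify, and which host behind the router is infected remains the customer's problem (or, as Bill says, a job for packet inspection). A complaint that falls in the gap between one session's stop and the next session's start returns None on purpose; guessing either neighbour is how the wrong customer gets quarantined.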
