What if it doesn't affect the ISP? (was Re: What do you want your ISP to block today?)

• Previous message (by thread): What if it doesn't affect the ISP? (was Re: What do you want your ISP to block today?)
• Next message (by thread): What do you want your ISP to block today?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On zaterdag, aug 30, 2003, at 20:54 Europe/Amsterdam, Sean Donelan 
wrote:

>> Only if it impacts the ISP, which it doesn't most of the time unless
>> they buy an unfortunate brand of dial-up concentrators.

> Bits are bits, very few of them actually impact the ISP itself. Most
> ISPs protect their own infrastructure. Routers are very good at
> forwarding bits.  Routers have problems filtering bits. Whether it is
> spam, viruses or other attacks; its mostly customers or end-users that
> bear the brunt of the impact, not the ISP.

Impact can be more than ISP equipment getting into trouble. It can also 
be congestion or excessive bandwidth use because of incoming abusive 
traffic, or infected customers.

> The recurring theme is: I don't want my ISP to block anything I do, but
> ISPs should block other people from doing things I don't think they
> should do.

Actually this doesn't have to be the paradox it seems to be. If we can 
find a way to make sure at the source that the destination welcomes the 
communication, we can have both.

> So how long is reasonable for an ISP to give a customer to fix an
> infected computer; when you have cases like Slammer where it takes only
> a few minutes to infect the entire Internet?  Do you wait 72 hours?
> or until the next business day? or block the traffic immediately?

> Or some major ISPs seem to have the practice of letting the infected
> computers continuing attacking as long as it doesn't hurt their
> network.

Let's first look at the reverse situation: infective traffic comes in. 
Customers may take the position that it is in their best interest that 
their ISP filters this traffic forever, so that they can't get 
infected, regardless of whether they patch their systems or not. But it 
isn't realistic to expect ISPs to do this.

First of all, because in many cases, the vulnerability is in a service 
that also has legitimate uses. In some cases this isn't much of a 
problem: for instance, with the slammer worm blocking the affected port 
didn't really impact the SQL service. Or with filtering blaster, 
windows file sharing doesn't work anymore but this isn't a public 
service so the people who need it can run it over a secure tunnel of 
some kind. However, shutting down port 80 because an HTTP 
implementation has a vulnerability wouldn't be acceptable because of 
the collateral damage.

Then there  are the issues of ISPs being able to do this effectively in 
the first place, and effectiveness. If ISPs were to filter everything 
forever everywhere, maybe this would be effective, but nearly all 
equipment takes a performance hit when it has to filter, and this 
usually gets worse as the filters get bigger, and there are limits to 
the length of filters. On top of that, there is the management issue: 
with 100k ADSL customers, you need to apply filters to 100k interfaces 
on hundreds of boxes. So in reality ISPs can only have a limited number 
of filter rules in a limited number of places. While this gets rid of 
most of the infective traffic for as long as the filter is in place, 
this doesn't really protect customers, as when one customer is 
infected, the infection can still spread to other customers (most worms 
are optimized for this) unless the ISP has put filters on all customer 
ports. And we've seen that worms are often carried from location to 
location in infected laptops.

And then, when the filter rules have to go (for instance because there 
is a new worm du jour) experience shows there is still some infecting 
traffic, however long after the initial outbreak, so at some point a 
vulnerable system WILL be infected.

Last but not least: if ISPs filter X worms, and then worm X+1 presents 
itself which proves unfilterable, things get really bad because users 
were depending on ISP action to prevent infection, rather than take 
their own measures. This could even lead to legal problems for ISPs.

Bottom line: unless ISPs explicitly want to take on this responsibility 
and invest in heavier equipment and very advanced network management, 
the best they can do is take the edge off by implementing some 
filtering that allows their users a little more time to patch their 
systems.

Then there is the other side of the coin: infected customers. I mostly 
work for content hosters these days, and there the situation is 
slightly different from the one that access ISPs are facing, as the 
number of customers is much smaller and the bandwidth they have is much 
larger. So one customer can do much more damage by either causing 
congestion in the local network or by driving up the bandwidth use on 
external connections (which is expensive because of the usual 95th 
percentile billing). There have been several cases the past year where 
my customers shut down ports of infected customers of theirs (sometimes 
lowering the port speed to 10 Mbps is a good compromise). But since 
this leads to many phone calls, I can imagine that doing this for every 
infected customer may be a problem for ISPs with many dial/ADSL/cable 
customers. Also, if the bandwidth use isn't too excessive, it may not 
always be apparent that a customer is infected.

• Previous message (by thread): What if it doesn't affect the ISP? (was Re: What do you want your ISP to block today?)
• Next message (by thread): What do you want your ISP to block today?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]