Dutch ISPs to collaborate and take responsibility for botted clients
leigh.porter at ukbroadband.com
Mon Oct 5 14:45:33 UTC 2009
Justin Shore wrote:
> Gadi Evron wrote:
>> Apparently, marketing departments like the idea of being able to send
>> customers that need to pay them to a walled garden. It also saves on
>> tech support costs. Security being the main winner isn't the main
>> supporter of the idea at some places.
> I would love to do this both for non-pays and security incidents. I'd
> like to do something similar to let customers update their
> provisioning information for static IP changes so cable source verify
> doesn't freak out. Unfortunately I haven't been able to find any open
> source tools to do this. I can't even think of commercial ones off
> the top of my head.
> It's a relatively simple concept. Some measure of integration into
> the DHCP provisioning system(s) would be needed to properly route the
> customer's traffic to the walled garden and only to the walled garden.
> Once the problem is resolved the walled garden fixes the DHCP so the
> customer can once again pull a public IP and possibly flushes ARP
> caches if your access medium makes that a problem to be dealt with.
> I would think that the walled garden portion could be handled
> well-enough with Squid and some custom web programming to perform
> tasks to reverse the provisioning issues. I'm sure people have
> written internal solutions for SPs before but I haven't found anyone
> that has made that into an OSS project and put it on the Web. I'd
> love to make this a project but there is little financial gain to my
> small SP so if it costs much money it won't get management support.
There is all sorts of kit that will do this for you, Ellacoya, Redback
etc. They all have APIs and all work well. The customer keeps their
public IP address, but you can then make it belong to another virtual
router instance, or you can apply certain firewall/ACL/policy rules to it.
For example, my Ellacoyas will, for a walled customer, deny traffic to
anything but the walled garden hosts and will then route any port 80
traffic to my proxy server that re-directs it all to a walled garden web
server. Then as soon as they hand over their payment details and we take
payment, a request is sent to the Ellacoya to remove the restrictions.
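
The walled-garden policy described in this message, modelled as an added example that is not part of the original post and is not Ellacoya's or Redback's API. The class, its method names and all addresses are hypothetical; the addresses are constructed from documentation ranges, and the resolver entry is an assumption so that walled customers can still look up names.

```python
import ipaddress

# Constructed sample values (documentation address ranges), not from the post.
GARDEN_HOSTS = {
    ipaddress.ip_address("192.0.2.10"),  # walled garden web server
    ipaddress.ip_address("192.0.2.53"),  # resolver (assumed), so names still resolve
}
PROXY = ipaddress.ip_address("192.0.2.20")  # proxy that redirects to the garden


class WalledGarden:
    """Hypothetical model of the per-subscriber policy described above."""

    def __init__(self):
        self.walled = {}  # subscriber IP -> reason ("non-pay", "security")

    def wall(self, subscriber, reason):
        self.walled[ipaddress.ip_address(subscriber)] = reason

    def release(self, subscriber):
        # Called once payment is taken or the incident is resolved.
        # Returns True only if the subscriber was actually walled.
        return self.walled.pop(ipaddress.ip_address(subscriber), None) is not None

    def decide(self, subscriber, dst, proto, dport):
        """Return (action, next_hop) for one outbound flow."""
        src = ipaddress.ip_address(subscriber)
        dst = ipaddress.ip_address(dst)
        if src not in self.walled:
            return ("forward", dst)      # normal customer, no restrictions
        if dst in GARDEN_HOSTS or dst == PROXY:
            return ("forward", dst)      # garden hosts stay reachable
        if proto == "tcp" and dport == 80:
            return ("redirect", PROXY)   # proxy answers with the garden page
        return ("deny", None)            # everything else, including port 443


if __name__ == "__main__":
    wg = WalledGarden()
    wg.wall("198.51.100.7", "non-pay")
    for flow in [("203.0.113.5", "tcp", 80), ("203.0.113.5", "tcp", 443),
                 ("192.0.2.10", "tcp", 443), ("203.0.113.9", "udp", 53)]:
        print(flow, "->", wg.decide("198.51.100.7", *flow))
    wg.release("198.51.100.7")
    print("after release:", wg.decide("198.51.100.7", "203.0.113.5", "tcp", 443))
```

The customer keeps the same public IP throughout; only the policy keyed on that address changes, which is why no DHCP or ARP cleanup appears in this model.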