Spitballing IoT Security

Ronald F. Guilmette rfg at tristatelogic.com
Wed Oct 26 23:40:52 UTC 2016

In message <CAF-Wqd5sO0x5muw6uPDxMXd+h1ebCCtL9Ke9uMEc7k364OfHLA at mail.gmail.com>
Ken Matlock <matlockken at gmail.com> wrote:

>- End users need to have ways to easily see what's going on over their
>local networks, to see botnet-like activity and DDoS participation (among
>other things) in a more real-time fashion

This is an interesting point.

I'm not actually an ISP guy, although I do play one on TV.  Anyway,
I hope nobody will begrudge me if I make a couple of brief points,
and then ask a rather naive question.

Point:  I have a DSL line which is limited to 6Mbps down and 756Kbps up.
My guess is that if any typical/average user is seen to be using more
than, say, 1/10 of that amount of "up" bandwidth in any one given 10
minute time period, then something is really really REALLY wrong.

Point:  I am already signed up with various services which will send me
automated emails whenever certain events occur, e.g. when the price of
2TB WD Black drives falls below my personal threshold value.

Point:  My ISP knows my email address.

Question:  Could ISPs set something up so that each customer broadband
line is continuously and individually monitored, and so that an automated
email would be automagically dashed off to the customer if that customer's
"up" bandwidth in some time period exceeded a value which, for that ISP,
is deemed "reasonable"?  (I envision the hypothetical email messages in
question would consist of a non-threatening warning to the customer which
would include a link to a web page where there would be a list of common
things end-lusers should check for in such circumstances, along with
detailed and clear instructions for how to check for each, and also a
"don't ever bother me with these warnings again" checkbox, and perhaps
even a friendly slider where the end-luser could adjust his personal
warning threshold value, for the future.)

Of course, any ISP that desperately -never- wants to receive -any- end-
luser support calls quite certainly won't like this scheme.  But I'm not
sure that that fact alone would utterly disqualify the idea from being
useful in some contexts.

The real question is:  Is anything even remotely along these lines even
possible with existing commonly used ISP infrastructure?  (If not, then just
forget I mentioned it.)


P.S.  One possible big advantage to the kind of system described above is
that if an ISP received a complaint about a given customer, alleging that
the customer is running a bot, then the ISP could go and look at the
warning settings for that customer.  If that's already been set to
"don't ever bother me", then the ISP can disconnect the customer, and
when the customer inevitably squawks about that, the ISP can respond and
say "We told you so."
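
The threshold check asked about in this message, as an added example that is not part of the original post. It assumes the ISP can poll a cumulative upstream byte counter per customer line every 60 seconds; the function names, the 32-bit wrapping counter and the sample data are constructed for illustration.

```python
from dataclasses import dataclass

WINDOW_S = 600        # the 10-minute period from the post
COUNTER_MOD = 2**32   # assumption: 32-bit byte counters that wrap

@dataclass
class Customer:
    up_kbps: float            # provisioned upstream rate
    threshold: float = 0.10   # fraction of upstream; the post's "1/10"
    opted_out: bool = False   # the "don't ever bother me" checkbox

def upstream_alerts(cust, samples):
    """samples: time-ordered (unix_seconds, cumulative_upstream_bytes).
    Returns one (time, avg_kbps) per episode where the trailing
    10-minute average first rises above the customer's threshold."""
    if cust.opted_out or not samples:
        return []
    # Unwrap the counter into a monotonically increasing byte total.
    total = [0]
    for (_, c0), (_, c1) in zip(samples, samples[1:]):
        total.append(total[-1] + (c1 - c0) % COUNTER_MOD)
    limit_kbps = cust.up_kbps * cust.threshold
    alerts, above, j = [], False, 0
    for i, (t, _) in enumerate(samples):
        # j = latest sample at or before the start of the window ending at t
        while j + 1 <= i and samples[j + 1][0] <= t - WINDOW_S:
            j += 1
        elapsed = t - samples[j][0]
        if elapsed < WINDOW_S:
            continue                      # not enough history yet
        kbps = (total[i] - total[j]) * 8 / elapsed / 1000
        if kbps > limit_kbps and not above:
            alerts.append((t, round(kbps, 1)))   # one warning email per episode
        above = kbps > limit_kbps
    return alerts

def constructed_samples():
    """Constructed data: 60 s polls for 30 min, 1 kB/s idle, 80 kB/s
    upstream from t=600 to t=1200, counter starting close to wrap."""
    counter, out = COUNTER_MOD - 20_000_000, []
    for t in range(0, 1801, 60):
        out.append((t, counter))
        rate = 80_000 if 600 <= t < 1200 else 1_000
        counter = (counter + rate * 60) % COUNTER_MOD
    return out

if __name__ == "__main__":
    print(upstream_alerts(Customer(up_kbps=756), constructed_samples()))
```

Reporting only the first crossing of each episode keeps a sustained burst from generating a warning at every poll.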
