Spitballing IoT Security

Mark Andrews marka at isc.org
Wed Oct 26 23:56:24 UTC 2016


In message <12301.1477525252 at segfault.tristatelogic.com>, "Ronald F. Guilmette"
 writes:
> 
> In message <CAF-Wqd5sO0x5muw6uPDxMXd+h1ebCCtL9Ke9uMEc7k364OfHLA at mail.gmail.co
> m>
> Ken Matlock <matlockken at gmail.com> wrote:
> 
> >- End users need to have ways to easily see what's going on over their
> >local networks, to see botnet-like activity and DDoS participation (among
> >other things) in a more real-time fashion
> 
> This is an interesting point.
> 
> I'm not actually an ISP guy, although I do play one on TV.  Anyway,
> I hope nobody will begrudge me if I make a couple of brief points,
> and then ask a rather naive question.
> 
> Point:  I have a DSL line which is limited to 6Mbps down and 756Kbps up.
> My guess is that if any typical/average user is seen to be using more
> than, say, 1/10 of that amount of "up" bandwidth in any one given 10
> minute time period, then something is really really REALLY wrong.

No.  Just uploading a video to youtube would cause a false positive
using that test.

You need to know what "bad" traffic looks like to find it.  Packets
flowing != "bad traffic".  Unusual != "bad traffic".

Mark

> Point:  I am already signed up with various services which will send me
> automated emails whenever certain events occur, e.g. when the price of
> 2TB WD Black drives falls below my personal threshold value.
> 
> Point:  My ISP knows my email address.
> 
> Question:  Could ISPs set something up so that each customer broadband
> line is continuously and individually monitored, and so that an automated
> email would be automagically dashed off to the customer if that customer's
> "up" bandwidth in some time period exceeded a value which, for that ISP,
> is deemed "reasonable"?  (I envision the hypothetical email messages in
> question would consist of a non-threatening warning to the customer which
> would include a link to a web page where there would be a list of common
> things end-lusers should check for in such circumstances, along with
> detailed and clear instructions for how to check for each, and also a
> "don't ever bother me with these warnings again" checkbox, and perhaps
> even a friendly slider where the end-luser could adjust his personal
> warning threshold value, for the future.)
> 
> Of course, any ISP that desperately -never- wants to receive -any- end-
> luser support calls quite certainly won't like this scheme.  But I'm not
> sure that that fact alone would utterly disqualify the idea from being
> useful in some contexts.
> 
> The real question is:  Is anything even remotely along these lines even
> possible with existing commonly used ISP infrastructure?  (If not, then just
> forget I mentioned it.)
> 
> 
> Regards,
> rfg
> 
> 
> P.S.  One possible big advantage to the kind of system described above is
> that if an ISP received a complaint about a given customer, alleging that
> the customer is running a bot, then the ISP could go and look at the
> warning settings for that customer.  If that's already been set to
> "don't ever bother me', then the ISP can disconnect the customer, and
> when the customer inevitably saquaks about that, the ISP can respond and
> say "We told you so."
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org


More information about the NANOG mailing list