North American Network Operators Group


RE: Assigning a fine (Was: Quarantining infected hosts (Was: FBI tells the public to call their ISP for help))

  • From: Frank Bulk
  • Date: Mon Jun 18 07:21:31 2007


Assigning a fine doesn't win any friends.  The customer is already miffed
that:
a) we talked to them and wasted their precious personal time
b) 'accused' them of malicious activity
c) that we took them offline
d) that they'll now need to spend $100 at a computer shop or use up goodwill
credits with computer-savvy friends to fix it up.

No, fines don't help, at least for the majority of people.  If they care in
any way they will try to get it fixed ASAP, and if they don't care, well, we
don't feel too bad then if we have to disconnect them.  Again, that's rarely
the case because 99% of people really do care.

Regards,

Frank

-----Original Message-----
From: Jeroen Massar [mailto:jeroen@xxxxxxxxx] 
Sent: Sunday, June 17, 2007 9:15 AM
To: frnkblk@xxxxxxxxx
Cc: 'Sean Donelan'; nanog@xxxxxxxxx
Subject: Quarantining infected hosts (Was: FBI tells the public to call
their ISP for help)

Frank Bulk wrote:
> The Billy Goat product only seems to detect and notify nefarious activity,
> but it does nothing for the owned clients.
> 
> I want something that restricts my owned subscribers to downloading updates
> and tools while preventing them from spewing forth more spam and the like.

A Billy Goat will nicely quarantine the host that is infected, that is
the whole goal of the system. What access is still allowed when the host
is in that quarantine is of course a matter of policy. Allowing them to
access things like Windows Update and providing at least a good
virus scanner + SpyBot Search&Destroy etc. is most likely a good thing to
do for these situations.

IMHO ISPs should per default simply feed port 25 outbound through their
own SMTP relays. BUT always have a very easy way (e.g. a Control Panel
behind a user/pass on a website) to disable this kind of filtering. This
is what XS4all does and it seems to have a lot of effect but still
allows anybody who doesn't 'want' this protection to use the Internet
the way they want it, and not the way that is prescribed before them. Of
course, when they disable the filter it becomes very easy when something
does go wrong to laugh at them and not allow them to turn the filter off
unless they pay a fine or something similar ;)


For that matter, why don't ISPs start doing that: Introduce a fine. When
somebody gets infected, and thus doesn't take good care of his/her/its
computer, fine them. Let them pay say $25 to get fully back on the
Internet and only allow a very slow rate of traffic in the meantime.

Of course, the argument most likely goes then that they will swap ISPs,
but they will quickly run out of those and of course ISPs don't want to
lose clients over it, as the ignorant are the ones that provide the
simple cash.

> Mirage Networks is the closest to it, from my limited knowledge.

As mentioned, there are very likely different products in this area
which can resolve your problem. Also one can always run your own(tm).

Greets,
 Jeroen