Slashdot Mirror


FCC Chair Calls On ISPs To Adopt New Security Measures

alphadogg writes "U.S. Internet service providers should take new steps to protect subscribers against cyber attacks, including notifying customers when their computers are compromised, the chairman of the FCC said Wednesday. Julius Genachowski called on ISPs to notify subscribers whose computers are infected with malware and tied to a botnet and to develop a code of conduct to combat botnets. Genachowski also called on ISPs to adopt secure routing standards to protect against Internet Protocol hijacking and to implement DNSSEC, a suite of security tools for the Internet's Domain Name System."

110 comments

  1. Spam by Anonymous Coward · · Score: 0

    Hey, it's about time. Maybe this will start helping to cut down on spam as well. As long as the ISPs do what they are supposed to do.

    1. Re:Spam by Novin · · Score: 1

      USA != The Internet, but sure, USA by itself is the source of almost as much spam as the other 9 top countries combined.

    2. Re:Spam by hairyfeet · · Score: 2

      Actually I've seen this in action and all that happens in reality is the ISPs use this as an excuse to toss any customers that actually use the bandwidth they paid for. Both the local DSL and WISP providers will just say "You must have a virus" and turn off your connection if they decide they don't like what you are running or how much you are using, the WISP going so far as to say "You can't run our scanner so you must be infected" when I was running PCLOS on my laptop.

      Remember folks, the ONLY customers these ISPs really want are what they call the "granny" customers, where all they do is check email and then log off like it's 1994. This is because none of the major ISPs are rolling out shit for bandwidth upgrades, instead just sticking those profits in their pocket. Any excuse that lets them toss more people that actually use resources is quickly jumped on and this way they can say "We are protecting the network" instead of "he actually used HALF the bandwidth that is in his contract, can you fucking believe it?" and gives them a nice legally sound out even when the customer isn't hitting the caps, just using close to it.

      --
      ACs don't waste your time replying, your posts are never seen by me.
  2. Torrents by mehrotra.akash · · Score: 5, Interesting

    Will torrent clients be classified as malware as well?

    1. Re:Torrents by Anonymous Coward · · Score: 1

      I doubt it. It would jack with MMOs as well. Games like WoW use BitTorrent in their update process for example. I doubt they want to piss off some big customers.

    2. Re:Torrents by gman003 · · Score: 2

      Even if so, it's not problematic.

      All this is (going by the summary - article's still loading) is notification. "Hey, we noticed your machine seems to be infected with a virus and is part of a spam-spewing botnet. Here's some links to antimalware that'll clear that right up". "Hey, we noticed a lot of traffic from spyware sending every keystroke back to totally-a-legit-site,cn, you might want to scan for that". "Hey, you seem to be torrenting massive files 24/7, here's some MAFIAA propaganda telling you to stop copying those floppies".

    3. Re:Torrents by causality · · Score: 4, Interesting

      I doubt they want to piss off some big customers.

      If that's the only societal force that can spare us, then we're screwed. Big customers can be whitelisted or "undesirables" can be blacklisted.

      I think what we need is to promote an awareness of just how important the Internet is, that screwing around with it for any reason other than good engineering is a bad idea. For example, the DNSSEC mandate is actually a sound idea and stands a good chance of working better than what we have now.

      The moment an anti-malware system starts intentionally hindering many (or all) torrents is the moment it ceases to be a technical solution and changes into a political tool. You don't need to understand the technical details of how BitTorrent works to understand this. We need a general public that understands this, for the same reason we need to understand that "think of the children!" includes concern for what kind of authoritarian, regimented society we're leaving them to inherit.

      I have to assume that any mandate to "protect against botnets" that could ever be construed to mean bans on entire protocols is going to be inevitably abused. Authoritarian types look for such "opportunities" just as businesses look for new markets. Power is just a different kind of currency.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    4. Re:Torrents by DigiShaman · · Score: 4, Informative

      Time Warner has been disabling users for malware for about 6 years now. Actually, they get redirected to a web page telling them to call the abuse department to review why the account has been temporarily disabled, agreeing to clean up the PC, and then the account gets re-enabled.

      The web page they direct customers to is http://www.rrsecurity-abuse.com/abuse.php

      Actually, everyone should review it. It's nicely laid out for ISP standards.

      --
      Life is not for the lazy.
    5. Re:Torrents by parlancex · · Score: 4, Insightful

      Actually, there are probably a lot of malware authors giddy at the thought of a legitimate malware notification service. There have already been large phone campaigns by botnet creators with the phony premise that the callee's computer is infected, with phony instructions to remove the infection (install new malware, obviously). Once there actually IS a legitimate service doing this it will be even harder for less tech savvy people to tell the difference.

    6. Re:Torrents by Joe_Dragon · · Score: 1

      Also lots of fake anti-malware software out there.

    7. Re:Torrents by Oxford_Comma_Lover · · Score: 2

      We need a general public that understands this

      Good luck.

      What we need is a court system that understands this and a way to apply the First Amendment to the ISPs. If it is spun as censorship rather than as requiring people to know stuff, it stands a much better chance politically.

      --
      -- IANAL, this isn't legal advice, and definitely isn't legal advice for you. Also, Squee!
    8. Re:Torrents by PopeRatzo · · Score: 5, Insightful

      I think what we need is to promote an awareness of just how important the Internet is, that screwing around with it for any reason other than good engineering is a bad idea.

      First, we might need to promote an awareness of just what the Internet actually is. How it works and why.

      We've got young people who don't recall a time before the Internet, and don't know how and why it came into being and know nothing about its potential. To many of them, it's just another shopping mall/arcade.

      For my money, the Electronic Freedom Foundation is currently doing the best work in this regard, so I send them money. But it also takes those of us who do have some awareness of these things taking the time to explain it. To advocate for it. To protect it. We have to make sure our shared memories, our shared culture, survives.

      There are a lot of powerful forces that would love to turn the Internet into the home shopping network on steroids. Into a one-way media outlet that tells us what's what. Into just another "cool" medium.

      We have to use the power of our oral tradition and our written tradition to spread the word on a person to person level. One to one and one to many. We must fight on the blogs, we must fight in the comment sections, we have to fight on the streets and on the beaches, We must never surrender. (OK, I got a little carried away at the end there, but you get the idea).

      --
      You are welcome on my lawn.
    9. Re:Torrents by fluffy99 · · Score: 3, Insightful

      Even if so, it's not problematic.

      All this is (going by the summary - article's still loading) is notification. "Hey, we noticed your machine seems to be infected with a virus and is part of a spam-spewing botnet. Here's some links to antimalware that'll clear that right up". "Hey, we noticed a lot of traffic from spyware sending every keystroke back to totally-a-legit-site,cn, you might want to scan for that". "Hey, you seem to be torrenting massive files 24/7, here's some MAFIAA propaganda telling you to stop copying those floppies".

      The ISPs are really the only ones positioned to thwart attacks as well. For example, blocking an IP that appears to be port scanning or sending high rates of email. Or rate-limiting icmp packets to reduce the effectiveness of DOS attacks. Or perhaps help in backtracking and notify their clients that seem to be participating in DOS attacks or spamming. The slippery slope of course is that if we expect the ISPs to start inspecting and throttling traffic for good reasons, it's not much of a leap to start snooping and throttling for reasons less advantageous to the customers. Not much of a leap from, "Hey that web site you're visiting is hosting a zero-day driveby attack" to "Hey you shouldn't be looking at neekid girls".

    10. Re:Torrents by Anonymous Coward · · Score: 0

      "...Electronic Freedom Foundation..."

      I believe it's the Electronic Frontier Foundation. Did you address the envelope and check correctly? Are you sure your contribution ever reached them?

    11. Re:Torrents by WaffleMonster · · Score: 2

      The ISPs are really the only ones positioned to thwart attacks as well.

      I disagree, the government goes after the botnets and shuts them down. They have all the needed logging and C&C data. You're best off letting the virus scanning companies deal with this and collaborate with the government where it makes sense.

      For example, blocking an IP that appears to be port scanning or sending high rates of email.

      What right does the ISP have to limit me from port scanning or sending bulk mail? I do both on a regular basis for legitimate reasons. Profiling is unacceptable. SMTP email is now worthless thanks to stupid algorithms which think every other legitimate message is spam and needs to be silently deleted.

      Or rate-limiting icmp packets to reduce the effectiveness of DOS attacks

      Please don't rate limit ICMP because it screws up PMTUD and anyone trying to troubleshoot real problems. Smurf attacks don't work anymore and have not for many years. All ISPs need to do is enable ingress filtering.

    12. Re:Torrents by wisty · · Score: 2, Funny

      1) Register an organization called "Electronic Freedom Foundation"

      2) ...

      3) Profit!

    13. Re:Torrents by fluffy99 · · Score: 4, Insightful

      I don't want the govt involved in the internet, and they have a crappy track record on dealing with botnets.

      If you're port scanning multiple IPs, then you fit the profile of an attacker and need to be looked at. Bulk mail is another issue. It would be reasonable to notify customers that their computers are sending large volumes of email. If the customer isn't aware of it, then they just got a clue that they might be infected. Sending bulk mail, especially not using the ISP's relay, is often against the TOS.

      I was talking about inbound as well as outbound. If your ISP sees someone port scanning through their address space looking for open ports, blocking them makes sense. It also makes sense to watch for users inside their space port scanning. It's no different than the cops stopping someone who is walking through the neighborhood checking the doors. Rate limiting stuff like ICMP works just fine, as does ingress filtering stuff you shouldn't be seeing. If a connection is spewing 500 pings a minute for 10 minutes, it's pretty unlikely it's for a legitimate reason. Another example is dropping packets which appear to be from bogons. Or noticing clients that appear to be doing SYN attacks or the like.

      Really, it's not hard to detect computers acting badly.

    14. Re:Torrents by WaffleMonster · · Score: 2

      If you're port scanning multiple IPs, then you fit the profile of an attacker and need to be looked at

      Are you sure? How many IPs/ports make you suspicious? Who decides?

      It's no different than the cops stopping someone who is walking through the neighborhood checking the doors.

      Where I live people are constantly going door to door selling crap... For all I know they could just be checking doors... Do I get to call the police whenever I see someone making their rounds down the block?

      If a connection is spewing 500 pings a minute for 10 minutes, it's pretty unlikely it's for a legitimate reason.

      Let's see, MTR to a destination with 20 hops, default refresh rate of 1 second. After a minute you just spewed 1200 pings. OMFG call the police!!

    15. Re:Torrents by biodata · · Score: 1

      tl/dr but just a thought: maybe you should have a single message at the top about why the person's account is broken and who they have to call to get it fixed.

      --
      Korma: Good
    16. Re:Torrents by msobkow · · Score: 3, Interesting

      More to the point, such legislation to disconnect "infected" machines implies that there is some standard for a "clean machine". And you can BET that "clean machine" model is based on known, locked down, PROPRIETARY operating systems, not someone running their own mods for a Linux distribution.

      --
      I do not fail; I succeed at finding out what does not work.
    17. Re:Torrents by msobkow · · Score: 2

      After all, if you aren't running Government and ISP Supported Operating Systems, you MUST be infected.

      So if you run Linux, BSD, or any other "fringe" OS that isn't supported, you get disconnected.

      Right?

      --
      I do not fail; I succeed at finding out what does not work.
    18. Re:Torrents by PopeRatzo · · Score: 3, Funny

      I believe it's the Electronic Frontier Foundation.

      Oh shit. I should have just said "EFF".

      I should never drink and comment. Hell, last night I played my harmonica and it registered a .23

      --
      You are welcome on my lawn.
    19. Re:Torrents by jc42 · · Score: 1

      ... maybe you should have a single message at the top about why the person's account is broken and who they have to call to get it fixed.

      I already get lots of notifications that my computer is infected. But they don't make me waste time talking about it to some drone off in India or Malaysia who's just following a script. They give me a direct link to where I can download a tool to clean up my machine.

      And most of them don't even want to charge me for this service. ;-)

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    20. Re:Torrents by hairyfeet · · Score: 2

      Just don't let anybody light a match near that harmonica while you are blowing or you may end up with the most fucked up looking flamethrower you have ever seen. To be fair it does have some really nice overtones as the metal heats up, with the bluer flames giving it almost an octave overtone, well until your hair catches on fire or the harmonica gets too hot and you pass out only to find your friends have put it on YouTube the next day under "Dumbass with a harmonica" that is.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    21. Re:Torrents by Rogerborg · · Score: 1

      Virgin Media nee Blueyonder nee Telewest nee Cable and Wireless have been doing it since the 90s. I was particularly amused when they cut me off back in 2001 because I was infected with "Code Red". An interesting conversation ensued with a front line techmong about which of my Lunix boxen were likely to have Microsoft IIS running on them.

      --
      If you were blocking sigs, you wouldn't have to read this.
    22. Re:Torrents by jc42 · · Score: 2

      If a connection is spewing 500 pings a minute for 10 minutes, it's pretty unlikely it's for a legitimate reason.

      Let's see, MTR to a destination with 20 hops, default refresh rate of 1 second. After a minute you just spewed 1200 pings. OMFG call the police!!

      Yeah, and this reminds me that in several discussions on this topic, I've commented (or seen others comment) that various so-called "security experts" like to classify pings as attacks. This almost always gets pooh-poohed by other readers. But we just saw a /. reader claim that 500 pings per minute (about 8/sec) qualifies as an attack.

      I've often found that it puts things into perspective to mention that many of the claims of "attacks" that you read about are in fact counting ICMP packets. This is a good way to inflate your numbers in your scare story. But, as with the above suggestion, any numbers you read from someone trying to make things look bad are highly likely to be counting things that aren't attacks at all, but are just part of the normal traffic on the internet.

      In particular, I've worked on a number of projects to develop network-management software, and it's fun to point out occasionally that nearly everything we're developing would be classified as "attack" malware by most of the network-security folks. On a number of occasions, various management-type people have made it clear that they consider me a dangerous "hacker" simply because I've worked on such things, and seem to know a lot about them.

      We can expect that any laws like this will be used to block not just legitimate traffic, but also network-management traffic. Flagging 500 pings a minute for 10 minutes as illegitimate is as clear an example of this as you can get. I routinely run tools that ping a list of sites scattered around the network, typically at 10-second intervals, as a "light" way of measuring network speed. They would almost all be considered illegitimate under this scheme.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    23. Re:Torrents by biodata · · Score: 1

      You can't download any tools if the ISP has effectively cut you off for abuse.

      --
      Korma: Good
    24. Re:Torrents by Anonymous Coward · · Score: 0

      Interesting..... when my computer got RAT'd I had Wireshark logs pointing back to the attacker who was another Time Warner customer in AZ (I'm in Ohio). When I called Time Warner and sent them the Wireshark logs, they advised me that they would not be taking any action in the matter. I told them they could take the customer offline or I could. They said verbatim "do what you have to do"...... I buried a 'bomb' in a tempting looking .exe and waited for him to run it... classy, I know...

      Called the local police and they told me they would not look into it since it was a personal computer and not a commercial machine (a machine used in the course of business).

      All in all, Time Warner didn't give a flying fuck that one of their customers was hacking another one of their customers, the police didn't care that laws were being broken and I ended up having to spend a week of my time cleaning my PC and monitoring my network for traces of the malware (I'm okay with this)..... the whole time, being advised that neither law enforcement nor Time Warner was going to help me (not ok with this).

    25. Re:Torrents by Zero__Kelvin · · Score: 1

      "The ISPs are really the only ones positioned to thwart attacks as well. For example, blocking an IP that appears to be port scanning or sending high rates of email."

      Yeah. That's a great idea! That way, when I do penetration tests on my websites I will just get kicked right off! Thanks for your help, man!

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    26. Re:Torrents by PopeRatzo · · Score: 1

      Just don't let anybody light a match near that harmonica while you are blowing or you may end up with the most fucked up looking flamethrower you have ever seen.

      Man, the way I play, my harmonica is already a flamethrower. I have to register it as a lethal weapon in 26 states. Kim Wilson heard me and threw his harp in the lake. You heard of Little Walter and Big Walter Horton? Around Chicago, I'm known as Medium Walter.

      --
      You are welcome on my lawn.
    27. Re:Torrents by fluffy99 · · Score: 1

      "The ISPs are really the only ones positioned to thwart attacks as well. For example, blocking an IP that appears to be port scanning or sending high rates of email."

      Yeah. That's a great idea! That way, when I do penetration tests on my websites I will just get kicked right off! Thanks for your help, man!

      If penetration testing means you have to port scan your web site, then you're not doing it right. You should already know what ports are open if you or your hosting company have any clue. Running dumb tools like Retina, Nessus, etc. really don't show you the true vulnerabilities on a website anyway. They can't show you crappy programming that doesn't validate inputs and leaves you open to SQL injection, or permissions issues on files.

    28. Re:Torrents by fluffy99 · · Score: 1

      Instead of nitpicking the numbers I pulled off the top of my head because they might interfere with your particular invented legitimate activity, how about recognizing that outliers in usage patterns often correspond to malicious activity? Maybe 500 pings/minute is a bad example, but certainly that's not the norm for an average customer. How about an ISP noticing that 100 IPs within their address space are sending the exact same HTTP query to a particular website at a very high rate? Surely even you guys would think this might indicate an ongoing DDoS attack that someone should look at. Maybe not block the traffic, but at least record that as a possible indicator for that particular customer.

      As for how many IPs/ports for port scanning makes me suspicious - certainly scanning entire subnets looks suspicious. Scanning 100's of ports on a single IP would count as probing and a possible attack. Whether it's a legitimate scan by the website owner is irrelevant with regard to classifying it.

      BTW, what possible reason could you have for doing traceroute with a refresh rate of 1 second?

    29. Re:Torrents by hairyfeet · · Score: 1

      Bah! I'd strap on my 5 string and cut heads with ya! Old Gene may THINK he's the God of Thunder but there is only one lord of the wasteland and that is the guy typing this post baby, yeah! If I haven't lost a couple of pounds of sweat and a half a pint of blood on the strings then it's just not a good night, hell I even take a 50 footer and hop down there in the front and dance with the teen babes. Of course I'm gonna end up having to get a wireless because my little Cherokee princess is none too happy when she sees me bopping with some 19 year old, but you sometimes just gotta take the pain with the pleasure ya know?

      --
      ACs don't waste your time replying, your posts are never seen by me.
    30. Re:Torrents by Zero__Kelvin · · Score: 1

      I don't host my own website, and neither do many of my customers. I guess it never occurred to you that one reason to port scan is to find out if a hosting company has a clue. I'm one of those funny guys that isn't satisfied with calling customer service and asking "hey, do you guys have a clue?" and then just accepting their answer.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    31. Re:Torrents by PopeRatzo · · Score: 1

      Bah! I'd strap on my 5 string and...

      Bass or banjo? I'll assume from your mention of a 50 foot cord that we're talking bass.

      I might consider jumping into the mosh pit to dance with the teen babes too, but my wife, a fiery Slav, would go all Slobodan Milosevic on my ass.

      --
      You are welcome on my lawn.
    32. Re:Torrents by fluffy99 · · Score: 1

      I don't host my own website, and neither do many of my customers. I guess it never occurred to you that one reason to port scan is to find out if a hosting company has a clue. I'm one of those funny guys that isn't satisfied with calling customer service and asking "hey, do you guys have a clue?" and then just accepting their answer.

      Yeah, I get the whole trust but verify thing. I realize there are legitimate reasons to port scan a single IP or do things that could be viewed as an attack, such as verifying a firewall config. It's all about defining appropriate thresholds and using them to flag malicious activity. Port scanning whole class B subnets at a time, or your machine running port scans 24x7, would probably be on the wrong side of that threshold. We could spend all day pointing out fringe cases, but 99.9% of an ISP's customers are going to fall within a fairly well defined realm of normal network activity.

      It's been my experience when dealing with corporate or hosting companies that if they have unusual open ports or other obvious security issues, it's rare for them to actually give a crap when a customer points this out.

    33. Re:Torrents by WaffleMonster · · Score: 1

      Instead of nitpicking the numbers I pulled off the top of my head because they might interfere with your particular invented legitimate activity, how about recognizing that outliers in usage patterns often correspond to malicious activity? Maybe 500 pings/minute is a bad example, but certainly that's not the norm for an average customer.

      I'm not only nitpicking your examples. I'm nitpicking the underlying concept. The heuristics have all been tried with SMTP and not only has it failed to stop spam but it has made email unreliable and unusable in the process. I prefer not to see the same errors repeated in the name of network management.

      The reason for failure is your adversary is a living thinking human being with a brain just like yourself. Every action you take to detect a problem can and will be countered by moderating the system so that it does not trip the thresholds you set. It is an evolution of war unwinnable by either side.

      How about an ISP noticing that 100 IPs within their address space are sending the exact same http query to a particular website at a very high rate? Surely even you guys would think this might indicate an ongoing DDOS attack that someone should look at.

      Now back to nitpicking your latest ideas... Maybe it is just a popular web site and they have a polling system for dynamic updates such as is very common with news sites, interactive forums, online chat, ebay countdowns..etc. I imagine the same error happened in the minds of the spam fighters who could not imagine that anyone would ever have a reason to send a legitimate email with the word viagra in the subject line.

      As for how many IPs/ports for port scanning makes me suspicious - certainly scanning entire subnets looks suspicious. Scanning 100's of ports on a single IP would count as probing and a possible attack

      How many IPs are in an entire subnet? A subnet can be a /8 network for all I know?

      Why even bother at this point? The world is moving to IPv6 where blind subnet scanning will soon become a fruitless activity anyway.

      In terms of scanning 100's of ports on a single IP, let's say everyone adds a rule blocking the 100th attempt. The botnet C&C adjusts clients to try a port on the same IP once every hour or so to avoid detection or commands other systems to perform a distributed port scan. Same outcome, except now the ISP has wasted tons of cash on expensive high speed DPI gear AND it is now harder for a skilled person who knows what they're looking for to understand what is happening.

      BTW, what possible reason could you have for doing traceroute with a refresh rate of 1 second?

      Your question is really the core issue... The person designing the rules makes the value judgement based on their limited knowledge and as a result things break and people become unhappy because the rule maker turns out to not be as smart as their self image. If you think I'm nitpicking.. the real world is absolutely relentless... Ask the people who wrote mtr why they did it. It is often used to evaluate transient or long term metrics about the network path..per-hop latency, packet loss. I assume it is to keep from having to wait forever to see what is going on and where.

    34. Re:Torrents by hairyfeet · · Score: 1

      Bass. Got a beautiful swamp ash Squier Pro Tone, the model that actually made them cancel the entire Pro Tone series because it was eating into the Fender sales. Man they don't make 'em like that anymore, heavy as hell but the wood is just soooo damned sweet, I hit a low note through that Trace Elliot (one of the last ones while they were still made by Brits) and the tone.... man. I cut heads once against a guy with a Fender P-Bass through an actual Ampeg all tube 8x10 stack and the next night his band was due to open for mine and I see him reach into his trunk.. and pull out an exact duplicate of MY amp. He even went out and bought the Zoom pedal I was using. I said "Hey WTF happened to the Ampeg?" and he said "Shit, you stomped all over my amp on tone, clarity AND volume so I swapped it out this morning, nice huh?" I just rolled my eyes and said "Just don't try taking my 5 string too" and he laughed and said, "Sorry to say they were sold out, I'll have to live with the 4 string".

      And you think a Slav has a temper? You never met a Cherokee princess before, fiery temper is an understatement of the century! The day she met my mother some gay guy had seen me play at the club the night before and had slipped a note under my door, here she is, first time she has ever got to meet my mother, and she is ranting on the cell phone "Damned right he's hot and HE IS MINE BITCH BACK THE FUCK OFF OR I WILL STOMP YOUR ASS!!!" and all I could do was say "Mom meet my GF Brenda". Hell some gal hopped on the band FB page and was being flirty and it was like a comedy routine "Oh ur so cute" "Yes he is and he's MINE BITCH" "U can do better than her, u should ban her from your page" "Do you want me to come down there and KICK UR ASS SLUT?" back and forth. Needless to say the band and my two teen boys were sitting there laughing their asses off while I just sat there totally facepalmed. Ain't nothin more fiery than a Cherokee dude, when people start talking Spanish at her because she is dark enough to pass for Mexican she says "me no Mexican, me Indian, me kind scalp your kind" and waltzes off while they stand there gaping.

      But what can you do right? As I have said many times "The wise man knows when to STFU, the stupid man sleeps on the couch" and I'm happy to report I have NEVER had to sleep on the couch.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    35. Re:Torrents by Anonymous Coward · · Score: 0

      Just reading all the comments I would say it's you who overvalues your smarts. Spam filtering and profiling DO work. ISPs do notice spammers and shut them down. Are you saying the problem is too hard so we shouldn't bother trying? Are you saying there is no value to antivirus even though its effectiveness is reduced by clever attackers?

      Why would you say IPv6 makes port scanning irrelevant? Getting rid of IPv4 NATting increases exposure for most home users as it removes a layer of protection and the probers are now hitting their machines directly instead of bouncing off a NAT router.

    36. Re:Torrents by fluffy99 · · Score: 1

      BTW, what possible reason could you have for doing traceroute with a refresh rate of 1 second?

      Your question is really the core issue... The person designing the rules makes the value judgement based on their limited knowledge and as a result things break and people become unhappy because the rule maker turns out to not be as smart as their self image. If you think I'm nitpicking.. the real world is absolutely relentless... Ask the people who wrote mtr why they did it. It is often used to evaluate transient or long term metrics about the network path..per-hop latency, packet loss. I assume it is to keep from having to wait forever to see what is going on and where.

      No, the network engineers will simply look at the existing traffic patterns to determine what is normal for their network. Really, I have lots of experience in this area, and it's not difficult to spot the outliers from the norm. I'm not saying blindly block every little suspicious thing (in fact, often the best response is to let an active intrusion continue so you can gather more info). I'm talking about flagging and reacting to the obvious. In some cases the appropriate response might be blocking the traffic; for example, decent HTTP proxies can block a response from a webpage that has known malicious code for a virus that's currently rapidly spreading. Or notify a home user because he's sending out 10,000 emails an hour with the word viagra using 200 different SMTP relays. Or maybe a home user is seen communicating with a known trojan command server, and they simply send that user an email that they need to check their system because it's likely compromised. Perhaps with appropriate intel they determine they can safely block the IP/port of the command server entirely for all their users, which kills off a large portion of the botnet. In some cases, the action would be driven by a violation of the TOS or a need to block an ongoing problem.

      The ISPs need to get more proactive. They continue to sit back and ignore glaring problems like zombies and spammers because they have no financial incentive to do so. The end result is going to be the govt stepping in and establishing inflexible one-size-fits-all requirements that are guaranteed to step on the legitimate fringe cases. You won't be able to call your ISP and tell them that you really do need port 25 open. You won't get told that it's against your TOS; instead you'll get told that all SMTP servers need to be registered with the FCC before an ISP can legally allow the traffic. Controls at the ISP and network level are inevitable, and I'd much rather the ISPs have their hands on the controls because I can change ISPs if mine becomes overly restrictive. It's a hell of a lot harder to change my govt.

      One likely outcome, already seen in some ISPs, is the creation of different levels of service based on the type of connectivity you need (that's where the financial incentive comes in). A basic grandma type of connection would have more traffic controls placed on it (e.g. they can only send SMTP through the ISP's relays). If you're hosting services on your home connection, they might expect you to pay for a fixed IP and give you the ability to specify what services you're hosting. That would simplify things for users like you who like to run MTR against web hosting companies so you get rapid notice when something goes down.
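      The two notification triggers described in this comment (mass outbound SMTP fanned across many relays, and contact with a known command server) can be expressed as a small flagging pass over flow records. This is an added example, not code from any ISP or from anyone in the thread; the record format, thresholds, addresses and the C&C watchlist are all constructed for the demonstration.

```python
"""ISP-side flagging over NetFlow-style records.

Added example; not code from any ISP or from the thread's posters. The flow
record format, the thresholds and every address are constructed (documentation
ranges), and the C&C watchlist is a placeholder, not real intelligence.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Placeholder watchlist of (ip, port) command-and-control endpoints: constructed.
CNC_WATCHLIST = {("192.0.2.250", 6667)}

# Flagging thresholds per source address per clock hour (assumed values).
SMTP_CONNS_PER_HOUR = 1000   # outbound connections to port 25
SMTP_DISTINCT_RELAYS = 50    # distinct port-25 destinations


def build_sample_flows():
    """Constructed flow records, one per line: '<ISO-8601 UTC> <src> <dst> <dport>'."""
    lines = []
    # 198.51.100.7 opens 1200 SMTP connections across 200 relays within hour 10.
    for i in range(1200):
        relay = f"203.0.113.{i % 200 + 1}"
        lines.append(f"2012-02-22T10:{(i // 20) % 60:02d}:{i % 60:02d}Z 198.51.100.7 {relay} 25")
    # 198.51.100.8 sends five mails through one relay and browses: normal use.
    for i in range(5):
        lines.append(f"2012-02-22T10:1{i}:00Z 198.51.100.8 203.0.113.10 25")
    lines.append("2012-02-22T10:20:00Z 198.51.100.8 192.0.2.80 443")
    # 198.51.100.9 makes a single connection to the watchlisted C&C endpoint.
    lines.append("2012-02-22T11:05:42Z 198.51.100.9 192.0.2.250 6667")
    return "\n".join(lines)


def parse_flows(text):
    """Parse flow lines into (datetime, src, dst, dport) tuples; skip blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows.append((when, src, dst, int(dport)))
    return flows


def flag_hosts(flows, conn_threshold=SMTP_CONNS_PER_HOUR, relay_threshold=SMTP_DISTINCT_RELAYS):
    """Return {src_ip: [reason, ...]} for subscribers who warrant a notification."""
    smtp_conns = defaultdict(int)    # (src, hour) -> number of port-25 connections
    smtp_relays = defaultdict(set)   # (src, hour) -> distinct port-25 destinations
    cnc_contacts = defaultdict(set)  # src -> watchlisted endpoints contacted
    for when, src, dst, dport in flows:
        hour = when.replace(minute=0, second=0, microsecond=0)
        if dport == 25:
            smtp_conns[(src, hour)] += 1
            smtp_relays[(src, hour)].add(dst)
        if (dst, dport) in CNC_WATCHLIST:
            cnc_contacts[src].add((dst, dport))

    findings = defaultdict(list)
    # Volume alone is not enough: a user relaying through the ISP's own MTA may
    # legitimately send a lot; the fan-out to many relays is the spam signature.
    for (src, hour), n in smtp_conns.items():
        relays = len(smtp_relays[(src, hour)])
        if n >= conn_threshold and relays >= relay_threshold:
            findings[src].append(
                f"spam-like SMTP: {n} connections to {relays} relays in hour {hour:%Y-%m-%dT%H}Z")
    for src, endpoints in sorted(cnc_contacts.items()):
        for dst, dport in sorted(endpoints):
            findings[src].append(f"contact with watchlisted C&C {dst}:{dport}")
    return dict(findings)


if __name__ == "__main__":
    for src, reasons in flag_hosts(parse_flows(build_sample_flows())).items():
        print(src, "->", "; ".join(reasons))
```

      Both triggers only produce a notification; whether that leads to an email, a walled-garden page or a disconnect is the policy question the rest of the thread argues about.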

    37. Re:Torrents by WaffleMonster · · Score: 1

      Just reading all the comments I would say it's you who overvalues your smarts. Spam filtering and profiling DO work. ISPs do notice spammers and shut them down. Are you saying the problem is too hard so we shouldn't bother trying? Are you saying there is no value to antivirus even though its effectiveness is reduced by clever attackers?

      I still get spam, and many times a week messages go missing to the ether. It reduces volume but does not solve anything.

      I'm saying the network is the wrong place to do something about it. The intelligence is not in the core it is at the edge... Where the intelligence is is where you have the most options to address the problem.

      The concept of anti-virus is fundamentally flawed. It is useful, but the underlying issue of how untrusted code was allowed to execute in the first place is the root problem. Until that is solved we will have duct tape solutions such as anti-virus that are a crapshoot as to whether they detect all threats to the user.

      The attempt to have a dumb network understand and mitigate L7,8,9 issues is idiocy.

    38. Re:Torrents by WaffleMonster · · Score: 1

      Why would you say IPv6 makes port scanning irrelevant? Getting rid of IPv4 NATting increases exposure for most home users as it removes a layer of protection and the probers are now hitting their machines directly instead of bouncing off a NAT router.

      SPI and NAT do the same thing and have the same security properties. The ONLY difference is that SPI does not mangle packets.

      The address space of a single /64 prefix is 4 billion times the size of the entire IPv4 Internet. A probe has no chance in hell of finding any client in the first place unless they manually configure a vanity address. This is much better than the current system where viruses can easily scan the entire global address space in a matter of minutes.

    39. Re:Torrents by WaffleMonster · · Score: 1

      No the network engineers will simply look at the existing traffic patterns to determine what is normal for their network. Really, I have lots of experience in this area, and it's not difficult to spot the outliers from the norm

      YES. Not all problems can be resolved within your administrative domain. Sometimes coordination with other operators is required.

      I am in total awe of your ability to easily detect a request to a C&C server disguised as a request to an AD server.

      It is easy to detect belligerent zombies or anything else sending garbage at line rate. It is however impossible for everyone but yourself to detect zombies designed to secretly leak only user CC/BANK PAN and high value corporate data.

      It is not the ISP's fight any more than it is UPS's fight to make sure the vendor shipped the widget you asked for. They are simply a conduit.

      The ISPs need to get more proactive. They continue to sit back and ignore glaring problems like zombies and spammers because they have no financial incentive to do so. The end result is going to be the govt stepping in and establishing inflexible one-size-fits-all requirements that are guaranteed to step on the legitimate fringe cases.

      Your examples contradict the need for the ISP to be involved at all. Search engines and browser filter providers can detect whether a site is infected because they have dedicated teams, massive amounts of data and metrics on all sites over time... ISPs do not have that type of data or infrastructure or experience to perform such analysis.

      Most issues are best mitigated by countermeasures at the edge where the most intelligence resides. The ISP should be treated as a common carrier and only act when the integrity of their network is at risk.

      instead you'll get told that all SMTP servers need to be registered with the FCC before an ISP can legally allow the traffic.

      Reality bites... addressing the problem with the wrong tool is not going to fix the underlying issue any more than a law addressing a problem in the wrong way.

      One likely outcome already seen in some ISPs, is the creation of different levels of service based on the type of connectivity you need

      ISPs are smart to offer value added services such as content filtering although not guaranteed to be effective.

      That would simplify things for users like you who like to run MTR against web hosting companies so you get rapid notice when something goes down.

      ..sigh..

    40. Re:Torrents by fluffy99 · · Score: 1

      Most issues are best mitigated by countermeasures at the edge where the most intelligence resides. The ISP should be treated as a common carrier and only act when the integrity of their network is at risk.

      What do you define as the edge? The DSL/Cable/Satellite modem in the end user's home? Are you trusting the average home user to set that up securely and police themselves? Certainly the consumer grade end routers could benefit from a little more brains and some IDS capabilities, but from a design perspective an independent IDS on each drop is far less effective than placing them in key locations at the aggregate or closet switches. I'm proposing that the "edge" be a few steps closer to the ISP and let them manage the defenses based on an understanding of the bigger picture.

      I simply don't accept your notion that the ISPs have no responsibility to police their networks and should do nothing to protect their customers. If they get good information about a user on their network actively attacking someone, I don't want them to say "it's not my problem".

      It is not the ISP's fight any more than it is UPS's fight to make sure the vendor shipped the widget you asked for. They are simply a conduit.

      UPS and USPS have measures at their central sorting facilities to detect malicious packages containing explosive or radiological hazards. They are common and/or contract carriers, whereas ISPs are not. You might want to brush up on the legal aspects of that, as the ISPs have been lobbying to NOT be considered common carriers as that imposes additional regulations on them.

      Search engines and browser filter providers can detect whether a site is infected because they have dedicated teams, massive amounts of data and metrics on all sites over time... ISPs do not have that type of data or infrastructure or experience to perform such analysis.

      Search engine filtering and browser filters work about as well as antivirus: generally several steps behind, with a poor track record stopping anything new and lots of false positives. Not all malicious traffic is browser based. I believe the ISPs are in the right spot to monitor traffic and detect abnormalities. Web crawling search engines have a different type of intelligence that can be combined to form a bigger picture.

    41. Re:Torrents by WaffleMonster · · Score: 1

      What do you define as the edge?

      The peer.

      The DSL/Cable/Satellite modem in the end users home? Are you trusting the average home user to set that up securely and police themselves?

      Yes. If this is not realistic the answer is to provide the user with the necessary tools and/or education to make it realistic.

      I simply don't accept your notion that the ISPs have no responsibility to police their networks and should do nothing to protect their customers. If they get good information about a user on their network actively attacking someone, I don't want them to say "it's not my problem".

      I simply don't accept your notion that the ISP should post a full time 24x7 safety officer in each room of a household where networked computers reside. Please, enough with the strawmen.

      They are common and/or contract carriers, whereas ISPs are not. You might want to brush up on the legal aspects of that, as the ISPs have been lobbying to NOT be considered common carriers as that imposes additional regulations on them.

      Whatever makes non-discrimination work works for me. I would rather see common carrier than the decay of a competitive market ultimately enabling discriminatory practices with location based degradation and/or paywalled destinations and protocols.

      several steps behind and have a poor track record stopping anything new and lots of false positives

      Do you have a better idea? Would DPI really fare any better? How? On what basis? Might as well bite the bullet and amend the constitution and reality, making implementation of RFC 3514 compulsory.

      I believe the ISPs are in the right spot to monitor traffic and detect abnormalities.

      Why? It is not the amount of traffic it is the content of that traffic that matters as I have tried to explain. What more does an ISP know about content than anyone else?

      A user could drive-by download a script that deletes everything on their computer without sending any signals out toward the network. How is DPI going to help the user? Implement the very same signature detection schemes as the anti-virus and malicious site services already use?

  3. oh, great, that's all I need... by Tastecicles · · Score: 2

    a popup in Iceweasel saying "Attention! Your computer is compromised!" then some spiel about IE9 and no antivirus...

    oh, wait, now where have I seen this before? (link for information only! Do the clicky on "free scan" links at your own risk!)

    --
    Operation Guillotine is in effect.
    1. Re:oh, great, that's all I need... by chromaexcursion · · Score: 1

      a popup in Iceweasel saying "Attention! Your computer is compromised!" then some spiel about IE9 and no antivirus...

      oh, wait, now where have I seen this before? (link for information only! Do the clicky on "free scan" links at your own risk!)

      I don't know how. But. The idiots that come up with this crap have to be forced to sit behind a 12 yr old, bound and gagged, to understand what they intend. If they die of a stroke from the effort, at least it's one less idiot.

    2. Re:oh, great, that's all I need... by Tastecicles · · Score: 2

      I've seen it before. In case you're not brave, I'll explain.

      I'm sitting in front of a LINUX BOX, using Iceweasel, a LINUX BROWSER. Suddenly this popup appears telling me my LINUX BOX has been compromised, tells me I'm running IE9 (ohreali?) on Windows XP (ohreali?). It further tells me, with the help of an "automatic detection tool", that my computer is infected with 100...200...14,000+ WINDOWS viruses (ohreali?). For just $29.99, this amazing tool will "remove all infections in seconds!" (ohreali? Maybe it can do something about this sore throat that's been bugging me...).

      At this point, I fell off my chair. I was laughing too hard even to tell my wife why I was in such paroxysms of hysterics. I could barely even inhale.

      For those not versed in spotting the scam: the popup contained nothing more than an animated image producing what appeared to be a self-executing security program detecting computer viruses, linked to the real piece of malware - or should I term it scumware? (which is how I described it to the police) - via a merchant account. Clicking on anything but the X in the top right hand corner took you directly to the payment page, but also a popunder which attempted to download a stealth backdoor program into the system (I tried it on the Linux box knowing that since "Linux can't run Windows programs", it surely couldn't run a Windows virus - HAH!) (which in turn would have downloaded the biggest load of keyloggers, browser hijacks, IRC clients and botnet clients you ever saw from a SINGLE RUSSIAN SERVER had it the chance). At which point the merchant account then attempted to extort another $299 out of you to get rid of *that lot* - which of course, the scammer had no intention of doing nor did he have the technical ability to do so. Basically you were about to get screwed out of $329.99 and end up with a doorstop. Best thing to do if you see that thing appear on your Windows box is hardcycle the power and keep the machine off the net until it has had a professional and thorough sweep for scumware.

      A variation on the theme (but the same exact scam) involves the user clicking a link on a page hosted on a compromised server. This will install a program into the system tray which changes the desktop background, hijacks your browser homepage, does some weird screwy shit with the registry and does the whole "You're-compromised!" dance all over your desktop. Again, the advice is hard power down and take the box to a shop.

      --
      Operation Guillotine is in effect.
  4. nothing better to do....... by scottp · · Score: 2, Insightful

    Of course, ISPs' employees have nothing better to do than to notify ~90% of their customers their computers have malware. It boggles my mind the ideas that people come up with (sopa/pipa/acta, logging all connections, etc.) and try to implement about monitoring the Internet with little or no thought to the logistics or funding of their stupid ideas.....

    1. Re:nothing better to do....... by Anonymous Coward · · Score: 1

      While ISP employees may have better things to do than notify their customers that they have malware, it is very likely they have a number of automated systems intended to detect and counteract such threats (and should be working on procuring/developing such a solution if not), at which point the majority of notifications can be automated, which in addition to saving staff time, can help reduce OTHER ISP staff time expended dealing with load balancing massively oversubscribed pipes when those same systems are used for a DDOS, SPAM campaign, etc and all of a sudden there's so many packets on the network that their under-ventilated routing hardware is operated 20C out of spec.

    2. Re:nothing better to do....... by lightknight · · Score: 1

      Hmm. I'd think termination of their contract, if their machine is caught attacking one of my DNS servers through neglect. I'd take the fiscal hit willingly.

      Mind you, the logging used to diagnose who, exactly, is attacking my servers is different from the kind of logging that SOPA / ACTA would mandate (it cannot be modified / re-purposed to fit their needs).

      --
      I am John Hurt.
  5. How would they know you have a virus by Cutting_Crew · · Score: 3, Insightful

    unless they put some of their crappy bloated software on your computer? ISPs ought to be just that. An internet service provider. Give me an internet connection from point A to point B. PERIOD.

    1. Re:How would they know you have a virus by silas_moeckel · · Score: 2

      Viruses that make outbound connections to command and control etc. can be spotted.

      --
      No sir I dont like it.
    2. Re:How would they know you have a virus by chemicaldave · · Score: 4, Insightful

      They don't have to see the infection itself, just the symptoms. Frankly, ISPs could probably give a damn about viruses. It's botnets that are the problem. If they see traffic from your IP directed towards a known botnet command node then they can probably assume your machine was compromised.
      Unfortunately the issue of inspecting traffic is a tricky one, etc, etc.

    3. Re:How would they know you have a virus by Sulphur · · Score: 1

      They don't have to see the infection itself, just the symptoms. Frankly, ISPs could probably give a damn about viruses. It's botnets that are the problem. If they see traffic from your IP directed towards a known botnet command node then they can probably assume your machine was compromised.

      Unfortunately the issue of inspecting traffic is a tricky one, etc, etc.

      Perhaps if it were done by a piece of hardware that had no other function than that of reading headers.

    4. Re:How would they know you have a virus by wanzeo · · Score: 3, Informative

      My brother's Windows 7 box started running slow two weeks ago, but other than that there was no sign of a problem. He attributed it to ageing hardware and kept it on. Within 24 hours the ISP called him and told him he had a serious malware infection. They sent him an exe (apparently they knew exactly what was wrong), and it fixed it perfectly.

      This shocked me, because usually I love to hate the local ISP, but you have to admit, that is some good service. So I guess I would draw the line at being able to identify a specific problem. If it is just suspicious traffic patterns, innocent until proven guilty.

    5. Re:How would they know you have a virus by lightknight · · Score: 1

      Not so much. The machine which is being attacked typically has a competent admin who will capture the IP addresses of the attackers (assuming the packets are not forged), who can then forward the addresses to his / her upstream network provider. Directly contacting the ISP of the afflicted machines would require some extra work, but is possible.

      No inspection of traffic is needed.

      --
      I am John Hurt.
    6. Re:How would they know you have a virus by biodata · · Score: 1

      unless virus uses vpn and tricky routing

      --
      Korma: Good
    7. Re:How would they know you have a virus by biodata · · Score: 3, Insightful

      So someone called up your brother, told him they were from the ISP, and manipulated him to run some software on his computer? That all sounds rather dangerous to me. How did he know he could trust this person?

      --
      Korma: Good
    8. Re:How would they know you have a virus by silas_moeckel · · Score: 1

      Still possible to spot them; VPNs have to terminate somewhere, and tricky routing as in overlay networks still needs to eventually connect to command and control. Remember this need not be perfect if it just notifies the end user that they might have an issue rather than automatically blocking them.

      --
      No sir I dont like it.
    9. Re:How would they know you have a virus by Anonymous Coward · · Score: 0

      Obligatory SMBC: http://www.smbc-comics.com/index.php?db=comics&id=2526#comic

    10. Re:How would they know you have a virus by jc42 · · Score: 1

      My brother's windows 7 box started running slow two weeks ago, but other than that there was no sign of a problem. ... Within 24 hours the ISP called him and told him he had a serious malware infection.

      I got a call a few years ago from my ISP, telling me that there was a "virus" in my machine. The person calling described it, and I told him the name of the malware. He was a bit surprised by this, and I asked when they'd first seen it. It turned out that it was six months earlier, but they'd just got around to handling it. I asked him if they'd seen any evidence of it in the past few months. After a bit of a pause, he said they hadn't. I told him that I'd found it myself about six months ago, and it was no longer running. He thanked me, and hung up.

      So I'm not too impressed by the idea that ISPs should do this sort of job. I can think of a number of much better ways to do it.

      As others have said, an ISP is most useful if they just do one job: provide Internet connectivity. They should have experts on maintaining the wiring, running routers, etc. Traffic analysis is much better handled by people who understand that job. Looking for malware is better handled by people who understand that, on the specific OSs that are in use. Few ISPs are likely to be competent at this on anything but MS Windows, and rarely even then. It's not their job, and if they're ordered to do it, they'll do a half-assed job and we won't like the results (though we'll pay for them).

      Most ISPs also provide things like DNS and email, and in my experience, they are usually the worst sources for these services. To make the routine automotive analogy, asking them to provide such services is about as sensible as asking your local highway construction and maintenance companies to also be a package delivery service.

      Not that I'd expect anyone in a legislative body to understand any of this. Writing such things into law is just insane. That's why standards (and other regulatory) agencies were invented.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
    11. Re:How would they know you have a virus by wanzeo · · Score: 1

      Good question, I just checked. The exe was emailed from an address at the ISP's domain. Not sure how hard that is to fake, but I would have trusted it too.

      However, after reading the rest of this thread, I think I have changed my mind. Malware control is a job for OS developers, and in extreme cases the police. The ISP really shouldn't get involved.

    12. Re:How would they know you have a virus by Anonymous Coward · · Score: 0

      Good question, I just checked. The exe was emailed from an address at the ISP's domain. Not sure how hard that is to fake, but I would have trusted it too.

      Just for future reference: trivial.
      (Unless you were looking at cryptographic signatures, in which case it would be very hard... But I'm yet to receive signed emails, even from teksavvy companies)

  6. Don't want your protection by Nonillion · · Score: 2

    I don't need your stinking protection, I've been doing just fine since 1993.

    Now excuse me while this strange web site forces my browser to full screen and scans my Linux Box for viruses...

    --
    "I bow to no man" - Riddick
    1. Re:Don't want your protection by Fluffeh · · Score: 4, Interesting

      Now excuse me while this strange web site forces my browser to full screen and scans my Linux Box for viruses...

      I recently started getting calls to our home phone number (which is a silent number mind you) from those lovely "Hey, I'm calling from Microsoft to say that you need to install this program to fix your computer..." folks in some nasty call centre. While I do have a few windows machines around, the majority are also linux. I find it strangely pleasing following their instructions, but seeing how long I can drag out the fun for - not pressing the right things, getting them to repeat the instructions over and over again, trying to get them to hang up. My current record is 21 minutes, while they are peddling crap, you got to hand it to them - they really are patient when trying to snarf your money.

      --
      Moved to http://soylentnews.org/. You are invited to join us too!
    2. Re:Don't want your protection by Nursie · · Score: 1, Funny

      I commend your patience. The last one I got went like this -

      *ring ring*
      (indian voice)"Hello sir, Microsoft has been doing a survey of your area and"
      "No they haven't"
      "yes they have, and we have found a higher than normal incidence of viruses in your area"
      "No, they haven't, you're a liar"
      "No sir I am not lying. Our records show that you have a computer attached to the internet"
      "Right, you've got me out of bed at 9am on a saturday and lied to me three times in the course of ten seconds. F*CK OFF AND DIE YOU EVIL SCAMMER, I HOPE YOUR WHOLE FAMILY DIES IN PAIN" *hangup*

      I'm not very friendly if you get me out of bed in the morning at the weekend. In retrospect that may have been overly nasty.

    3. Re:Don't want your protection by Neil+Boekend · · Score: 2

      I'm not very friendly if you get me out of bed in the morning at the weekend. In retrospect that may have been overly nasty.

      No it wasn't.

      --
      Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
    4. Re:Don't want your protection by Anonymous Coward · · Score: 0

      I managed 40 minutes. I installed their remote control software in an old Windows 2000 VM. They were really confused because the ancient version of Internet Explorer only supported 40-bit SSL and wouldn't connect to PayPal. While they dicked around in the VM I carried on working. Eventually they installed Firefox, connected to PayPal and when they asked me to enter my details I just laughed at them. Good times.

  7. Customers don't CARE by Kurlon · · Score: 0

      Unless you do something along with the notification to make a customer actually ACT to clean up their system, they won't. As soon as you start taking customers offline when you confirm they're compromised, they'll jump ISPs. It's a no win situation.

  8. Customer Contact by Nethead · · Score: 4, Insightful

      Back in the late '90s that's how we worked at ISPs. If we noticed weird traffic on an account or were getting spam complaints, we'd call up the customer. If we couldn't get a hold of them we would disable the account until they called. Some kid pumping out Make Money Fast emails, we'd call mom and have a chat.

    Then all the local ISPs got bought up by telco and cable companies. The price didn't go down, just the service.

    I'm glad I'm still on one of the last local Mom&Pop ISPs in the area, when I call support I get a guy that actually has enable to the routers. It costs about $15/month more but I'm willing to pay for the service I get.

    --
    -- I have a private email server in my basement.
    1. Re:Customer Contact by parlancex · · Score: 2

      ... when I call support I get a guy that actually has enable to the routers. It costs about $15/month more but I'm willing to pay for the service I get.

      I would gladly pay more than $15 extra for that level of support.

      My ISP has had a problem with what I suspect is a fibre media converter that is causing high packet loss with packet sizes 1350 to 1500 bytes. My friends and I who live in town all set our MTU manually to about 1300 to avoid the problem, but everyone else in town using this ISP is stuck with websites that time out randomly for no reason, web pages that fail to load randomly, etc.

      I tried to explain to support that they need to run a ping size sweep on their router so they can see the packet loss, but the guy seriously fired up a Windows command prompt from his support machine and ran ping with the default arguments to my home IP address, said all 5 packets were okay, and that nothing was wrong.

    2. Re:Customer Contact by jdogalt · · Score: 1

      Mod parent up. I've got a mod point left, but had to add my own longwinded comment below, that is perhaps better expressed via the parent comment. I.e. yeah, forcing new software on ISPs without explaining how it's going to be written and deployed is a bad idea. But making lazy ISPs, or rather, ISPs that don't want to scare away their consumers, tell the customer when existing software they are running has detected a known malware traffic pattern, seems like a really good idea. And forcing DNSSec support on ISPs... Ok, I guess my superficial reaction was positive on that one, but upon deeper reflection I don't see how any kind of DNS should be mandated by ISPs, when the job is better done by customers' own OSes and the myriad of global servers they are talking with.

    3. Re:Customer Contact by TubeSteak · · Score: 2

      I tried to explain to support that they need to run a ping size sweep on their router so they can see the packet loss but they guy seriously fired up a windows command prompt from his support machine and ran ping with the default arguments to my home IP address, said all 5 packets were okay, and that nothing was wrong.

      1. The default # of packets for windows' ping is 4 (as far as I can recall)

      2. Sometimes you have to ask to speak to another support tech until you get escalated to someone who has the ability to understand you.
      If that fails, you can always try complaining on social media or launching an executive e-mail carpet bomb

      --
      [Fuck Beta]
      o0t!
    4. Re:Customer Contact by heypete · · Score: 3, Interesting

      Indeed. Cox, a cable ISP in the US, was silently re-writing DNS TTLs from whatever value the authoritative nameserver had set to 30 seconds. It didn't matter if it was a long-lived NS record or a short-lived dynamic DNS entry, everything got changed to 30 seconds. Even the entries for the root nameservers were cached for 30 seconds, increasing their load.

      When I had their service and this was affecting me I wrote to their customer support and prefixed the message with a "This is a specialized technical issue about Cox's DNS servers and is not addressable by customer support staff. Please forward this to the systems/network administration folks." The message included a quick summary of the problem, results of dig tests on both Cox's and third-party resolvers, etc.

      I got a response two days later saying "We're sorry you're having difficulty setting up your wireless router. You might find the instructions at $URL helpful..."

      After that point, I stopped bothering and switched to Google Public DNS. Google's nameservers respected TTLs, didn't do the SiteFinder interception of non-existent domains, and actually had better performance.
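      The TTL rewriting described in this comment can be confirmed from the outside without any help from the ISP: query the same record repeatedly and compare the highest TTL the resolver ever returns against the authoritative value. The checker below is an added example (not Cox's, Google's or the commenter's code); the dig-style answer text and the TTL series are constructed to show the possible outcomes.

```python
"""Spotting a recursive resolver that caps TTLs (e.g. everything served as 30 s).

Added example, not from the thread or any resolver vendor. The answer text is
constructed in dig's ANSWER SECTION layout and the sample series are made up.
"""
import re

# One dig answer line: <owner name> <ttl> IN <type> <rdata>
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")

# Constructed: what the authoritative server hands back for the zone's NS set.
AUTHORITATIVE_ANSWER = """\
example.com.            172800  IN      NS      ns1.example.com.
example.com.            172800  IN      NS      ns2.example.com.
"""

# Constructed: the same query answered by a TTL-rewriting ISP resolver.
ISP_ANSWER = """\
example.com.            30      IN      NS      ns1.example.com.
example.com.            30      IN      NS      ns2.example.com.
"""

# Constructed observation series: (seconds since first query, TTL returned).
CLAMPED_SAMPLES = [(0, 30), (10, 20), (31, 30), (65, 26), (120, 30)]
HONEST_SAMPLES = [(0, 172800), (10, 172790), (120, 172680)]
SHORT_SAMPLES = [(0, 30), (10, 20)]


def parse_ttls(answer_text):
    """Map (owner name, record type) -> TTL from dig-style answer lines."""
    ttls = {}
    for line in answer_text.splitlines():
        m = ANSWER_RE.match(line.strip())
        if m:
            name, ttl, rtype, _rdata = m.groups()
            ttls[(name, rtype)] = int(ttl)
    return ttls


def assess_resolver(authoritative_ttl, samples, tolerance=5):
    """Classify a resolver from repeated queries for one record.

    An honest cache never returns more than the authoritative TTL, counts it
    down, and after expiry re-fetches so the full value shows up again. A
    rewriting resolver never exceeds its cap no matter how long you watch.
    """
    if len(samples) < 2:
        return "inconclusive: need at least two samples"
    elapsed = [e for e, _ in samples]
    ttls = [t for _, t in samples]
    if elapsed != sorted(elapsed):
        raise ValueError("samples must be in query order")
    span = elapsed[-1] - elapsed[0]
    highest = max(ttls)
    if highest > authoritative_ttl:
        return "rewrites TTL upward: served %d, authoritative is %d" % (highest, authoritative_ttl)
    if highest >= authoritative_ttl - tolerance:
        return "honours TTL"
    # Watched for longer than the largest TTL seen: an honest cache would have
    # expired the record and served the full authoritative TTL at least once.
    if span > highest + tolerance:
        return "rewrites TTL: capped at %d seconds, authoritative is %d" % (highest, authoritative_ttl)
    return "inconclusive: observe for longer than %d seconds" % highest


if __name__ == "__main__":
    auth = parse_ttls(AUTHORITATIVE_ANSWER)[("example.com.", "NS")]
    isp = parse_ttls(ISP_ANSWER)[("example.com.", "NS")]
    print("authoritative TTL %d, ISP resolver returned %d" % (auth, isp))
    for label, series in (("clamped", CLAMPED_SAMPLES), ("honest", HONEST_SAMPLES), ("short", SHORT_SAMPLES)):
        print(label, "->", assess_resolver(auth, series))
```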

  9. what? by Anonymous Coward · · Score: 1

    I expected something so silly to be spewed from a technology-ignorant grandpa Senator. But the chairman of the FCC?!

    Stuff like this makes me wonder if democracy works.

    1. Re:what? by jc42 · · Score: 1

      I expected something so silly spewed from a technology ignorant, grandpa Senator. But the chairman of the FCC?! Stuff like this makes me wonder if democracy works.

      Sure, it works. The FCC's head is a political appointee, and he was appointed by the president that the majority (of the Electoral College ;-) voted for. In a democracy, job holders are decided by voting, not by requiring credentials. If the voters want someone competent, they'll vote for someone competent. If they want a president who appoints competent people, they'll vote for a president who's interested in competence.

      (Not sure if I should include a ;-) here ...

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  10. One Has To Wonder About Motivation by Jane+Q.+Public · · Score: 4, Insightful

    Given that most knowledgeable people seem to think it's a bad idea... I have to wonder why government keeps coming up with schemes that essentially require monitoring by the ISP.

    I mean, when you consider that as a practical matter, an ISP is (or at least should be) just a common carrier, like a telephone company. In fact the FCC originally -- and even very recently -- wanted to classify ISPs as common carriers. Which would preclude any monitoring. So what's up with all these monitoring ideas?

    Are they maybe just trying to get some kind of monitoring in place, so that they can expand it later?

    1. Re:One Has To Wonder About Motivation by CodeBuster · · Score: 3, Interesting

      I have to wonder why government keeps coming up with schemes that essentially require monitoring by the ISP.

      Governments cannot abide anyone but themselves with secrets.

      Are they maybe just trying to get some kind of monitoring in place, so that they can expand it later?

      Yes. It's like the amphibian in the pot. Turn up the heat gradually and it will remain even after the water is boiling.

    2. Re:One Has To Wonder About Motivation by Anonymous Coward · · Score: 1

      Because it's logical that a Service Provider provide for the integrity of the service and the safety of its customers.

      Just like it's logical that AT&T 'protect' me from the illegal use of their POTS network... unless it's the Gubment that's breaking the law, of course.

    3. Re:One Has To Wonder About Motivation by Anonymous Coward · · Score: 0

      Given that most knowledgeable people seem to think it's a bad idea... I have to wonder why government keeps coming up with schemes that essentially require monitoring by the ISP.

      That's because, once installed, the system can be used for other purposes and access to it sold on to commercial "supporters" to make money.

  11. make it opt-in and I will by jdogalt · · Score: 2

    There seem to be a lot of negative comments about this, and perhaps some with subtle good reason. But I really like the idea, if it's implemented as opt-in, and boils down to "if any existing software run by the ISP believes that my computer is running known malware based on known traffic patterns, send mail to either or both of the email address and physical address I registered during the opt-in process". To me this sounds analogous to the security breach notification laws corporations are subject to in some jurisdictions, and I believe those are generally a good thing as well. Without them, you get the status quo, which is things like Nortel knowing they were compromised for years, and just not caring. I actually think this is likely the status quo at all major organizations. I mean really, do you think if Microsoft/Google/etc found out that major fractions of their internal infrastructures had been owned by foreign government X for the last 5 years, that without laws they would ever _do anything about it_ if the attackers were friendly enough to just be sucking data about their engineering and customers, and not actually impacting the day to day monetary business? I'm pretty sure what would happen in such a case would be some management screaming at some overworked internal security folks. And then the internal security folks would either brush the problem under the rug, or get fired when they explained exactly how many resources it would take to remotely adequately stop the espionage threat from government X. Bottom line: forcing by law companies to notify their customers when existing software discovers exploits seems like a really good idea to me. Yes, there will be some resulting pressure to just turn off their internal checks, but honestly, that doesn't bother me at all if, when those internal checks were finding things, they weren't going to bother telling the customers anyway.

    In fact, my optimistic hope, which I think is quite reasonable, is that when the actual scope of these things is forced into the public view, the horrendous security practices responsible will actually get remedied in the right ways. I truly don't get why there is so much resistance here to this idea, fundamentally (as I described above, i.e. not mandating new software be run, but just that if existing software already running thinks a customer is owned by hackers, they take the trouble of notifying the customer).

  12. Common carrier by Anonymous Coward · · Score: 0

    I would like my telephone company to detect telemarketers and take steps to prevent them from calling again.

  13. Common carrier status by Anonymous Coward · · Score: 0

    If they begin interacting and/or controlling users connections in some way such as possibly suggested, would these actions remove the provider (LEC/CLEC) from common carrier status?

  14. The wheelchair's man dooms you! by JCPM · · Score: 0

    Universal Theorem: a zombie can't be killed twice.

  15. Wow... by Higgins_Boson · · Score: 1

    Sounds like just another law coming around that will have tons of back doors in it, allowing them to say that pretty much anything is bad.

    This needs to be shot down before it can take its first breath.

  16. It will NEVER happen by Charliemopps · · Score: 2

    Having worked for multiple ISPs I can absolutely guarantee this will not happen.

    1. Most importantly: Figuring out who is infected is a huge amount of work. We'd need to scope out millions of dollars in project work to design a system to detect who has a problem, processes for creating tickets for people to notify them, hire people to do all of this work, then maintain this entire elaborate system every time we make a change to our network, our repair structure, etc... Even if the government funded a system, every ISP's internal structure is totally different. It would never work for more than 1. They'd have to fund every ISP's program individually, and the ISPs would suck up that funding like vampires and have little to show for it in the end.
    2. To notify the customer automatically you'd need to either A: send them an email, which about 98% of your customers don't use the email address you gave them, or B: redirect them via your DNS server to a warning page. But if they aren't using your DNS that's not going to work, and the people writing the malware/bots will figure that out and either block your warning page, or more simply change the customer's DNS server to Google's or something and your entire system is useless.
    3. When we do notify these people, what is the very first thing they are going to do? Call the ISP. What is a virus? How did they get it? When are we going to fix it for them? Well, they got it on our internet, they never had viruses when they had dialup... It's an hour long call at least. That just cost the ISP $20 and the customer is going to hang up and do nothing.
    4. It's of absolutely no benefit to the ISP to do anything like this. So what if the customers are infected? They have the internet, malware doesn't hurt the ISP's network unless the ISP itself is the target, which is rarely the case. Even if one of the ISP's customers is the target they just adjust a few routers and the problem goes away. The customer is blissfully unaware of their problem and paying their bill. You don't mess with that. And yes, customers really are stupid enough to think the malware they have had for years and didn't know about, but were suddenly notified of when they signed up for your service, came from you.
    5. Almost every ISP in the United States sells some sort of malware/antivirus package now. You're asking them to subvert their own product. Good luck getting that past product development.

    And lastly, I want to reiterate... the customer will DO NOTHING. They already know they have malware. Their computer runs like shit. They have habits that lead to them having malware. They bought their computer 10 years ago, their way of "fixing" it is using the Dell system restore disk that came with it that reverts it to the original unpatched version of XP. Then they install the pirated versions of AutoCAD and Photoshop they got from their brother-in-law 6 years ago, they sure are glad they kept all those CDs he burned... Then they go to bed, their teenage son gets up and surfs porn with IE6 from that fresh XP install, for a couple of hours. He erases the history... his tracks are covered.

    1. Re:It will NEVER happen by Zebai · · Score: 2

      It already happens. Time Warner and Comcast both have botnet detection. They put you in a restricted walled garden until you take steps to remove it. There is no email and there is no hugely complex packet sniffing software. It's quite easy to detect such botnet traffic as such traffic is very predictable in nature. Your computer sending large amounts of traffic to some known botnet location? Redirect all traffic to some basic HTML page with instructions. Customer does nothing and just lets it stay that way? No prob, you can pay for service that you don't use all you want to.

    2. Re:It will NEVER happen by Anonymous Coward · · Score: 2, Interesting

      4. It's of absolutely no benefit to the ISP to do anything like this. So what if the customers are infected? They have the internet, malware doesn't hurt the ISP's network unless the ISP itself is the target, which is rarely the case. Even if one of the ISP's customers is the target they just adjust a few routers and the problem goes away. The customer is blissfully unaware of their problem and paying their bill. You don't mess with that. And yes, customers really are stupid enough to think the malware they have had for years and didn't know about, but were suddenly notified of when they signed up for your service, came from you.

      *lol* - I'll second this: About a decade ago I saw a small business getting walloped by worm traffic to the point where it was suffering from the degraded link speed (firewall drops packets on the CPE side of the link, you see). I called the ISP and said "can you filter these ports, this traffic is getting heavy?" and the response was "no chance, once it enters the network we get billed from our upstream provider, so we need to deliver it somewhere so that we can charge for it" !

      [And three cheers to the captcha: plunder]

    3. Re:It will NEVER happen by Charliemopps · · Score: 1

      The "walled garden" you're talking about is a simple DNS redirect. I addressed that in my post. I suppose you could just disable their internet altogether... I don't see that as profitable do you?

    4. Re:It will NEVER happen by Anonymous Coward · · Score: 0

      I have worked for an ISP for the last six years. We can, without any substantial changes to our network structure, detect evidence of botnet activity and easily tie that back to individual customers (harder to tie to individual machines but it can be done). My employer currently admins down any customer that appears to be infected with malware that poses a risk to our network stability (things attacking DNS structure or etc) and could easily extend that to botnets. We probably should extend it to botnets.

      When a customer signs up for service with us they sign an agreement that, among other things, "stipulates that software uploads and downloads will be defined as interactive sessions and reserves the right to terminate any connection it deems to be a non-interactive session." Further "services should not be used to send unsolicited advertising or promotional materials" and "send unsolicited mass emailings from any Internet account" or "services for the collection or distribution of address lists to be used for such purposes."

      Additionally "Any use of system resources that disrupts the normal use of the system for other customers, or the use of other systems by their respective users is considered to be abuse of system resources and is grounds for administrative intervention." "Accounts which are locked or terminated as a result of violations of this agreement or any applicable laws will not be eligible for any monetary refund, and may be subject to additional administrative charges." "Confirmation of violations may result in cancelation of the individual account and/or criminal prosecution. The account suspension may be rescinded at the discretion of the Operations Manager, following payment of a reconnection charge."

      I would guess that MOST ISPs have some form of agreement along the same lines. It provides legal protection to the ISP if it becomes necessary to terminate service or etc.

      As to the walled garden comment, if we detect malicious traffic from a customer network (be it an individual computer or a large network) we inform the customer and give them a time frame to remove the infection; failure to comply results in loss of service. We don't bother with restricting their DNS, we just terminate service until they can prove that they have removed the malware.
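Both Zebai's description (traffic to a known botnet location, then a walled garden) and the ISP employee's above (detect at the network level, tie it back to an account, notify with a time frame, then cut service) reduce to the same pipeline. The script below is an added example written for this thread, not code from either poster or from any ISP. It aggregates NetFlow-style records against an indicator list, maps the source address to an account through a lease table, and applies the notify-then-restrict policy. Flow records, indicator addresses, lease table and thresholds are all constructed (RFC 5737 documentation ranges). As the poster notes, a WAN address behind NAT identifies the household, not the machine, which is what the lease lookup here gives you.

```python
"""Flag customers whose traffic matches known botnet destinations, then
decide between notification and a restricted (walled-garden) state.

Added example, not code from either poster or from any ISP. Flow records,
indicator list and lease table are constructed (RFC 5737 addresses).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed indicator list: addresses known to host botnet controllers.
KNOWN_C2 = {"203.0.113.7", "203.0.113.8"}

# Constructed lease table: customer WAN address -> account id.
# Behind NAT this identifies the household, not the individual machine.
LEASES = {
    "192.0.2.10": "acct-1001",
    "192.0.2.11": "acct-1002",
    "192.0.2.12": "acct-1003",
}

# Constructed NetFlow-style records: (src, dst, dst_port, bytes).
FLOWS = [
    ("192.0.2.10", "203.0.113.7", 443, 12_000),
    ("192.0.2.10", "203.0.113.7", 443, 11_500),
    ("192.0.2.10", "203.0.113.8", 8080, 9_800),
    ("192.0.2.10", "198.51.100.20", 443, 480_000),  # ordinary traffic
    ("192.0.2.11", "203.0.113.7", 443, 640),        # one small hit: not enough alone
    ("192.0.2.12", "198.51.100.21", 80, 30_000),
    ("203.0.113.99", "192.0.2.12", 22, 2_000),      # inbound noise, no lease for src
]


def detect_c2_contacts(flows, known_c2, leases, min_flows=3, min_bytes=20_000):
    """Aggregate flows to known C2 per account; return {account: evidence}.

    An account is reported when it made at least `min_flows` connections to
    indicator addresses or sent at least `min_bytes` to them. Thresholds are
    constructed for the example; a single stray packet should not trigger.
    """
    per_account = defaultdict(lambda: {"flows": 0, "bytes": 0, "destinations": set()})
    for src, dst, _port, nbytes in flows:
        account = leases.get(src)
        if account is None or dst not in known_c2:
            continue
        ev = per_account[account]
        ev["flows"] += 1
        ev["bytes"] += nbytes
        ev["destinations"].add(dst)
    return {
        acct: ev for acct, ev in per_account.items()
        if ev["flows"] >= min_flows or ev["bytes"] >= min_bytes
    }


def decide_action(account, notices, now, grace=timedelta(hours=48)):
    """Return 'notify' on first detection, 'restrict' once the grace period
    after notification has elapsed, otherwise 'wait'.

    `notices` is {account: datetime_first_notified}; it is updated in place
    so the same customer is not re-notified on every detection run.
    """
    first = notices.get(account)
    if first is None:
        notices[account] = now
        return "notify"
    if now - first >= grace:
        return "restrict"  # e.g. redirect to a cleanup page until remediated
    return "wait"


if __name__ == "__main__":
    flagged = detect_c2_contacts(FLOWS, KNOWN_C2, LEASES)
    notices = {}
    t0 = datetime(2012, 1, 1, 9, 0)  # constructed timestamp
    for acct, ev in flagged.items():
        print(acct, ev["flows"], "flows,", ev["bytes"], "bytes ->",
              decide_action(acct, notices, t0))
        print("  49 hours later ->", decide_action(acct, notices, t0 + timedelta(hours=49)))
```

The thresholds are the whole argument between the two posters: set them low and the support line fills with the calls Charliemopps describes; set them high and an infected box chatting quietly to its controller is never noticed. Keeping the `notices` state separate from detection is what lets the grace period work across repeated detection runs.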

    5. Re:It will NEVER happen by jc42 · · Score: 1

      And yes, customers really are stupid enough to think the malware they have had for years and didn't know about, but were suddenly notified of when they signed up for your [ISP] service, came from you.

      Actually, under the proposed scheme, this isn't at all stupid; it would be the sensible approach. After all, the ISP has been officially and legally assigned the task of monitoring all the customer's IP traffic for malware. The fact that it's on my machine means that the ISP totally failed at their government-required task. They are clearly responsible, according to the law, and have allowed the malware to transit their part of the network. They should be responsible for fixing the damage.

      If the ISPs don't like this, they should be seriously lobbying against such laws, and for a "common carrier" status that doesn't make them responsible for "content" in this way.

      --
      Those who do study history are doomed to stand helplessly by while everyone else repeats it.
  17. ISPs just say no by WaffleMonster · · Score: 1

    Although it seems like a great idea for ISPs to try and help customers, in reality they won't do it. The FBI recently tried to send notifications out to ISPs to notify their customers but their data was screwed up and 100% worthless.

    ISP: (Calling john smith)..
    JS: Hello

    ISP: Hello, I'm from x and your computer is infected with y.

    JS: No I will not install your malware you must be trying to scam me.

    JS: I have no idea what you just said...don't call back.

    JS: You allowed my computer to be infected?!?

    JS: I have to pay you to fix it for me?!? WTF!

    JS: How do you know? Are you spying on me???

    JS: My computer works fine, leave me alone.

  18. FCC chair should mind his own store first by Karmashock · · Score: 3, Insightful

    The FCC is currently mismanaging radio spectrum sales and partitioning. That is their primary function. Do that and once you're doing your ACTUAL job then worry about the internet which you in fact have no authority over.

    The FCC seems to be trying to fail up. TV viewership is dying so they're trying to expand themselves into the internet. I get it. But first maybe they should sell off that radio spectrum and do their actual jobs.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
    1. Re:FCC chair should mind his own store first by Anonymous Coward · · Score: 0

      The FCC has ditched their original mission statement (look it up and read it ya lazy fucks), screwed up regulation of power and frequency (the only thing they should be regulating), and now this stinking mission creep over to wired networks (presuming authority.)

      Considering the FCC chair is a presidential appointee, perhaps it's time to take the power of the FCC board away, and hand it over to the people. Let the people vote. (just not on those electronic vote tabulation devices)

      TAKE AWAY THEIR POWER AND LET THE PEOPLE VOTE.

    2. Re:FCC chair should mind his own store first by racerx509 · · Score: 1

      The FCC is currently mismanaging radio spectrum sales and partitioning. That is their primary function. Do that and once you're doing your ACTUAL job then worry about the internet which you in fact have no authority over.

      The FCC seems to be trying to fail up. TV viewership is dying so they're trying to expand themselves into the internet. I get it. But first maybe they should sell off that radio spectrum and do their actual jobs.

      Except for the fact that the original mission of the FCC was to regulate communications mediums by wire or radio. In the very beginning, their roots were traced to the FRC and they used the reasoning of spectrum scarcity to regulate radio waves, but it spread to broadcast and wire due to the pervasiveness of the medium. Like it or not, legal precedent is on their side until someone challenges it.

      --
      13 year old white supremacists are shitty web designers.
    3. Re:FCC chair should mind his own store first by Karmashock · · Score: 1

      There is no scarcity of cable. And the industry being what it is can strangle the FCC where it stands if it makes a point of interfering.

      The FCC really should concern themselves with their actual jobs, which, indifferent to their roots, remain partitioning the radio spectrum and managing its use. If they can't do that much then they have no business touching the internet.

      We won't put up with it.

      --
      I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  19. Comcast already does this by WrecklessSandwich · · Score: 2

    I got a robocall from Comcast a few months back advising me of an infected machine connected to my network. Sure enough, my parents' computer had a bunch of trojans on it that would probably have stuck around for a couple more weeks had they not called me.

  20. This? Or better infrastructure/faster internet? by Anonymous Coward · · Score: 0

    It's not (only) a question of whether or not this would be able to be pulled off in a way that wasn't intrusive or engaging in censorship. It's also a question of: is this really how we want the limited funds to be spent? Do we, the customers, want our ISPs to be checking for malware, rather than, say, increasing our connection speeds? Or, say, lowering the price? Some may say yes, while many will say no. Personally, I think I'd rather just see an opt-in option where ISPs offer this kind of service at an additional charge (might be unpopular, of course, unless, say, the ISP ALSO bundles it in with antivirus software, which they may perhaps be able to acquire at a discount from the original companies in exchange for the bulk purchase and the better market position it would give them out of the partnership).

    This may not be what everyone wants, and I understand that too. Botnets are a real problem, and at some point, hopefully we'll come up with a real working solution to them. This MAY be the best thing we have at this time. I hope not, and I don't particularly think it is, but I can't really claim to be an expert enough on the matter to have any final word.

    Anyway, just a little food for thought.

  21. Privacy by Anonymous Coward · · Score: 0

    ISPs should also take steps to protect customer privacy, especially against the media/copyright industry and the government.
    Police ask for info about a customer? Notify the customer and challenge the police in court.
    Copyright trolls want content taken down? Fight them in court.

    Of course that won't happen since Internet Service is a cartel (a few big corporations own the lines).

  22. Secure routing standards ? by Lennie · · Score: 1

    What secure routing standards? There are only secure routing practices; there are a few standards in development, starting with "Resource Public Key Infrastructure (RPKI)", but that is still very new and isn't yet broadly available from vendors.

    --
    New things are always on the horizon
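The part of RPKI a router or route server actually evaluates is route origin validation: a Route Origin Authorization (ROA) says which AS may originate a prefix and how specific an announcement may be, and each received route is classified as valid, invalid or not found against the set of ROAs. The script below is an added example, not code from the post and not any vendor's implementation; it applies the RFC 6811 classification rules to constructed ROAs and announcements (RFC 5737 documentation prefixes, RFC 5398 documentation ASNs) and shows the usual filter policy of dropping only invalid routes, since most of the table is still unsigned.

```python
"""Route Origin Validation against RPKI ROAs (RFC 6811 semantics).

Added example, not code from the post. ROAs and announcements are
constructed, using RFC 5737 documentation prefixes and RFC 5398
documentation ASNs. A route is:
  - 'valid'     if some ROA covering the prefix has the same origin AS and
                 the route's prefix length does not exceed that ROA's maxLength;
  - 'invalid'   if ROAs cover the prefix but none matches (wrong AS or too long);
  - 'not_found' if no ROA covers the prefix at all.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: str      # e.g. "192.0.2.0/24"
    max_length: int  # longest more-specific the origin may announce
    origin_as: int

    def covers(self, route):
        """True if `route` (an ip_network) lies inside this ROA's prefix."""
        roa_net = ipaddress.ip_network(self.prefix)
        if roa_net.version != route.version:
            return False  # an IPv4 ROA says nothing about IPv6 routes
        return route.subnet_of(roa_net)

    def matches(self, route, origin_as):
        """True if this ROA authorises (route, origin_as)."""
        return (self.covers(route)
                and self.origin_as == origin_as
                and route.prefixlen <= self.max_length)


def validate_route(prefix, origin_as, roas):
    """Classify an announced (prefix, origin_as) as valid/invalid/not_found."""
    route = ipaddress.ip_network(prefix, strict=True)
    covering = [roa for roa in roas if roa.covers(route)]
    if not covering:
        return "not_found"
    if any(roa.matches(route, origin_as) for roa in covering):
        return "valid"
    return "invalid"


def filter_announcements(announcements, roas):
    """Return the (prefix, origin_as) pairs a drop-invalid policy would accept.

    Valid and not_found routes are kept; only invalid ones are rejected, which
    is the usual deployment policy while most prefixes still have no ROA.
    """
    return [(p, a) for p, a in announcements
            if validate_route(p, a, roas) != "invalid"]


# Constructed ROAs (documentation prefixes and ASNs).
ROAS = [
    Roa("192.0.2.0/24", 24, 64496),
    Roa("198.51.100.0/24", 26, 64497),
    Roa("2001:db8::/32", 48, 64498),
]

# Constructed announcements as they might arrive in BGP.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),       # valid: exact match
    ("192.0.2.0/24", 64511),       # invalid: wrong origin AS
    ("198.51.100.0/25", 64497),    # valid: /25 within maxLength 26
    ("198.51.100.0/27", 64497),    # invalid: more specific than maxLength
    ("203.0.113.0/24", 64499),     # not_found: no ROA covers it
    ("2001:db8:1::/48", 64498),    # valid: IPv6 within maxLength 48
    ("2001:db8:1::/64", 64498),    # invalid: /64 exceeds maxLength 48
]

if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(f"{prefix:>18} AS{asn} -> {validate_route(prefix, asn, ROAS)}")
```

The maxLength rule is the one most often misunderstood: a ROA for 198.51.100.0/24 with maxLength 26 turns an announced /27 from the legitimate origin into an invalid route, which is why operators are told to keep maxLength equal to the length actually announced.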
  23. Good Luck With That by ThatsNotPudding · · Score: 4, Funny

    We need a general public that understands ...

    404 Not Found

    1. Re:Good Luck With That by causality · · Score: 1

      We need a general public that understands ...

      404 Not Found

      Then you, like me, recognize the problem. Are you, like me, working towards a solution by educating anyone you encounter who wants to understand?

      Anyone you can teach can also teach others; anyone they teach can teach others, and so on. It cascades. It grows exponentially.

      You can have a much greater impact than you think. You, acting alone, can do that. Imagine what happens when lots of others have the same unwavering determination...

      --
      It is a miracle that curiosity survives formal education. - Einstein
  24. Insider Trading? by Heretictus · · Score: 1

    I wonder if Genachowski owns stock in Kindsight?

  25. Not only ISPs should by bigbangnet · · Score: 1

    I've worked for an ISP for over 4 years and I've been on the Internet and know a lot about it (i.e. CCNA). Yes, ISPs need to step up to increase their security measures. It's astounding how they let people who are complete strangers go into their network and do whatever they want, when they want, without any authentication, nor take any measure to protect their network. Well, not completely true, they just do whatever they can when it's free and super cheap.

    There are also other security measures which could increase security in their "email" department, SMTP and POP for example. Most ISPs today do nothing in that part. Anyone can send emails to anyone without any limits... basically they suck there. Nothing is encrypted or authenticated, and if it is, it's not enough for security.

    Furthermore, lots of protocols need a big boost in security, as most of them today lack lots of security features which could increase productivity, stability and security. I'm amazed that in 2012 we still have spam, bots, zombie machines today since those same ISPs make millions.

  26. Buy ISP secured console. Get movies, games free. by Anonymous Coward · · Score: 0

    No maintenance and a subsidized price. Why pay more for an unlocked computer? /s