botnets: web servers, end-systems and Vint Cerf

After all these years, I'm still surprised a consortium of ISPs haven't figured out a way to do something a-la Packet Fence for their clients where - whenever an infected machine is detected after logging in, that machine is thrown into say a VLAN with instructions on how to clean their machines before they're allowed to go further and stay online. If you ask me, traffic providers (NSPs/NAPs) and ISPs don't mind this garbage coming out of their networks; if they did they'd actually band together and do something about it. It's obvious those charging for traffic will say little. Minimized traffic means minimized revenue. All I see is "No we despise that kind of traffic" along with a shrug and nothing being done about it. I'm sure if some legislative body somewhere started levying fines against providers, the net would be a cleaner place. For comments on 100 million infected machines... Doubtable. Anyone can play fuzzy math games, heck I just strangely figured out that MS is costing me an arm and a leg!
http://www.merit.edu/mail.archives/nanog/msg04755.html

All very nice. This sort of thing has been detailed a few dozen times by
various people. Doing this is not hard from a technical point of view
(which isn't to say it won't cost a lot of money to implement).

The hard bit is creating a business case to show how spending the money to
implement it and then wearing the cost of pissed off customers results in
a net gain to the bottom line.

If someone could actually do a survey to show how much each bot infested
customer is costing their ISP then people might be able to do something.
Right now AFAIK an extra 10,000 botted customers costs the average ISP no
more than a dozen heavy p2p users.

On the other hand Port 25 filtering probably is something that has low
enough negatives vs the positives for people to actually do.

>
> You misunderstand. The problem of securing machines *IS* solved. It is
> possible. It is regularly done with servers connected to the Internet.
> There is no *COMPUTING* problem or technical problem.
> The problem of the 100 million machines is a social or business problem.
> We know how they can be secured, but the solution is not being
> implemented.
>
> --Michael Dillon
>

> After all these years, I'm still surprised a consortium of ISPs haven't
> figured out a way to do something a-la Packet Fence for their clients

A walled garden? Surprisingly, despite little faith on NANOG, quite a few
ISPs are now employing these technologies and saving money.

  Gadi.

J. Oquendo wrote:

> After all these years, I'm still surprised a consortium of ISPs haven't figured out a way to do something a-la Packet Fence for their clients where - whenever an infected machine is detected after logging in, that machine is thrown into say a VLAN with instructions on how to clean their machines before they're allowed to go further and stay online.

This has been commercially available for quite some time so it would be only up to the providers to implement it.

Pete

Public ISPs have been testing these types of systems for over 5 years. What sorts of differences can you think of that would explain why public
ISPs have found them not very effective?

Public ISPs have been using walled gardens for a long time for user registration and collecting credit card information. So they know how to
implement walled gardens. But what happens when public ISPs use it for infected machines?

Many already do, successfully.

When I say many I actually mean I know of 6. 3 of them huge, 3 of them
relatively small.

> After all these years, I'm still surprised a consortium of ISPs haven't figured out a way to do something a-la Packet Fence for their clients where - whenever an infected machine is detected after logging in, that machine is thrown into say a VLAN with instructions on how to clean their machines before they're allowed to go further and stay online.

"Umm, Ma'am, I'm sorry, but before you make that emergency
call we'll need to go to www.update.nnn and update the OS
on your machine, seems you've got some malware there at
home somewhere and you're going to need to take care of
it for me, OK?"

"Sir, before you can continue watching the World Cup or Super
Bowl you'll need to remove the spyware from your son's PC."

> If you ask me, traffic providers (NSPs/NAPs) and ISPs don't mind this garbage coming out of their networks; if they did they'd actually band together and do something about it.

> It's obvious those charging for traffic will say little. Minimized traffic means minimized revenue.

IIRC, most North America providers have fixed-rate broadband subscriber
plans.

> All I see is "No we despise that kind of traffic" along with a shrug and nothing being done about it. I'm sure if some legislative body somewhere started levying fines against providers, the net would be a cleaner place. For comments on 100 million infected machines... Doubtable. Anyone can play fuzzy math games, heck I just strangely figured out that MS is costing me an arm and a leg!

While I understand your frustration, lest we not forget, providers are in
the business of making money, and solutions of this type today only add
to churn, additional operational expense and liability. It's not quite so
black and white as you make it, unfortunately.

With that, as Sean points out, providers are trying to address the issues
in a business-savvy manner and some do seem to have reasonable (IMO)
solutions underway. But be careful what you ask for, some of these
solutions you're mandating might very well resemble SiteFinder-style
schemas (or far worse) in order to justify the investment by the providers.

-danny
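As an added illustration, not code posted by anyone in this thread: the decision logic behind the quarantine VLAN proposed at the top of the thread, written to take account of the two objections raised in the replies, that a walled garden must not cut off emergency calling, and that false positives are what drive churn (so a single uncorroborated report only opens a ticket or a watch entry, and enforcement can be left to the abuse desk). It also handles the lease-correlation step that dynamic addressing forces: a report is attributed to a subscriber only if a DHCP lease covered that IP at the time. All host names, subscriber ids, thresholds and sample records are constructed assumptions; the rule output is a generic allow/deny form, not any vendor's syntax.

```python
"""Quarantine (walled-garden) decision logic for an access ISP.

Added illustration for this thread; not code from any poster. Every host
name, subscriber id, threshold and sample record is a constructed assumption.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Lease:
    """One DHCP lease: which subscriber held an IP during [start, end)."""
    ip: str
    subscriber: str
    start: datetime
    end: datetime


@dataclass
class Report:
    """One abuse report about an IP from some detection source."""
    ip: str
    seen: datetime
    source: str    # e.g. spam trap, sinkhole, IDS (constructed names)
    category: str  # e.g. "spam", "c2-beacon", "scan"


@dataclass
class Decision:
    subscriber: str
    action: str                  # "watch" | "ticket" | "quarantine"
    reasons: list = field(default_factory=list)


# What a quarantined host may still reach. The last two entries address the
# objection in the thread: the phone service must keep working.
GARDEN_ALLOW = [
    ("udp", "53",          "any",                "DNS, so the redirect page resolves"),
    ("tcp", "80",          "portal.isp.example", "remediation instructions"),
    ("tcp", "443",         "portal.isp.example", "remediation instructions"),
    ("tcp", "443",         "updates.os.example", "OS and AV updates"),
    ("udp", "5060",        "voip.isp.example",   "SIP signalling for the phone service"),
    ("udp", "10000-20000", "voip.isp.example",   "RTP media for the phone service"),
]


def subscriber_for(ip, when, leases):
    """Map IP + timestamp to a subscriber through lease history. On a
    dynamically addressed network the IP alone names nobody, so a report
    with no covering lease must not be acted on."""
    for lease in leases:
        if lease.ip == ip and lease.start <= when < lease.end:
            return lease.subscriber
    return None


def decide(reports, leases, now, *, min_sources=2, window=timedelta(hours=24),
           auto_enforce=False):
    """Return ({subscriber: Decision}, [reports with no matching lease]).

    Corroborated (>= min_sources independent sources inside `window`) and
    auto_enforce -> quarantine; corroborated but manual -> ticket for the
    abuse desk; a single source -> watch only."""
    per_sub, unattributed = {}, []
    for r in reports:
        sub = subscriber_for(r.ip, r.seen, leases)
        if sub is None:
            unattributed.append(r)
        elif timedelta(0) <= now - r.seen <= window:
            per_sub.setdefault(sub, []).append(r)
    decisions = {}
    for sub, rs in per_sub.items():
        sources = {r.source for r in rs}
        action = ("watch" if len(sources) < min_sources
                  else "quarantine" if auto_enforce else "ticket")
        decisions[sub] = Decision(sub, action, [f"{r.source}:{r.category}@{r.ip}" for r in rs])
    return decisions, unattributed


def garden_rules(ip):
    """Allow-list plus a final default deny for one quarantined IP."""
    rules = [f"allow {proto} {ip} {dst} {port}  # {why}" for proto, port, dst, why in GARDEN_ALLOW]
    rules.append(f"deny any {ip} any any  # everything else lands on the garden page")
    return rules


# Constructed sample data: documentation address ranges, fictitious subscribers.
T0 = datetime(2006, 6, 1)
SAMPLE_NOW = T0 + timedelta(hours=18)
SAMPLE_LEASES = [
    Lease("203.0.113.10", "sub-A", T0, T0 + timedelta(hours=12)),
    Lease("203.0.113.10", "sub-B", T0 + timedelta(hours=12), T0 + timedelta(hours=24)),
    Lease("203.0.113.11", "sub-C", T0, T0 + timedelta(hours=24)),
]
SAMPLE_REPORTS = [
    Report("203.0.113.10", T0 + timedelta(hours=6),  "spamtrap", "spam"),       # sub-A's lease
    Report("203.0.113.10", T0 + timedelta(hours=15), "sinkhole", "c2-beacon"),  # same IP, now sub-B
    Report("203.0.113.10", T0 + timedelta(hours=16), "spamtrap", "spam"),
    Report("203.0.113.11", T0 + timedelta(hours=10), "ids",      "scan"),
    Report("198.51.100.5", T0 + timedelta(hours=10), "spamtrap", "spam"),       # no lease on file
]

if __name__ == "__main__":
    for mode in (False, True):
        decisions, skipped = decide(SAMPLE_REPORTS, SAMPLE_LEASES, SAMPLE_NOW, auto_enforce=mode)
        print(f"auto_enforce={mode}: " + ", ".join(f"{d.subscriber}={d.action}" for d in decisions.values())
              + f"; unattributable={[r.ip for r in skipped]}")
    print("\n".join(garden_rules("203.0.113.10")))
```

With the sample data, the same IP is reported three times, but lease history splits those reports between two subscribers; only the second is corroborated by two sources, and whether that becomes a quarantine or an abuse-desk ticket depends on `auto_enforce`, the automated versus "activated by an abuse desk person" split described later in the thread.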

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Sean Donelan wrote:

>>> After all these years, I'm still surprised a consortium of ISPs
>>> haven't figured out a way to do something a-la Packet Fence for their
>>> clients where - whenever an infected machine is detected after
>>> logging in, that machine is thrown into say a VLAN with instructions
>>> on how to clean their machines before they're allowed to go further
>>> and stay online.
>>
>> This has been commercially available for quite some time so it would
>> be only up to the providers to implement it.
>
> Public ISPs have been testing these types of systems for over 5 years.
> What sorts of differences can you think of that would explain why public
> ISPs have found them not very effective?
>
> Public ISPs have been using walled gardens for a long time for user
> registration and collecting credit card information. So they know how to
> implement walled gardens. But what happens when public ISPs use it for
> infected machines?

- ---------------------------------
I believe aol (maybe Vijay) once talked about the very same sink hole
technique they use within their networks to fight bad traffic.

Not sure which nanog? Anyone?

regards,
/virendra

>> Public ISPs have been testing these types of systems for over 5 years.
>> What sorts of differences can you think of that would explain why public
>> ISPs have found them not very effective?
>>
>> Public ISPs have been using walled gardens for a long time for user
>> registration and collecting credit card information. So they know how to
>> implement walled gardens. But what happens when public ISPs use it for
>> infected machines?
>>
>
> Many already do, successfully.
>
> When I say many I actually mean I know of 6. 3 of them huge, 3 of them
> relatively small.

Interesting use of the word "many." Many people use Multics.

:))

I know of "many" more that have tested it and returned it to various
vendors. There are several tough problems people are still trying
to solve.

Yes, but that is because the successful ISPs currently often implement
their own if they have the resources and R&D power. The really big ones
have it automated, the small ones have it limited to be "activated by an
abuse desk person".

  Gadi.

> Yes, but that is because the successful ISPs currently often implement
> their own if they have the resources and R&D power. The really big ones
> have it automated, the small ones have it limited to be "activated by an
> abuse desk person".

And I also know "many" ISPs that developed home-grown systems and had to
abandon them due to various problems.

Until you understand the differences and why various attempts haven't
worked, you are doomed to repeat the same mistakes; and unlikely to
be successful beyond a few limited environments.

Agreed. Do you have any of these lessons you can share?

Is there a significant difference between the "many" ISPs implementing
walled gardens and other ISPs as far as infection rates?

Yes.

Then please share, many people would love to have that data.

Same goes for you with the sentence you removed above. :)

I am working on this, and hopefully will have something in a few months
which can be measurable rather than jokes about "many".

Is there a significant difference between the "many" ISPs implementing
walled gardens and other ISPs as far as infection rates?

Yes.

Then please share, many people would love to have that data.

Same goes for you with the sentence you removed above. :)

I have, many times over the last 5 years. Doing research is an amazing thing.

I am working on this, and hopefully will have something in a few months
which can be measurable rather than jokes about "many".

Many people will be waiting for your data.

One might presuppose infection rates are exactly the same, at
least until that ISP's user base upgrades, patches, auto-updates,
AVs, anti-spywares, whatever.. or finds a new ISP. I wonder how
long it'd take for such a policy institution to impact an entire 100%
user base?

I'd likewise be quite keen on seeing empirical evidence on trends
in cleanliness and/or churn from any of those ISPs in question, the
3 "huge" ones in particular - any of those folks *NOG-types?

Likely my last message on this thread, as I foresee the "OT
curmudgeon" mounting up (hint to them: "delete").

-danny