Please bear in mind that much of this might be my take on viability,
practicality, or past activity related to some of these suggestions.
Moreover, this may not represent even my own opinions on the appropriate
course of action. Inline...
On Sun, Oct 26, 2003 at 06:01:09PM -0700, kenw@kmsi.net said something to the effect of:
..snip snip..>
1) Summarily fencing/sandboxing/disconnecting clients sending high volumes
of spam, virii, etc. You might politely contact your commercial/static
clients first, but anyone connecting a "bare" PC on a broadband circuit is
too stupid to deserve coddling.
Unfortunately, you have described the standard home user. Would love
to think that most have trusty firewalls guarding meticulously-patched
(non-Windows) boxen, but...
I expect our customers to watch their own backs, heed our admonitions, and
go so far to hope that they find the appropriate clues to be responsible,
but I can't imagine someone like Cox or CW or AOL or somesuch other alienating
a prevailing chunk of their customer base with one nasty-gram followed by
clobbering a switch port.
The great majority of your clients would thank you profusely.
I beg to differ on the last line. The happy ones would say nothing. And
we may not be able to hear them if they did over the yowling from the
unhappy ones who do not understand why we would do such a thing.
I may be wrong, but it seems to me that most of us (service providers, that
is) have some degree of a more involved customer notification process
that must be followed before we can begin swinging the ax like that.
Contractual obligation may often preclude a provider's harsh response to
abusive or patently irresponsible network activity more often than failure to
notice or give a flying fsck that it has transpired.
2) Notwithstanding the above, would it really be so hard to trap network
packets bearing clear signatures of the "plague of the month"?
<not_sarcasm>
Trap and do what with?
</not_sarcasm>
Sure, it
would create an extra load on routers or require special filtering
hardware, but wouldn't it be worth it? Again, no need to be comprehensive;
just blast the ones that are easy pickings.
Any other ISP that toyed with/deployed the filtering NetBIOS and/or 92-byte
ICMP packets will remember how grossly unpopular we became for doing so.
Accusations by customers and downstream engineers alike branded us fascist
iconoclasts with no consideration for the aphoristic hands that feed us, and
complete disregard for the needs of those who pay us for the evil service we
restrict providing. Search the convocations (circa 08/2003) on this list even
to get a feel for the dissent among the ranks regarding the feasibility and
wired morality of such an action.
Another trickier problem is fueled by the nature of the sploit-du-jour. If
some lamer opts to poke surreptitious holes or generate static by way of
a random, obscure, generally ignored port, the choice to filter is not
as difficult a one, beyond *poof* conjuring up resources to reign in
the resulting management nightmare. However, whether it be because of the
inherently pregnable code or a malware creator's awareness of the
impracticality (read: near impossibility) of recon and restricition of
certain types of traffic, many of these evasive maneuvers can ride the
clown car across critical service ports. Forget crippling a network by
filtering them, which is frequently the case; we wind up in some seriously
hot water for violating customer contracts, which forbid selective inhibition
of legit traffic along with the anomolous. It becomes a dichotomy of
casualties of war vs. curing the disease by killing the patient.
(fwiw...i break more than my fair share of eggs...)
To balance and consider both factions, providers are being tasked with
stepping up to the plate and scrutinizing large streams of traffic to
discern between the good and the bad based on other criteria. So now we're
faced with other issues that require extremely intuitive and invasive packet
inspection. Some of this is vaporware and is still skating around conference
tables of pitch men all over the place, others are gaining credibility and
becoming technologies many providers are striving toward actualizing.
Intrusion and extrusion detection are fabulous...nay...will set you free...and
ultimately necessary things, but some of what I'm seeing suggested here borders
on impossible to put to work without absurd overhead or flirting with serious
invasion of privacy.
For the record, I am by no means disagreeing with the logic of the suggestion,
but am merely playing experienced devil's advocate among those who may still
be sporting the collective bruise from past actions of this sort.
3) There was a thread a little while ago that talked about a way to cut
down spam by simply restricting who you would accept SMTP traffic from.
Unfortunately, I don't recall the details, but at the time it struck me as
eminently sensible, and just required cooperation between ISPs to implement
effectively.
There have also been numerous threads from a little while ago flaming AOL
and the like for deploying whitelist-type or no-auth-no-pass countermeasures
for spam. Again, I don't know what the right answer here is, but I can see
that, like every other coin, there are two diametrically opposed sides and
teams going to bat over this issue.
Perhaps the fault, dear Brutus, in this particular case continues to lie more
inarguably and blatantly than ever with the end users and in smtp itself,
which may honestly be dead. Clearly the protocol was not meant to withstand
the rigors and abuse (no pun intended) to which it is nowadays being
subjected. Its design over 20 years ago was intended to service a kinder,
gentler, more honest, and less devious Internet. Perhaps, if we're looking
to do the responsible thing and undo spam damage (and other similar ilks), we
should belly up to the bar and work to bolster the protocols and technologies. That may be all the more hand we as technologists can have in the matter.
One problem for the average ISP would be the monitoring and updating of
plague control infrastructure. It would probably be a lot easier with a
bit of cooperation and sharing -- either that, or someone could get rich
offering services to ISPs for a fee.
Average ISP, as in, what size? Tier 1? 2? 3? Managed service provider?
By the way, can anybody explain to me a legitimate use for port 135/137
traffic across the Internet, like it's somebody's private LAN? Seems to me
anybody who still thinks that's legitimate is living in the past.
That would be Microsoft. NetBIOS has no business on the Internet. End
of story.
So, the big question: why don't ISPs do more of this? Are they afraid of
client reaction? Doesn't wash, for me: most clients would be highly
grateful, and all it really takes for the remainder is fair warning. Cost?
Fair warning gives spammers time to migrate addresses and infected users
time to infect countless others. And the customers will not be unusually
happy; they have a right to expect exemplary service, as they are promised
and pay for it. I don't imagine that most of our subscribers are phoning
in to confirm and praise receipt of five-9s.
Again, you can judge for yourselves how low the fruit you choose to pick;
the biggest gains have the best ROI.
One last time...I agree with you that ISPs need to keep an eye on their
brood. I'm simply offering gentle explanations of why, perhaps, providers
haven't been able to more neatly and elegantly (and swiftly) mitigate the
burdens you note with the suggestions you raise. With that, regarding your
last point...
Be careful what you wish for. Let's do it! But...this will take everyone's
participation to work. I can see it now...sleazier ISPs will sell 135-139
access wide open on the black market by way of some crazy out-of-the-way
transit hole... 
Happy clients, liberated bandwidth, faster servers -- what's to loose?
Show me the first and I'll be much quicker to follow. I'd settle for the tooth
fairy sometimes, as I'm not sure those happy clients really exist...
Best of luck to you. Let me know if you find the answer? I'll put cycles
behind a worthy cause anyday...
ymmv,
--ra