Unflattering comments about ISPs and DDOS

This article in ZDNET UK entitled "With ISPs like this, who needs
enemies?"
http://comment.zdnet.co.uk/andrewdonoghue/0,39027004,39175983,00.htm
contains some rather unflattering comments about ISPs who don't help
customers deal with DDOS attacks. The head of security technology
for a major ISP named in the article said:

"Why should ISPs do something? It's very much as if people want
something for nothing. This noise is superfluous and silly."

The thinking is this. There are two operational problems
here, one big and one small. The big one is when your
customer is the target of DDoS. The small one is when
your customers originate the DDoS.

I think the writer is telling us to treat these as two sides of the
same problem. If management buys into this view then it
would make the business case for the operational effort
needed to clean up botnets.

And if enough people clean up the bots on their network,
then a case can be made for depeering (or severely damping)
networks that don't clean up their act.

--Michael Dillon

Agreed.

But few, if any, will "clean up their act". For instance, consider:

  http://news.com.com/2102-1034_3-5218178.html

which is a news story discussing the enormous number of spam-spewing zombies
on Comcast's network and which says (in part):

  "Based on my conversations last week, Comcast's network engineers
  would like to be more aggressive. But the marketing department
  shot down a ban on port 25 because of its circa $58 million price
  tag--so high partially because some subscribers would have to be
  told how to reconfigure their mail programs to point at Comcast's
  servers, and each phone call to the help desk costs $9."

Since Comcast has elected not to pay that hypothetical $58 million
dollar price tag, see if you can guess who is. Those costs (whatever
they are) don't just evaporate into nothingness merely because Comcast
isn't picking up the tab.

Please note that since then, they've begun doing *some* port-25 blocking:

  http://news.com.com/2102-1038_3-5230615.html

But I can't find any evidence that they're doing anything other
than reactively blocking port 25 connections based on some usage
threshold. And of course that's purely symptomatic treatment for the
problem-of-the-moment: it doesn't cure the disease, doesn't un-zombie
the zombies and thus it lets them do anything/everything else they want.

---Rsk

That's quite ok, if they're unwilling to filter port 25 on their end, we
are more than happy to filter port 25 on our end. Many have already done
this.

-Dan

> "Based on my conversations last week, Comcast's network engineers
> would like to be more aggressive. But the marketing department
> shot down a ban on port 25 because of its circa $58 million price ...

> That's quite ok, if they're unwilling to filter port 25 on their end, we
> are more than happy to filter port 25 on our end. Many have already done
> this.

right, me too, but a surprising number of my friends strangely believe that
their ~1Mbit/sec home dsl connection (which 100 millions of less-clued people
have) should be able to originate e-mail the same way their ~1Mbit/sec work
DS-1 line (which only a few million had, and most of those cluefully) did.

therefore, while i reject e-mail from dsl on a wholesale basis, i have to
whitelist certain friends on a retail basis -- which is madness without end.
far better for the cable and dsl providers to kill off outbound smtp by
default and then re-enable it when a customer waves the right clue-flag.

[off-topic: lots of you/us have proposed global whitelists to solve this kind
of thing, but nobody has yet figured out how a scalable community can have a
single definition of "that which is good"... so don't start that thread again
just because it seems desirable (which it is) and technically easy (also).]

Since Comcast allows spamming (doesn't do anything to stop it) people
should start spamming the phones at the help desk and let them know
about the spam on their network. Although - two wrongs don't make a
right.

Best Wishes,

Blake L. Smith
XtremeBandwidth.com, Inc.
949-330-6400 Office
949-606-7100 Fax
www.XtremeBandwidth.com

Also, that's been tried before (first instance I can remember
being AGIS, circa 1996-1997), and has never had any appreciable
direct effect. Other tactics still work better.