In the 2+ years I have been working for an ISP I'm not aware of one customer that has gone over to one of our competitors because we identified and cut them off for an abuse issue. Most of them have been very grateful that we identified a problem and are earnest in resolving it. And for those who don't care? In a slight variation on an oft-quoted statement in this listserv, "I want my competitors to have them."

Frank

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Kradorex Xeron
Sent: Thursday, June 14, 2007 3:35 PM
To: nanog@nanog.org
Subject: Re: FBI tells the public to call their ISP for help

On Thursday 14 June 2007 10:27, michael.dillon@bt.com wrote:
Since many Microsoft patches are only legally available via the Internet, and an ISP can not predict which servers Microsoft will use to distribute Microsoft patches, ISPs must enable essentially full Internet access which includes access for most worms.
Has anybody tried a firewalling solution in which unpatched PCs are only able to access a special ISP-operated forwarding nameserver which is configured to only reply with A records for a list of known Microsoft update sites? And then have this specially patched nameserver also trigger the firewall to open up access to the addresses that it returns in A records?
According to Microsoft, their list of "trusted sites" for MS Update is *.update.microsoft.com and download.windowsupdate.com. Even if they have some sort of CDN (Content Delivery Network) with varying IP addresses based on topology or load, this is still predictable enough for a software solution to provide a temporary walled garden.
You don't need to make copies of their patch files. You don't need MS to provide an out-of-band list of safe IP addresses. As long as you are able to divert a subscriber's traffic through a special firewalled garden, an ISP can implement this with no special support from MS. Wrap this up with a GUI for your support-desk people to enable/disable the traffic diversion and you have a low-cost solution. You can even leverage the same technology to deal with botnet infestations although you would probably want a separate firewalled garden that allows access to a wider range of sites known to be safe, i.e. Google, Yahoo, ISP's own pages, etc.
--Michael Dillon
There's a major problem with this - End-users won't take nicely to being restricted from going to specific websites, and will more than likely go to another ISP rather than patch their computer, as they see no benefit of patching themselves. We see the benefit of the patches; they don't necessarily.

Not to single anyone out, but there will more than likely always be a careless (and/or clueless) ISP who doesn't care if over half their network is wormed. The customers from the ISPs who are cracking down on infected machines will simply go over to the ISP who doesn't care, as there would be "less hassle". What needs to be done is ALL ISPs across the board need to clean up their networks, thus cornering the lazy end-users into cleaning up their machines.

To be honest: There are too few ISPs that would want to take up the responsibility of filtering worm'd customers, and as well, the instant an ISP starts filtering, they may even set themselves up for a lawsuit from the customer saying "I paid for the service, why aren't I getting it?!"

And regarding Microsoft and their patching licences: Those patches may be their precious "legal property", but it's their hoarding of legal rights that's damaging hundreds of thousands of computers. Microsoft is currently abusing their market share standing and giving insufficient patch distribution (i.e. offline distribution). Therefore Microsoft should be held accountable for every computer that becomes infected with worms due to insufficient patching. To me, it sounds like Microsoft wants the power, but doesn't want the responsibility that comes with the power of great market share. It is time Microsoft be forced to take that responsibility.
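The walled-garden forwarder Michael Dillon sketches above (answer A queries only for the named update sites, and open the firewall for exactly the addresses returned) can be modelled in a few dozen lines. This is an added illustration, not code from anyone on the list; the `GARDEN` chain name, the resolver callback and the clock hook are assumptions, and the iptables rules are only rendered as strings, never executed.

```python
"""Toy model of a DNS-driven walled garden for unpatched subscribers.

Assumes the garden gateway forces a quarantined host's DNS to this forwarder
(e.g. by DNAT) and can install per-host firewall exceptions. Added example,
not code from the thread; chain name and helper signatures are assumed.
"""
import fnmatch
import time

# Update hosts named in the quoted mail; wildcard syntax as written there.
ALLOWED_PATTERNS = ["*.update.microsoft.com", "download.windowsupdate.com"]


def name_allowed(qname: str) -> bool:
    """True if the queried name matches the update-site allow list."""
    qname = qname.rstrip(".").lower()
    return any(fnmatch.fnmatchcase(qname, p) for p in ALLOWED_PATTERNS)


class GardenForwarder:
    """Answers only allow-listed A queries and opens the firewall for them."""

    def __init__(self, resolver, now=time.time):
        self.resolver = resolver   # callable: qname -> list of (ip, ttl)
        self.now = now             # clock hook so expiry can be tested
        self.holes = {}            # (client_ip, dst_ip) -> expiry timestamp

    def query(self, client_ip: str, qname: str):
        """Return the A records to hand back, or [] for refused names."""
        if not name_allowed(qname):
            return []                       # answer REFUSED/NXDOMAIN upstream
        records = self.resolver(qname)      # CDN may return varying IPs
        for ip, ttl in records:
            # Keep the hole open as long as the client may cache the answer.
            self.holes[(client_ip, ip)] = self.now() + ttl
        return [ip for ip, _ in records]

    def expire(self):
        """Drop firewall exceptions whose DNS TTL has run out."""
        t = self.now()
        self.holes = {k: v for k, v in self.holes.items() if v > t}

    def firewall_rules(self):
        """Render the currently open holes as iptables ACCEPT rules (strings)."""
        return [f"iptables -A GARDEN -s {c} -d {d} -m multiport "
                f"--dports 80,443 -j ACCEPT" for (c, d) in sorted(self.holes)]
```

Because the hole is keyed on the exact address the forwarder handed out, a quarantined host that hard-codes some other resolver or IP simply gets no rule, which is the behaviour the proposal relies on.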