Hey there, so, you want to be a good citizen and steward of the inet. DDoS and security attack after security attack happens, it won't ever stop. You try to do the best you can to effectively respond to it. You try to inform your customers. You try to educate them. Yet, you realize that you're not doing enough...

What do the rest of you SPs actually do to combat this threat? How do you keep the hype, fear, panic and despair of your management team (all the way to the CEO) in check? And that of your customers? Some of it is sometimes warranted.. but, got any ideas for crowd control?

In our case, we have several hundred thousand DSL customers today, and the million plus subscriber mark is on the engineering horizon. The problem of security threats & resulting incidents is going to get considerably worse before it gets better. And that's for at least two reasons.. the ramp up of broadband and presumably the declining sophistication of the subscriber population as a result of the greater market penetration.

Sure, you can try to teach your subscribers to protect themselves. But this is really not the answer. How many unsophisticated subscribers are going to be able to do this in an effective and timely manner? What do you do in response? How do you effectively scale the massive support effort needed for collaborative marketing of personal firewalls and the potential for false positives and negatives? Any ideas on the legal exposure of security services?

Like, in the current case, several providers have resorted to blocking port 80 to their non-DIA subscriber base. Is this really scalable? Obviously not for every threat. You can't effectively keep this up with the myriad of threats. Or can you? Is it realistic to be able to maintain your own NIDS patterns with the help of your own staff and public resources? Are options like security service providers the only workable option? Do they work at all? How effective are they? IDS will obviously only work against known threats..

How do you create an effective early warning system? How do you provide effective vaccination against an unknown threat? How do you respond to potentially massive infections of your subscriber base? Potential zombie manifestations in the 100k's are easily possible. They really do make Code Red's impact to date seem more like a case of a mild flu than any serious infection.

So, you do have a responsibility to your customers to protect them. To what extent is this realistic, though? Doesn't this also bear the risk of false security or even potential legal liabilities? How do you manage this risk? You do have also a responsibility to "protect" the rest of the world from zombie gatherings among your subscribers. Same questions apply.

So, I think it's clear that something needs to be done, but coming up with a definitive plan of attack is everything but trivial. This obviously doesn't just apply to DSL, it applies to Cable and whatever other broadband networks are out there or will evolve... We want to be a good steward and citizen of the inet, yet, these questions are tough to answer in any satisfactory way it seems. (Yes, I've taken some of these questions to various security forums from time to time, but none of them seem to represent a significant number of SPs; suggestions are very welcome.)

I'm sure this isn't a comprehensive list.. but, perhaps, it'll get a useful conversation going. Hey, I can hope, right?

Cheers,
Chris

--
Christian Kuhtz <ck@arch.bellsouth.net> -wk, <ck@gnu.org> -hm
Sr. Architect, Engineering & Architecture, BellSouth.net, Atlanta, GA, U.S.
"I speak for myself only."