In message <CAL9jLaZNBP9GWFzHnB1AGG8MRnK3dH=qeQb_KeigKc198zDaJw@mail.gmail.com>, Christopher Morrow writes:
On Mon, Sep 26, 2016 at 7:49 PM, Mark Andrews <marka@isc.org> wrote:
Giving them real time access to the anomalous traffic log feed for their residence would also help. They or the specialist they bring in will be able to use that to trace back the problem.
wouldn't this work better as a standard bit of CPE software capability?
While this would be useful, it is not sufficient. This may or may not match what the ISP is detecting and basing its reports to the customer on. Such a feed could also include MTA logs for email nominally from the customer. etc. If we want customers to clean up networks, use of the ISP's services, they need to be able to see what is going wrong as far as the ISP is concerned. You guys complain when you don't get good data to chase down abuse reports. Your customers need the same data. The more you can automate this the cheaper it is to provide. Additional the more you inform your customers, the better they will feel about you as a ISP, and the less abuse reports you will get from external sources as a compromised box can do anything. It's in your long term interests to get that compromised box fixed / removed. Yes, there will be setup / development costs.
wouldn't something as simple as netflow/sflow/ipfix synthesized on the CPE and kept for ~30mins (just guessing) in a circular buffer be 'good enough' to present a pretty clear UI to the user?
ip/mac/vendor sending (webtraffic|email|probes) to destination-name [checkbox] <repeat>
select those youd' like to block [clickhere]
This really doesn't seem hard, to present in a fairly straight forward manner... sure 'all cpe' (or 'a bunch of cpe') have to adopt something similar to this approach... but on the other hand: "At least my ISP isn't snooping on all my traffic"
-- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org