
Thread: Broadband and ISP Security

  1. #1
    AO Security for Non-Geeks tonybradley's Avatar
    Join Date
    Aug 2002
    Posts
    830

    Broadband and ISP Security

    As more home users sign up for broadband access and connect their computers to the Internet 24/7 they present a prime target for hackers. Home users are generally not security savvy and are lucky if they use Windows Update or update their AV software once a month.

    Given unpatched, unprotected, relatively weak security and a high-speed connection you have a volatile mix for propagating viruses and worms of all types.

    While running an Apache web server on a Redhat Linux box and logging my traffic I noted somewhere in the neighborhood of 40,000 to 50,000 hits a week from Nimda-infected computers that were on my ISP's subnet. I could go through, pick out the unique IP addresses and notify the ISP and hope they would do something, but since it had no effect on me (being that it was a Linux machine) I just ignored it.

    My question is this: do you feel that ISPs should be somehow monitoring their networks for activity like that and shut down or notify the users? I realize they can't inspect every packet due to privacy and performance issues. But, couldn't they have an IDS somewhere or a honeypot of some sort just to pick up and deal with some of this traffic so it isn't out there waiting for the next unpatched / unprotected machine to infect and continue the cycle?

  2. #2
    I agree that ISPs should have a system of some sort to monitor traffic on their networks to possibly help identify compromised customer systems. I am not sure of the possibility of doing this, however, and I also think the costs of implementing such a system might be undesirable for the ISPs in today's economic climate.

    Just my opinion.



    ccKid

  3. #3
    Purveyor of Lather Syini666's Avatar
    Join Date
    Aug 2001
    Posts
    553
    Well, to an extent most ISPs do basic checks of packets, mainly to prevent packet spoofing and the like. IMHO ISPs should be keeping a general eye on what's going on, at least as far as things like Code Red, Nimda and the like are concerned. I would not be surprised to see ISPs become more involved in security as the need for it rises.
    You're not your post count, You're not your avatar or sig, You're not how fast your internet connection is, You are not your processor, hard drive, or graphics card. You're the all-singing, all-dancing crap of AO
    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

  4. #4
    Senior Member
    Join Date
    Mar 2003
    Posts
    452
    Most ISPs are not going to capture traffic, unless it's to analyze the performance of the network, because it would be an invasion of privacy to start capturing the details of users' online sessions. It would be nice, though, if they temporarily disconnected other users until their machines didn't present a threat to others.


    PuRe

  5. #5
    Most ISPs will not capture transmitted traffic. The top priority of the ISP, which provides interconnection to customers, is to ensure that packets are transmitted as fast as possible with the minimal cumulative delay. Along with that, keeping the route table as small as possible but accurate is another important thing to do.

    Of course the ISP router/switch must examine the packet, but just to route the packets to the appropriate next hop until the packet reaches its destination. Keeping track of the origin of the packets is out of each ISP's scope; it requires a HUGE database / route table at the ISP, thus reducing significantly the performance of the transit network.

    Of course, security must be taken into account. Logs, intrusion detection systems and firewalls are implemented, in the manner of providing flexible security but also keeping the delay minimal.

    Security and performance must be balanced.

    If I send a packet from Viet Nam, it will transit over 30 hops to reach a web server in San Jose. Will it be recorded at all 30 hops?
    Let's go to Paramount Great America !!!! LFC (LookingForChick)

  6. #6
    AO Security for Non-Geeks tonybradley's Avatar
    Join Date
    Aug 2002
    Posts
    830
    As I said in my original post:

    "I realize they can't inspect every packet due to privacy and performance issues"
    But, I wasn't inspecting every packet or impacting overall network performance. I was simply logging hits to my own server. Couldn't an ISP just as easily set up an HIDS or a honeypot of some sort that won't inspect ALL traffic, but will at least inspect the traffic that hits that specific host?

    Using my own example again, if the ISP would have set up my same Linux box and checked the logs they could have identified 10 to 20 IP addresses a week from their own subscriber subnet that were infected with and actively broadcasting Nimda traffic. They could have checked once a week and contacted the individuals affected to try and protect the other 1 million customers on their network.

    I also think they should do server-level virus scanning for the ISP-offered email. Not that they should try to inspect all SMTP traffic or protect you from viruses when you access Hotmail or anything. But, if I subscribe to an ISP and use the ISP's email I think it's reasonable to have an expectation that the ISP wouldn't forward emails to me with known viruses or worms.

    Just my $.02

  7. #7
    AO Security for Non-Geeks tonybradley's Avatar
    Join Date
    Aug 2002
    Posts
    830
    I agree that if an ISP were to try and implement an NIDS they would create a bottleneck, slow down the overall speed of passing the packets through and possibly be invading privacy by inspecting packets not intended for them.

    But my example involves setting up a host on their own network just as if they were a customer like me. Using a HIDS, or something similar, on a single host they would be able to detect malicious traffic without impacting overall network performance. Further, they would not be violating anyone's privacy because they would only be inspecting packets that were directed at their HIDS host in the first place.

    I don't believe this to be a comprehensive solution by any stretch. But, I can take any old $200 computer and install Linux for free. I can set up an HIDS or some sort of logging for free. The only cost really would be whatever time it took for them to inspect the logs, determine the unique IP addresses and contact the owners to remediate the problem or shut them down until they do. They certainly won't catch all malicious traffic, but if they can eliminate what they can from their own subnets it would be an improvement.

    As far as cost benefits, that is a little tough. Would it save some bandwidth? Yes. But, I don't know if it would stop enough traffic to significantly impact bandwidth. I would think that customer satisfaction would improve if customers could feel relatively safe that they won't be bombarded by malicious traffic from their own ISP. Eventually companies, including ISPs, may very well be held liable for not taking reasonable measures to stop the propagation of cyber threats, so that would be another benefit.
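The procedure tonybradley describes in posts #1 and #7 (log hits on a single host, pick out the unique source IPs on the subscriber subnet, hand the list to someone who can contact the owners) is small enough to script. The following is an added example and not code from the thread or from any ISP; the log lines are constructed in Apache combined format, 192.0.2.0/24 stands in for the ISP's subscriber subnet (198.51.100.0/24 is "elsewhere"), and the `root.exe` / `cmd.exe` request fragments are the well-known signatures such worm probes leave in a web server's access log. The function names are my own.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample Apache combined-format log lines (not real traffic).
SAMPLE_LOG = """\
192.0.2.17 - - [20/Mar/2003:10:01:02 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
192.0.2.17 - - [20/Mar/2003:10:01:03 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
192.0.2.44 - - [20/Mar/2003:10:05:10 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
192.0.2.90 - - [20/Mar/2003:10:07:55 -0500] "GET /_vti_bin/..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
198.51.100.8 - - [20/Mar/2003:10:09:00 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
192.0.2.17 - - [20/Mar/2003:11:01:02 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276 "-" "-"
"""

# Apache combined log format: client ip, ident, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Request-path fragments that Nimda / Code Red style propagation probes ask for.
# These only serve as a match pattern over our own server's log.
PROBE_PATTERNS = ("root.exe", "cmd.exe")


def is_worm_probe(path: str) -> bool:
    """True if the requested path looks like a worm propagation probe."""
    lowered = path.lower()
    return any(fragment in lowered for fragment in PROBE_PATTERNS)


def find_infected_hosts(log_text: str, subscriber_net: str, min_hits: int = 1) -> dict:
    """Return {source_ip: probe_count} for probing sources inside subscriber_net.

    min_hits lets the operator ignore one-off hits and report only hosts that
    keep probing, which is the behaviour of an actually infected machine.
    """
    net = ipaddress.ip_network(subscriber_net)
    counts = Counter()
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # malformed line: skip it rather than abort the whole run
        if not is_worm_probe(match.group("path")):
            continue
        try:
            ip = ipaddress.ip_address(match.group("ip"))
        except ValueError:
            continue  # hostname-resolved or garbage field; not a usable address
        if ip in net:
            counts[str(ip)] += 1
    return {ip: n for ip, n in counts.items() if n >= min_hits}


def abuse_report(hosts: dict) -> list:
    """One line per host, most active first, for whoever contacts the owners."""
    ordered = sorted(hosts.items(), key=lambda item: (-item[1], item[0]))
    return [f"{ip}\t{count} probe(s)" for ip, count in ordered]


if __name__ == "__main__":
    infected = find_infected_hosts(SAMPLE_LOG, "192.0.2.0/24", min_hits=1)
    print("\n".join(abuse_report(infected)))
```

Sources outside the subscriber subnet are dropped on purpose: the post's point is that the ISP only needs to act on its own customers, and that is the part of the list it can do anything about. Raising `min_hits` trades sensitivity for a shorter list to work through by hand.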

  8. #8
    Senior Member
    Join Date
    Nov 2002
    Posts
    382
    I don't think NIDS are a realistic security solution for an ISP, mainly because of the huge amount of data ISP network access points face, and also because that will mean they will have to take countermeasures all the time, and that will be very costly compared to the customer service it will provide (many people are not even aware of internet dangers).

    But what I'm sure of is ISPs could implement easily and for low cost basic firewalls for three main goals:
    1- Anti-spoofing: drop any packets with forged IP source addresses
    2- After DDoS detection from the customer (mainly enterprises), react more efficiently than with simple CISCO ACL tuning.
    3- Attacker tracking.
    SHARING KNOWLEDGE
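The first of the three goals above, dropping packets whose source address is forged, is what ingress filtering at the customer edge does: a packet arriving on a customer port is only accepted if its source falls inside the prefixes assigned to that port. Below is an added example of that decision logic, not code from the post or from any vendor's firewall; the port-to-prefix table, the bogon list and the packet records are all constructed, using documentation address ranges, and the function names are my own.

```python
import ipaddress

# Constructed assignment table: which source prefixes legitimately sit behind each
# customer-facing port. Documentation ranges only, not any real ISP's addressing.
CUSTOMER_PREFIXES = {
    "eth1": ["192.0.2.0/25"],
    "eth2": ["192.0.2.128/25", "203.0.113.0/24"],
}

# Source addresses that should never arrive on a customer port from the outside.
BOGON_SOURCES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


def build_filter(table: dict) -> dict:
    """Compile the prefix strings once so every packet is a cheap membership test."""
    return {port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in table.items()}


def ingress_verdict(filters: dict, port: str, src: str) -> str:
    """Return 'accept' or a 'drop:<reason>' string for a packet from src on port."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return "drop:malformed-source"
    if any(ip in bogon for bogon in BOGON_SOURCES):
        return "drop:bogon-source"
    allowed = filters.get(port)
    if allowed is None:
        # No assignment for this port: fail closed rather than pass unknown traffic.
        return "drop:unknown-port"
    if any(ip in net for net in allowed):
        return "accept"
    # Routable address, but not one this customer was assigned: forged source.
    return "drop:spoofed-source"


def apply_filter(filters: dict, packets: list) -> tuple:
    """Classify (port, src, dst) records; return per-packet verdicts and a drop tally."""
    verdicts = []
    tally = {}
    for port, src, dst in packets:
        verdict = ingress_verdict(filters, port, src)
        verdicts.append((port, src, dst, verdict))
        if verdict != "accept":
            tally[verdict] = tally.get(verdict, 0) + 1
    return verdicts, tally


# Constructed packet records: (arrival port, source address, destination address).
SAMPLE_PACKETS = [
    ("eth1", "192.0.2.10", "198.51.100.1"),    # assigned to eth1: legitimate
    ("eth1", "203.0.113.5", "198.51.100.1"),   # that prefix belongs to eth2: spoofed
    ("eth2", "203.0.113.5", "198.51.100.1"),   # same source on its own port: legitimate
    ("eth1", "10.1.2.3", "198.51.100.1"),      # private source on a customer port: bogon
    ("eth3", "192.0.2.10", "198.51.100.1"),    # port with no assignment: fail closed
    ("eth1", "not-an-ip", "198.51.100.1"),     # unparseable source field
]

if __name__ == "__main__":
    compiled = build_filter(CUSTOMER_PREFIXES)
    for record in apply_filter(compiled, SAMPLE_PACKETS)[0]:
        print(record)
```

The drop reasons are kept distinct on purpose: a rising count of `drop:spoofed-source` on one port is exactly the signal an ISP would want to see before a customer's machine is used in the kind of reflection or flooding the post's second goal is about, while `drop:unknown-port` points at a provisioning gap rather than a customer.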

  9. #9
    Purveyor of Lather Syini666's Avatar
    Join Date
    Aug 2001
    Posts
    553
    Networker > true, a NIDS could be cumbersome if it was set to check everything going on, but it probably would not hurt to have it configured to monitor low-traffic but critical areas like customer information databases, billing systems, and other areas of interest to would-be attackers.

  10. #10
    Dead Man Walking
    Join Date
    Jan 2003
    Posts
    810
    My question is why should the ISP worry about it if the user wants to screw up his system by not educating himself about the potential threats posed by a 24/7 connection?
