Security Incidents mailing list archives

Re: Nimda et.al. versus ISP responsibility


From: Rich Puhek <rpuhek () etnsystems com>
Date: Thu, 27 Sep 2001 15:02:46 -0500

We look at the issue two ways. First, we feel that an important part of
our service is notifying the customer of problems with their machine
that they may not have noticed. Second, we need to provide a good level
of service to all of our customers. 

The idea of providing a high level of service to all our customers may
mean that we have to deny service, temporarily or permanently, to a
customer whose actions are detrimental to the rest of our customers.
This means that we cut off spammers (so that our legit. customers can
still send email and participate in newsgroups), pornographic or
severely objectionable websites (so customers' reputations are not
influenced by association), and any activities that threaten the
security of our network or our customers' information. Don't believe that
a few bad apples can affect others on the same ISP? Ask a few email
administrators what they do with uu.net's dialup space :-)

This view has led us to cancel access for spammers and porn publishers.
It has also led us to inform several customers about infected machines
on their networks (Code Red, Nimda, and Ramen have been the biggest
offenders). In each case of infected machines, we were prepared to drop
the customer's connection if necessary (it never was).

We have a harder time tracking down the smaller (usually dialup)
offenders, given the rate they get infected and cleaned. They cause much
less of a problem though, so we haven't worried about them as much.

I think it is possible for an ISP to take individual action. I don't
think we can afford not to inform our customers of problems and take
action if necessary.

--Rich


Luc Pardon wrote:

   I'd like the opinion of the list on the attitude of ISP's versus
worms. It is clear that we're going to see more of this.

  I think we all agree that connecting an unpatched IIS machine to the
open Internet is acting irresponsibly. Most AUP's already prohibit
spamming, port scanning etc. (at least on paper). Why not include
"infection through negligence" as a reason for suspension? Maybe with a
reasonable grace period the first time.

  Problem is that one ISP can't go it alone. If they pull the plug, they
may lose the customer to a less responsible competitor.

  Unlike spammers, most worm victims are "offending" out of ignorance.
Such a provision in the AUP would likely get their attention and maybe
cause a mind shift towards "Unpatched Is Bad (tm)".

  What do you all think ?

  Luc Pardon
  Skopos Consulting
  Belgium



_________________________________________________________
                         
Rich Puhek               
ETN Systems Inc.         
_________________________________________________________

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

