Why Don't ISP's Do More to Protect Customers?

Barometer

There is an almost infinite number of nefarious players on the Internet, all seeking similar targets, your information, your identity, your money or something else illegal / criminal.

ISP's must know this. To assume they're just big, lumbering idiots who just supply a pipeline and have no clue what's going across those pipelines I would think is a silly notion.

They know what ISP's help facilitate the bulk of this nonsense, yet they are not blocked.
Packet sniffers could easily tell who's sending malicious content.

No, we don't want Government more involved, but ISP's aren't government. Is blocking KNOWN bad Internet players suppressing freedom and free speech?

Granted, I don't really know how ISP's work and what they can and cannot do so it's possible I may be missing the boat....but at least I asked and now someone can say why.
 
They aren't held accountable. You've essentially just undone your own request. The only way to hold them accountable is in the court of law, by the government. That's the fallacy in your request.
Or, you hire a 3rd party to constantly monitor/audit them. And, you pay said 3rd party enormous amounts of money to hold the ISPs to the standards set. And, the ISPs will spend billions to fight that from happening. They have already bought out the government. You don't think they could prevent your little 3rd party from getting involved?
Simply demanding they police themselves doesn't work. As we've seen in the current situation with the current FCC.
There is no technical answer to this question that doesn't involve politics at the highest level.
 
The guys who make the highway building equipment and build the highways don't care and don't monitor whether the cars and trucks that drive on highway have guns in the trunk.

They can put up regulation signs(No Guns Allowed!) but enforcement is up to another department altogether.

It is sometimes better to be good at one thing instead of trying to spread yourself too thin with too many tasks.
 
ISP = motivated by money
Government = motivated by serving the people... well in a perfect world.

The issue is the US government is NOT interested in serving its people. People are resources for the government.
The servitude direction is reversed of common sense in the states..
 
Leaving politics aside... On the surface, I honestly don't want the ISP doing anything other than serving me up data.

Then again... I get really mad at all the spam calls I get, do I blame my phone provider for allowing them through? Honestly, I do a bit... not so much my provider for letting them through, but ~their~ provider for allowing them to get placed in the first place. I don't see that the phone company has any reason to really eliminate them, when they are getting paid to allow them to go through.

So I guess I place a bit of distinction based on the origin - if I request it, I want it to come through unmolested. If it's being pushed or thrown at me, I don't necessarily want it.

So, I suppose in that regard, I would expect an ISP to provide some level of firewalling. But I can't really blame them if I get attacked, and my level of trust in a third party to protect me is very low, and I do believe in self-protection in that regard.

Good question. I can't really answer it without going down a rabbit hole.
 
Because my screen didn't come with a firewall.
 
Every normal ISP would block certain traffic and the good thing is most of the time the interest of the ISP and customer match - the ISP doesn't want unnecessary traffic across its wires or wireless, neither do customers. There is traffic that is just plain parasite and unwanted and ISPs at least here are aware and adequate.
Someone mentioned about phone companies and spam calls and this is a good example. Most of them could have implemented sort of "spam list" maintained at their level and the customer could have access to modify it without relying on their own phone's block lists. I guess this always has two "sides" and it has its reasoning to exist or not. I'm not a phone company.
 
There is an almost infinite number of nefarious players on the Internet, all seeking similar targets, your information, your identity, your money or something else illegal / criminal.

ISP's must know this. To assume they're just big, lumbering idiots who just supply a pipeline and have no clue what's going across those pipelines I would think is a silly notion.

They know what ISP's help facilitate the bulk of this nonsense, yet they are not blocked.
Packet sniffers could easily tell who's sending malicious content.

No, we don't want Government more involved, but ISP's aren't government. Is blocking KNOWN bad Internet players suppressing freedom and free speech?

Granted, I don't really know how ISP's work and what they can and cannot do so it's possible I may be missing the boat....but at least I asked and now someone can say why.

Trust me, you don't want these non-competitive ultra corporations responsible for what traffic should and shouldn't be blocked. Who's to say what a 'known bad player' is? Who's responsible for auditing what traffic they are blocking and why, so they don't start 'accidentally' blocking competing services? "Ooops, sorry for blocking Netflix, our automated scanner was showing malicious traffic from that IP". How do you verify that's true, and how do you resolve a false positive like that?

This is the exact kind of thing that net neutrality is supposed to protect. ISPs are dumb providers. If I make a request they ignorantly handle the data. Anything outside of that is going to head right down that slippery slope you're afraid of with 'government' regulating it. Everything about this suggestion is bad and WILL ABSOLUTELY be abused by the ISPs. Oh and if you don't like what your ISP is doing, tough shit since they are the only provider in your area.......


Every normal ISP would block certain traffic and the good thing is most of the time the interest of the ISP and customer match - the ISP doesn't want unnecessary traffic across its wires or wireless, neither do customers. There is traffic that is just plain parasite and unwanted and ISPs at least here are aware and adequate.
Someone mentioned about phone companies and spam calls and this is a good example. Most of them could have implemented sort of "spam list" maintained at their level and the customer could have access to modify it without relying on their own phone's block lists. I guess this always has two "sides" and it has its reasoning to exist or not. I'm not a phone company.


Spam calls are a different issue. They need to add some kind of anti-spoofing/verification as step 1. If they can't flag or determine the call is not coming from the number it says it is, then they will be blocking legitimate calls. Once they add that verification, we can just take care of the filtering on the client (phone) side much more accurately. We already have this kind of functionality in the web with DNS and just how network traffic itself works.
 
If we had actual competition among ISP's something like this might happen. It would be a differentiating feature they could use to draw in customers.

As it stands though, most Americans have one or fewer choices for decent internet service where they live.

When you don't have competition there is no motivation for them to do anything for the customer. They just have to maintain the bare minimum for people not to go without.

That said, even if there were competition, what do you think most people would choose? The ISP that promises more convenient installation in your house, or the ISP that offers more security features?

Judging by how many people are content running on unpatched computers and phones, internet security simply does not sell. People will choose anything (convenience, lower cost, etc.) before they choose security unfortunately.

This is why we can't have nice things.
 
Blocking malicious traffic is hard enough when you know what your traffic should look like. What may be malicious traffic to you may not be for me. I don't want your filters applied to my traffic and you can be certain you don't want mine applied to yours. Now exponentiate that by a 1000 and you start getting the picture. Now let's talk personal responsibility and adulthood. Grow up! Solve your own problems and stop trying to shift the blame and responsibility to others like a child. Your type disgusts me.
 
Keep ISPs out of censorship. If some service quits working, I don't want to have to contact ISP tech support each time and wade through the various tiers of support trying to get an answer as to if they are blocking.

You can always buy a firewall appliance that supports 3rd party subscription services to block unwanted traffic at your network perimeter. At least then if something stops working, you can check local logs for blocked traffic.
 
Keep ISPs out of censorship. If some service quits working, I don't want to have to contact ISP tech support each time and wade through the various tiers of support trying to get an answer as to if they are blocking.
Had a "managed" service through AT&T that was just this, and it was miserable. Of course any interaction with AT&T is miserable, but this was over the top. Ports would randomly stop working, and it would necessitate a call to support. The first tier support crew...I'm not sure what language that was, but it certainly wasn't English. The second tier was little better. By the third tier I might get someone who knew what a port was.

All in all, every time they shuttered a port because of 'suspicious traffic' (like my VPN traffic for instance. Work VPN too, not "linux ISO" VPN), it would take days to finally get it resolved. I got rid of them as quickly as I could and resolved to never use AT&T again, nor have a "managed" connection.
 
Had a "managed" service through AT&T that was just this, and it was miserable. Of course any interaction with AT&T is miserable, but this was over the top. Ports would randomly stop working, and it would necessitate a call to support. The first tier support crew...I'm not sure what language that was, but it certainly wasn't English. The second tier was little better. By the third tier I might get someone who knew what a port was.

All in all, every time they shuttered a port because of 'suspicious traffic' (like my VPN traffic for instance. Work VPN too, not "linux ISO" VPN), it would take days to finally get it resolved. I got rid of them as quickly as I could and resolved to never use AT&T again, nor have a "managed" connection.

That's a good point.

I can see something like this being a nice to have if it were actually competent, but the level of competency at ISP's is usually not particularly high.

Verizon FiOS is a little annoying because they require you to manually have your DHCP lease reset every time you replace your router. Since I roll my own, and like tinkering and upgrading, I do this a couple of times a year on average (though my current pfSense build has been in use for longer, and probably isn't going anywhere any time soon).

I still remember the one time I actually got a competent tech support representative on the first try. She was kind, knew what she was doing, and was surprised when I asked for the DHCP lease to be reset, because she said she had never had a customer use the correct terminology before.

With her, I got my issue solved in under 5 minutes. Other times I've called it's easily taken 5-10 times longer. I wish all tech support workers were as competent as she was.
 
ISP's transfer bits from place to place. I don't expect or trust them to stop potential nefarious entities online. At some point, they'd have the power to filter legitimate traffic that they don't agree with (porn, "hate" sites, etc.). Even if they did, there would need to be a standard rule list that all ISP's go off of, otherwise it'd be a mess from one ISP to another. An ISP's job is just to transfer information regardless of what it is. Netflix, porn, bomb making tutorials, My Little Pony NSFW images, [H]ardForum, email, whatever.

I think for the end user, they can run a firewall with pre-defined rules in place to block known baddies.

I don't think it should be done. But, if it were, it'd be a hell of a nightmare to implement on a large scale and maintain it.
 
ISP's transfer bits from place to place. I don't expect or trust them to stop potential nefarious entities online. At some point, they'd have the power to filter legitimate traffic that they don't agree with (porn, "hate" sites, etc.). Even if they did, there would need to be a standard rule list that all ISP's go off of, otherwise it'd be a mess from one ISP to another. An ISP's job is just to transfer information regardless of what it is. Netflix, porn, bomb making tutorials, My Little Pony NSFW images, [H]ardForum, email, whatever.

I think for the end user, they can run a firewall with pre-defined rules in place to block known baddies.

I don't think it should be done. But, if it were, it'd be a hell of a nightmare to implement on a large scale and maintain it.


There are some things they could (and probably should) do.

For instance, fingerprinting the network signatures of common botnet malware, and using it to disable and notify users would be a good thing IF they can get the false positives to a negligible level. It would have to be limited to only things that are damned certain though, or you wind up with the AT&T example above which would be unliveable.
 
ISPs have much stronger and capable equipment. They could do something to help the user against some e.g. DoS etc. An end user with a "poor" end-point firewall could not do much to stop some traffic that effectively could bring their connection bandwidth to its knees and make it almost unusable (the extreme case as example). It's part of the "health" of the internet service. Anything else should not be subject to filtering, firewalling etc of course.
Some ISP's side filtering could be supported with the end user (tech-savvy or friend) having access to modify its rules... - traffic that would otherwise reach the end user anyway. But that poses other risks mainly for user mistakes and increased ISPs support tickets :p .
 
ISPs have much stronger and capable equipment. They could do something to help the user against some e.g. DoS etc. An end user with a "poor" end-point firewall could not do much to stop some traffic that effectively could bring their connection bandwidth to its knees and make it almost unusable (the extreme case as example). It's part of the "health" of the internet service. Anything else should not be subject to filtering, firewalling etc of course.
Some ISP's side filtering could be supported with the end user (tech-savvy or friend) having access to modify its rules... - traffic that would otherwise reach the end user anyway. But that poses other risks mainly for user mistakes and increased ISPs support tickets :p .

How are they going to DDOS a home user's internet if they have no ports open/listening?.... Plus there isn't much to gain for the attacker so why would they even bother? I've seen expensive enterprise equipment struggle with lower scale DDOS, and read some articles where they were measuring the attacks in gigabytes from some insane botnet.... The only thing that could help against that scale of attack would be a large SaaS service designed around detecting/preventing DDOS.
 
I don't think it would be hard for ISPs to provide a user-facing interface for managing an IPS. They'd charge for it, sure, not just because it's a feature but because they'd need to support it, however, the option to do so as long as the power remains in the customer's hands and there is a legal understanding that the ISP isn't responsible for stuff not getting through due to poor user configuration would likely work.

And I could see it be a money maker for ISPs, assuming that they can 'dumb it down' enough for commonfolk to use it while still exposing enough to be useful to educated consumers, simply because they already have the equipment to do it right on the routing and filtering side. Hell, they'd even be able to sell metrics off it, again so long as they're legally prevented from providing granularity to identify individual users, where content providers can see what people in aggregate are blocking etc.

There are plenty of ways to do this, and one advantage might be the pooling of attack data between providers to shut down attacks far quicker.

Another could be to make it actually reasonably safe to provide 'self-hosted' services to consumers. A simple example could be plugging a USB drive into the provided modem, where the contents are accessible with a level of security specified by the consumer, with say 2FA on a mobile app and a browser-based file manager. Something like Nextcloud, but with automatic security and management. Add VPN to home and encryption on the drive to that and roll.
 
DigitalOcean is one of those REALLY messed up ISP's.

Probably 10,000 or more hits from their servers today. One every 1/2 second. A pseudo DOS attack. How do you stop it?

Are they THAT hacked?
 
After some research, yes, they are "that" hacked and/or complicit in a lot of abuse.

It may be time for a nice, large Class action lawsuit against DigitalOcean. There IS one way to get their attention.


https://www.google.com/search?sourc...z.....0..0i131j0i22i30j0i22i10i30.V4apfnF_4Gw

So you want to sue Digital Ocean because idiots can't set up security on their droplets?

Shit man, better sue every ISP on the planet for all of the idiots who have compromised machines in some botnet. Or just set up security properly on your devices and move on with your life.
 
That's... not even close to a DOS attack. That's a ping.

Well, ok.
But you don't see the traffic. It's "nefarious".
Check Google before you comment. Just search on "DigitalOcean+Hacking" and you'll learn how widespread and severe the problem is with DO
 
Note what I quoted. Nefarious traffic it may be, but that's not a DOS attack. Several orders of magnitude off.

Of course cloud solutions make malicious actions easier both to implement and to anonymize.
 
So you want to sue Digital Ocean because idiots can't set up security on their droplets?

Shit man, better sue every ISP on the planet for all of the idiots who have compromised machines in some botnet. Or just set up security properly on your devices and move on with your life.


So your philosophy is.....

"Hey man, why should the law go after criminals......just put more bars on your doors and get more guns"

Oh well....
Seems you have a pretty good idea how the US Justice system works today.
 
Note what I quoted. Nefarious traffic it may be, but that's not a DOS attack. Several orders of magnitude off.

Of course cloud solutions make malicious actions easier both to implement and to anonymize.

The point is not specifically my instance. But overall what's going on.

And all I'm saying is that as criminals evolve and find new ways to harm people, the system must also evolve to deal with it.

People already have more than enough "shit" to deal with without all this added BS

It's like the rise in bad behavior in America and so many other things that are changing for the worse. We just keep lowering the bar of expectations so that the norm is worse and worse.
 
This isn't feasible, and not realistic with our current infrastructure. Yes, this censorship could happen,....but it would HAVE to come from the government (akin to China's censorship), the technical solutions required would be massive, and would require all ISP's working together. But what it comes down to is money, and responsibility. One example I could think of: what if a hacker originates in China (no US ISP there), they install a C&C Botnet on someone's computer (over say AT&T ISP)...AT&T missed it (won't ever be able to catch everything.....not realistic), this C&C server from there starts handing out bots to a number of other hosts (some Frontier, some Verizon, some Direct TV). They then DDOS Amazon say....Amazon loses tons of money. Who is responsible? Do they all need to pay up? Is AT&T the ones because of the C&C server? What if the AT&T C&C server is in multiple ISP's? All ISP's inter-connect. How do you assign blame (financial blame)? Is it the origin of the traffic? The destination of the traffic? How do you officially prove origin of traffic when someone is using relay servers/vps etc? The ONLY way to do this would be to put all the ISP's under mass government regulation.....and it still wouldn't be that effective
 

So your philosophy is.....

"Hey man, why should the law go after criminals......just put more bars on your doors and get more guns"

Oh well....
Seems you have a pretty good idea how the US Justice system works today.

No, that's not what I'm saying. What you are saying is that a criminal walked down the street and looked at your house, so you want to send the FBI after them. If they break down the door (aka actually break into your server), sure contact law enforcement.

I don't know what your "10,000 hits" are, but it's laughable. Your math doesn't even make sense. 86400 seconds in a day, how is 10,000 one every half second? You're talking about equipment capable of handling MILLIONS of packets per SECOND.

You don't want any "attacks" from Digital Ocean? Write some firewall rules and block their entire IP space. Problem solved. Why does the ISP need to get involved?

Even if you held Digital Ocean accountable, what happens when they tell you some script kiddie in China, Russia, or wherever compromised a bunch of boxes. Is that their fault? No. It's the server admins'. How do you proceed from there? You gonna call up the FBI and tell them go to Russia and arrest some teenager because a bunch of people couldn't patch their servers or used some weak passwords? No, I guess by your logic you shut down Digital Ocean altogether and put them out of business.

You seem to have no concept that you are responsible for your own actions. If you don't like dealing with the problems of having a server on the internet, don't have a server on the internet. You don't pass the blame on to someone else.

If I leave my front door unlocked and someone comes in and steals everything I own, I don't tell the police it's their fault because they should have arrested him already. I left my door open, it's my fault.
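
An added illustration of the two technical points argued in the posts above (how often the hits really arrive, and blocking a provider's address space locally). It is not part of any post in this thread. The prefixes are placeholder documentation ranges rather than any real provider's space, the log format is constructed, and an existing nftables `inet filter` table with an `input` chain is assumed.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Placeholder prefixes from the RFC 5737 documentation ranges, NOT any real
# provider's address space; substitute the ranges the provider publishes.
PROVIDER_PREFIXES = ["198.51.100.0/24", "203.0.113.0/24"]

# Constructed sample log, format "<ISO timestamp> SRC=<ip> DPT=<port>".
SAMPLE_LOG = """\
2024-01-01T00:00:00 SRC=203.0.113.7 DPT=22
2024-01-01T00:00:10 SRC=203.0.113.7 DPT=22
2024-01-01T00:00:20 SRC=198.51.100.40 DPT=80
2024-01-01T00:00:26 SRC=192.0.2.15 DPT=443
2024-01-01T00:00:30 SRC=203.0.113.99 DPT=22
2024-01-01T00:00:40 SRC=not-an-ip DPT=22
"""

LINE_RE = re.compile(r"^(\S+)\s+SRC=(\S+)\s+DPT=(\d+)$")


def parse_log(text):
    """Return (timestamp, source address) pairs, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            events.append((datetime.fromisoformat(m.group(1)),
                           ipaddress.ip_address(m.group(2))))
        except ValueError:
            continue  # bad timestamp or bad address: ignore the line
    return events


def summarize(events, prefixes):
    """Count hits per listed prefix and the mean gap between those hits."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    per_prefix = Counter()
    times = []
    for ts, addr in events:
        for net in nets:
            if addr.version == net.version and addr in net:
                per_prefix[str(net)] += 1
                times.append(ts)
                break
    mean_interval = None
    if len(times) > 1:
        span = (max(times) - min(times)).total_seconds()
        mean_interval = span / (len(times) - 1)
    return {"total": len(events), "matched": len(times),
            "per_prefix": dict(per_prefix), "mean_interval_s": mean_interval}


def seconds_between_hits(hits_per_day):
    """Mean spacing of evenly spread hits over one day (86400 seconds)."""
    return 86400 / hits_per_day


def nft_block_commands(prefixes, table="inet filter", chain="input",
                       set_name="provider_block"):
    """Build nft commands that drop IPv4 traffic from the given prefixes.

    Assumes the table and chain already exist; set_name is hypothetical.
    """
    nets = ipaddress.collapse_addresses(
        ipaddress.ip_network(p) for p in prefixes)
    elements = ", ".join(str(n) for n in nets)
    return [
        f"nft add set {table} {set_name} "
        "'{ type ipv4_addr; flags interval; }'",
        f"nft add element {table} {set_name} '{{ {elements} }}'",
        f"nft add rule {table} {chain} ip saddr @{set_name} counter drop",
    ]


if __name__ == "__main__":
    print(summarize(parse_log(SAMPLE_LOG), PROVIDER_PREFIXES))
    print(f"10,000 hits/day = one every {seconds_between_hits(10000):.2f} s")
    print("\n".join(nft_block_commands(PROVIDER_PREFIXES)))
```

The `counter` keyword keeps a per-rule packet count, so the local logs show what the rule is dropping.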
 
In a perfect world I would like to see ISPs do more to keep things secure.

However..... In OUR world I would like ISPs to stick to moving packets from place to place and leave everything else alone. I will handle keeping myself safe. Corporations motivated purely by profit and greed should not have a say in what content I get delivered. That is a steep, slippery slope.
 
ISPs do much more than just "moving packets from place to place". I see where the "rant" is going but keep it "grounded" please. I like the world because it can be much worse if not mandated by today's "laws" of economy, profit etc. Think twice.
 
Making ISP's responsible for all the data on the internet that they help with routing etc....is an INSANE thought. First....some of you have said "deep packet inspection".....so you want the ISP's (corporate entities) to look at literally EVERYTHING and decide whether or not it is SAFE? Etc....uh huh.

Here's an analogy of what you're asking. If I said "We should make the department of transportation responsible for ALL drunk drivers on the highway, on all on-ramps we are going to stop and check EVERY vehicle for alcohol before they are allowed on the highway....in case of a drunk driver on a particular stretch of highway.....the on-ramp that let him through should be shut down.....bad on them." It's a silly notion.
 
Some of you folks have vivid imaginations and go off on some impressive tangents.

Back to reality please?
We ALL rely on ISP's to be our gateways onto the Internet.

Using the analogy above, are you sure you don't want any traffic policing ? You skipped about 10 steps in your analogy going straight to the ?? Dept of Transportation?? whoa!

Coulda sworn I said let's keep government out of this in the OP? But since you went there....

We have POLICE that help make our roads and highways safer. Your analogy says...."Forget Law Enforcement, let's take it upon ourselves to Police our highways".....really? C'mon.

But you make a good point. Thanks for making it.

One more thing...apparently from the replies, I'm not the only one wishing more could be done. China for example is ripping the USA a new one. That shouldn't be stopped? Seriously???
 
How do you suggest that we stop China from "ripping the USA a new one?"

Let's keep the analogies going. You're basically saying "cancer is bad, someone should cure cancer." We know it exists and is bad, but you can't just say "someone needs to do something about this" and magically fix the problem. It's a bit more complicated than that as shown by all of the people who don't want their ISP doing anything to their traffic. It sounds like you don't have enough knowledge in networking to understand why this isn't as simple as "bad man bad. ban him."

If I run ping -t 8.8.8.8 (which I have done more times than I can count) am I attacking Google? Probably not. What happens when someone has a botnet and tells thousands of machines to do the same thing? How does an ISP know what is legitimate traffic and what is not? This is an oversimplified example. It's not like 'insert government agency here' isn't trying to take down the owners of these botnets. Even if it is just one person trying to compromise one system, how does an ISP know if it is legitimate traffic or not?

Add in the fact that the internet is pretty much moving in a direction where all traffic is encrypted and you have a whole other can of worms.
 
How do you suggest that we stop China from "ripping the USA a new one?"

Let's keep the analogies going. You're basically saying "cancer is bad, someone should cure cancer." We know it exists and is bad, but you can't just say "someone needs to do something about this" and magically fix the problem. It's a bit more complicated than that as shown by all of the people who don't want their ISP doing anything to their traffic. It sounds like you don't have enough knowledge in networking to understand why this isn't as simple as "bad man bad. ban him."

If I run ping -t 8.8.8.8 (which I have done more times than I can count) am I attacking Google? Probably not. What happens when someone has a botnet and tells thousands of machines to do the same thing? How does an ISP know what is legitimate traffic and what is not? This is an oversimplified example. It's not like 'insert government agency here' isn't trying to take down the owners of these botnets. Even if it is just one person trying to compromise one system, how does an ISP know if it is legitimate traffic or not?

Add in the fact that the internet is pretty much moving in a direction where all traffic is encrypted and you have a whole other can of worms.


The first problem with your analogy is that BILLIONS have been and ARE BEING spent on Cancer research. How much would you say has been or is being spent on researching ISP ability to detect and stop such traffic?
The second problem is that when you have Cancer, there are specific, known "next Steps". These do not exist for this situation.
Third, there "should" be a MUCH better mechanism for dealing with it. Right now, when your server is attacked, what's the best you can do? Like others said, take it upon yourself to lock down your own server.
Anyway, I'm just the messenger. If you (or everyone) wants to argue why we do not need to do anything about it then great. I have one, insignificant server. If it gets hacked or even wiped clean, big whoop.
I would say almost everyone has a more important target than I do.

This might be aggravating to me, but it's in no way mission critical.
 
That said, I can proudly report that I have obviously caught International attention with this thread. And my server IP address has obviously been discovered here or shared because the number of attacks thrown at my server has gone astronomical.

Overall, I couldn't care less. My little insignificant server is nothing but a hobby. But, if you care and have something to hide or protect.....
All these imbeciles spending their time for what? LMAO.

My suggestion.....HIDE....STAY SILENT.....never get upset about hacking attempts (or any wrongs). Never complain. Just grab those ankles and enjoy it.

The vast majority of humans today will simply say YOU are the problem and point out why YOU are the problem.

It's the nature of the world we live in. ;)
 
I've taken my little hobby server offline. Indefinitely.

The fools have no idea they're just wasting their time. You can't hack something not connected to the Net. LOL
 
Someone's posts are starting to look a lot like the typical word salad of paranoid schizophrenia.
 
 
I almost didn't post my last response because OP seems like a troll, but after those last few posts I have no idea what to think.
 
.......... Granted, I don't really know how ISP's work and what they can and cannot do so it's possible I may be missing the boat....but at least I asked and now someone can say why.

This is becoming quite obvious,

and yes I jumped to the Dept of Transportation right away...because that is essentially what ISP's are to the internet....I DO know how they work (I work for a very large one as a Network/Security engineer)...I also used to work at another very large one as well. The reason I 'jumped' to department of transportation is that is precisely what 99% of ISP's are.


Also, read another post about the color of this forum. I may not be able to convince my employer to inspect the world's internet traffic and save your hobby server....but I might be able to save your eyesight :) (at least on Firefox). Go to options, languages and color, select color..., then in the drop down "override colors set by webpage with selections above" choose 'always'. Granted, you'll likely want to toggle this back and forth...but if you want to read the forums for a bit that should help. :)
 