In message <12301.1477525...@segfault.tristatelogic.com>, "Ronald F. Guilmette" writes:
>
> In message <caf-wqd5so0x5muw6updxmxd+h1ebcctl9ke9umec7k364of...@mail.gmail.com>
> Ken Matlock <matlock...@gmail.com> wrote:
>
> >- End users need to have ways to easily see what's going on over their
> >local networks, to see botnet-like activity and DDoS participation (among
> >other things) in a more real-time fashion
>
> This is an interesting point.
>
> I'm not actually an ISP guy, although I do play one on TV. Anyway,
> I hope nobody will begrudge me if I make a couple of brief points,
> and then ask a rather naive question.
>
> Point: I have a DSL line which is limited to 6Mbps down and 756Kbps up.
> My guess is that if any typical/average user is seen to be using more
> than, say, 1/10 of that amount of "up" bandwidth in any one given 10
> minute time period, then something is really really REALLY wrong.

No. Just uploading a video to youtube would cause a false positive
using that test. You need to know what "bad" traffic looks like
to find it. Packets flowing != "bad traffic". Unusual != "bad traffic".

Mark

> Point: I am already signed up with various services which will send me
> automated emails whenever certain events occur, e.g. when the price of
> 2TB WD Black drives falls below my personal threshold value.
>
> Point: My ISP knows my email address.
>
> Question: Could ISPs set something up so that each customer broadband
> line is continuously and individually monitored, and so that an automated
> email would be automagically dashed off to the customer if that customer's
> "up" bandwidth in some time period exceeded a value which, for that ISP,
> is deemed "reasonable"? (I envision the hypothetical email messages in
> question would consist of a non-threatening warning to the customer which
> would include a link to a web page where there would be a list of common
> things end-lusers should check for in such circumstances, along with
> detailed and clear instructions for how to check for each, and also a
> "don't ever bother me with these warnings again" checkbox, and perhaps
> even a friendly slider where the end-luser could adjust his personal
> warning threshold value, for the future.)
>
> Of course, any ISP that desperately -never- wants to receive -any- end-
> luser support calls quite certainly won't like this scheme. But I'm not
> sure that that fact alone would utterly disqualify the idea from being
> useful in some contexts.
>
> The real question is: Is anything even remotely along these lines even
> possible with existing commonly used ISP infrastructure? (If not, then just
> forget I mentioned it.)
>
>
> Regards,
> rfg
>
>
> P.S. One possible big advantage to the kind of system described above is
> that if an ISP received a complaint about a given customer, alleging that
> the customer is running a bot, then the ISP could go and look at the
> warning settings for that customer. If that's already been set to
> "don't ever bother me", then the ISP can disconnect the customer, and
> when the customer inevitably squawks about that, the ISP can respond and
> say "We told you so."

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: ma...@isc.org
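
The threshold test discussed above, applied to per-customer upstream byte counters. This is an added example, not part of the original message or anyone's production system; the sample records, customer names and function names are constructed, and 756Kbps is taken as 756,000 bits/s.

```python
from collections import defaultdict

UP_LINK_BPS = 756_000        # "756Kbps up" from the post
THRESHOLD_FRACTION = 0.10    # "1/10 of that amount"
WINDOW_S = 600               # "any one given 10 minute time period"

# Constructed samples: (time_s, customer, upstream_bytes_since_last_sample, ground_truth).
# Ground truth exists only because the data is made up; a line counter carries no such label.
SAMPLES = [
    (0,   "cust-a", 120_000,    "web browsing"),
    (300, "cust-a", 90_000,     "web browsing"),
    (0,   "cust-b", 20_000_000, "video upload"),
    (300, "cust-b", 22_000_000, "video upload"),
    (600, "cust-b", 150_000,    "web browsing"),
    (0,   "cust-c", 25_000_000, "bot traffic"),
    (300, "cust-c", 25_000_000, "bot traffic"),
    (600, "cust-c", 25_000_000, "bot traffic"),
    (900, "cust-c", 25_000_000, "bot traffic"),
]

def window_rates(samples, window_s=WINDOW_S):
    """Average upstream bits/s per (customer, window_start)."""
    totals = defaultdict(int)
    for ts, customer, nbytes, _label in samples:
        totals[(customer, ts - ts % window_s)] += nbytes
    return {key: total * 8 / window_s for key, total in totals.items()}

def flagged(samples, link_bps=UP_LINK_BPS, fraction=THRESHOLD_FRACTION):
    """(customer, window_start) pairs whose average rate exceeds the threshold."""
    limit = link_bps * fraction
    return sorted(k for k, bps in window_rates(samples).items() if bps > limit)

def would_email(samples):
    """Customers who would receive the proposed warning e-mail."""
    return sorted({customer for customer, _ in flagged(samples)})

if __name__ == "__main__":
    limit = UP_LINK_BPS * THRESHOLD_FRACTION
    for customer, start in flagged(SAMPLES):
        print(f"{customer} window@{start}s exceeds {limit:.0f} bps")
    print("warned:", would_email(SAMPLES))
```

On this data the video uploader and the bot-infected line are flagged by the same rule, and nothing in the volume figure separates them.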