Is Your ISP Watching You?

Have you ever sent e-mail to your clients and suddenly received bounce-backs with error messages saying your mail server is invalid or on a spam blacklist? Or how about this scenario:

You have a DSL or cable modem Internet connection, which has been working perfectly for years. Suddenly, the connection starts randomly cutting off several times a day. Rebooting the router reestablishes the link. Your network administrator says everything is working internally, but your staff is annoyed with the continual disruption.

What is going on? The most likely answer is that your ISP is filtering your Internet traffic without your knowledge, and it detected a denial of service (DoS) attack emanating from your network.

As the volume of viruses, DoS attacks and spam continues to grow exponentially, many Internet Service Providers (ISPs), who have typically taken a hands-off approach to network packet filtering, are no longer sitting on the sidelines. For the most part that’s good, but it can cause mysterious network outages and application problems. This month, we will discuss what ISPs are doing to protect networks from malicious use, how it can affect your business, and what to do to minimize the disruption.

Is There a Problem?
Over the past year, ISPs, both big and small, have been quietly implementing traffic profiling, network port filtering, and other efforts to block unwanted spam and malicious attacks. In principle, this is fine, because it cuts the overall amount of network traffic and protects you from attack.

However, many ISPs have installed firewalls without informing their customers, along with filtering rules so draconian that they could prevent companies from doing business. Don’t get me wrong: filtering ports and IP addresses to prevent malicious attacks from getting to your network is sensible for the protection of every Internet citizen. But when an ISP changes firewall and security settings and does not inform its customers about its practices, that is when it can cause a problem.

If you manage an in-house mail server on your company network and experience random bounced messages to legitimate addresses, that may be a symptom of poorly configured spam-filtering services. Even if you have a valid IP address, an ISP will often set the fixed address internally, but not actually assign it outside of their dynamic range. Since many spammers use dynamic IP addresses to avoid detection, the service assumes that an address from within a dynamic range is suspect, even if your assigned address is actually legitimate.
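To see what a receiving spam filter sees, you can run the two checks it typically makes against your mail server's public address: a blacklist lookup and a look at the reverse-DNS name. The Python sketch below is an added example, not part of the original article; the zone `dnsbl.example.org`, the keyword list and the sample addresses are placeholder assumptions.

```python
import ipaddress
import re
import socket

# Assumption: placeholder zone; use the blacklist named in your bounce message.
DNSBL_ZONE = "dnsbl.example.org"
# Assumption: keywords ISPs often put in host names for dynamic address pools.
DYNAMIC_HINTS = re.compile(r"dyn|dhcp|pool|dsl|cable|ppp|dial", re.I)
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Build the lookup name: IPv4 octets reversed, then the list's zone."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(ip, resolve=socket.gethostbyname, zone=DNSBL_ZONE):
    """Listed if the zone answers with a 127.0.0.0/8 address; no answer means not listed."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return False
    return ipaddress.IPv4Address(answer) in LISTED_RANGE


def ptr_looks_dynamic(ip, ptr_name):
    """Heuristic: the reverse-DNS name embeds the address or a dynamic-pool keyword."""
    if not ptr_name:
        return True  # assumption: a missing PTR record is treated as suspect
    tokens = re.split(r"[.\-_]", ptr_name)
    embeds_ip = all(octet in tokens for octet in ip.split("."))
    return embeds_ip or bool(DYNAMIC_HINTS.search(ptr_name))


def assess(ip, ptr_name, resolve=socket.gethostbyname):
    """Return the reasons a receiving spam filter might distrust this mail server."""
    reasons = []
    if is_listed(ip, resolve):
        reasons.append("listed on " + DNSBL_ZONE)
    if ptr_looks_dynamic(ip, ptr_name):
        reasons.append("reverse DNS looks like a dynamic pool")
    return reasons


if __name__ == "__main__":
    # Constructed sample: documentation address and an ISP-style host name.
    print(assess("203.0.113.7", "host-203-0-113-7.dyn.isp.example"))
```

If the reverse-DNS check is the one that fires, the fix lies with your ISP, which controls the reverse-DNS record for your address.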

A client of mine recently complained that their ISP connection was increasingly flaky. Every morning they would find the service down. Rebooting the router would fix the problem, temporarily. After many phone calls, their ISP finally admitted that it was shutting down access every time the traffic profile looked like the company was originating a DoS attack. One could argue that the ISP was legitimately protecting itself and others from the attacks, but why the secrecy? In this case, moving their Web site to a hosted data center and cleaning up the hacked server solved my client’s problem and saved them a bundle in unnecessary Internet connectivity charges.

The ISPs are also inconsistent about what they filter and how they do it. Some will blithely open every port and make it your responsibility to maintain a properly configured firewall, while others implement a highly secure firewall that shuts down every port except inbound 80 (http), 443 (https) and 25 (smtp). If you have a WAN-sensitive application that uses another port, or you have an internal server that needs limited external access, be prepared to spend quality time with your ISP’s technical support to open up the required ports.

Many small businesses do not have fixed IP addresses, but instead rely on their provider to give them a DHCP address. This is perfectly valid for a relatively small shop with simple access requirements, but ISPs configure their DHCP servers differently.

One company might force a DHCP address change at random, or if it detects outgoing Web (port 80) traffic, while another might have such a long time-out period that the address remains the same for years.

Even if you do own a static address, it isn’t nearly as static as you might think. Changing equipment and forgetting to map the old MAC address can sometimes cause the ISP’s server to issue a different address or stop working completely, depending on how the ISP authenticates a customer’s connection.

Practice Safe Networking
Before you blame your ISP and start complaining about poor service and bounced e-mails, make sure that you’ve done your part to keep your network safe from intrusion. If you take the following steps, you will make your ISP’s job easier when you do need to contact them.

  • Make sure that all of your computers have anti-virus and spyware protection installed. Keep them updated and always running.
  • Use a managed hosting service for your Web server. Unless you have a compelling reason to host your own Web site, a hosted service is very cost effective; the high availability is also a major benefit.
  • Consider using a managed e-mail service instead of maintaining your own system. This decision is not as clear-cut as the Web server, because it will depend on the number and size of mailboxes you need and your archiving requirements.

Beth Cohen is president of Luth Computer Specialists, a consulting practice specializing in IT infrastructure for smaller companies. She has been in the trenches supporting company IT infrastructure for over 20 years in a number of different fields including architecture, construction, engineering, software, telecommunications, and research. She is currently consulting, teaching college IT courses, and writing a book about IT for the small enterprise.
