North American Network Operators Group
RE: On the back of other 'security' posts....
Owen DeLong wrote:

> The ISPs aren't who should be sued. The people running
> vulnerable systems generating the DDOS traffic and the
> company providing the Exploding Pinto should be sued. An
> ISP's job is to forward IP traffic on a best effort basis to
> the destination address contained in the header of the
> datagram. Any other behavior can be construed as a breach of
> contract. Sure, blocking spoofed traffic in the limited
> cases where it is feasible at the edge would be a good thing,
> but, I don't see failure to do so as negligent.

In what instances is blocking spoofed traffic at the edge not feasible? ("Spoofed" as in not sourced from one of the customer's netblocks.)

> Where exactly do you think that the duty to care in this
> matter would come from for said ISP?

Isn't the edge by far the easiest and most logical place to filter spoofed packets? What are the good reasons not to do so?

> Again, I just don't see where an ISP can or should be held
> liable for forwarding what appears to be a correctly
> formatted datagram with a valid destination address.

I guess "correctly formatted" is a relative term. When *isn't* a packet with a spoofed source IP address guaranteed to be illegitimate? Maybe such packets shouldn't be considered "correct".

> This is the desired behavior and without it, the internet
> stops working.

The Internet stops working when legitimate packets aren't forwarded. Spoofed packets don't fall into this category.

> The problem is systems with consistent and
> persistent vulnerabilities. One software company is
> responsible for most of these, and, that would be the best
> place to concentrate any litigation aimed at fixing the
> problem through liquidated damages.

I don't think it's appropriate to point the finger at one entity here. Lots of folks can play a part in helping out with this problem.

That spoofed packets often originate from compromised hosts running Microsoft software doesn't justify ISPs standing around with their hands in their pockets if there are reasonably simple measures they can take to prevent such packets from ever getting past their edge routers. If edge filtering isn't considered a "reasonably simple" thing to do, I'd like to hear the reasons why.

-Terry
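The edge filter Terry is arguing for, modelled as an added example (not code from the original post or from any NANOG participant): each customer-facing port carries a list of the netblocks that customer may source traffic from, and a packet arriving on that port with a source outside them is dropped and counted. Interface names, prefixes and the sample packets are constructed; ports with no configured list (an uplink, or a customer whose legitimate sources cannot be enumerated) are left unfiltered, which is where "feasible at the edge" ends.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Hypothetical edge router: customer port -> netblocks assigned to that customer.
# A port absent from this table has no ingress source filter configured.
ALLOWED_SOURCES = {
    "ge-0/0/1": [ip_network("192.0.2.0/24")],
    "ge-0/0/2": [ip_network("198.51.100.0/25"), ip_network("203.0.113.64/26")],
}


def ingress_permitted(interface, src):
    """True if src may legitimately enter on interface.

    Unfiltered ports (no entry) permit everything; filtered ports permit only
    sources inside one of the customer's own netblocks.
    """
    allowed = ALLOWED_SOURCES.get(interface)
    if allowed is None:
        return True
    addr = ip_address(src)
    return any(addr in net for net in allowed)


def filter_packets(packets):
    """Apply the check to (interface, src, dst) tuples.

    Returns (forwarded, dropped, per-interface drop counts). The counts are the
    operational signal: a port that suddenly sheds many packets is a customer
    host that has started spoofing.
    """
    forwarded, dropped, drops = [], [], Counter()
    for iface, src, dst in packets:
        if ingress_permitted(iface, src):
            forwarded.append((iface, src, dst))
        else:
            dropped.append((iface, src, dst))
            drops[iface] += 1
    return forwarded, dropped, drops


# Constructed sample traffic: legitimate, spoofed (private, another customer's
# block, outside the assigned /26) and uplink traffic that is not filtered.
SAMPLE_PACKETS = [
    ("ge-0/0/1", "192.0.2.10", "198.51.100.5"),
    ("ge-0/0/1", "10.0.0.1", "198.51.100.5"),
    ("ge-0/0/1", "198.51.100.7", "192.0.2.1"),
    ("ge-0/0/2", "203.0.113.70", "192.0.2.1"),
    ("ge-0/0/2", "203.0.113.200", "192.0.2.1"),
    ("xe-1/0/0", "8.8.8.8", "192.0.2.10"),
]

if __name__ == "__main__":
    fwd, drp, counts = filter_packets(SAMPLE_PACKETS)
    print(f"forwarded={len(fwd)} dropped={len(drp)} per-port={dict(counts)}")
```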