North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
RE: On the back of other 'security' posts....
On Sat, 30 Aug 2003, Terry Baranski wrote: > > Owen DeLong wrote: > > The ISPs aren't who should be sued. The people running > > vulnerable systems generating the DDOS traffic and the > > company providing the Exploding Pinto should be sued. An > > ISPs job is to forward IP traffic on a best effort basis to > > the destination address contained in the header of the > > datagram. Any other behavior can be construed as a breach of > > contract. Sure, blocking spoofed traffic in the limited > > cases where it is feasible at the edge would be a good thing, > > but, I don't see failure to do so as negligent. > > In what instances is blocking spoofed traffic at the edge not feasible? > ("Spoofed" as in not sourced from one of the customer's netblocks.) > > > Where exactly do you think that the duty to care in this > > matter would come from for said ISP? > > Isn't the edge by far the easiest and most logical place to filter > spoofed packets? What are the good reasons not to do so? As I'v said many times (so have a few others, more now than before) you have to define the 'edge' first... My definition is: "as close to the end system as possible". For instance the LAN segment seems like the ideal place, its where there is the most CPU per packet, with the most simple routing config and most predictable traffic patterns/requirements. > such packets from ever getting past their edge routers. If edge > filtering isn't considered a "reasonably simple" thing to do, I'd like > to hear the reasons why. its not tough, you just have to define the edge in the right way.