North American Network Operators Group


Re: Schneier: ISPs should bear security burden

  • From: Dan Hollis
  • Date: Thu Apr 28 05:09:08 2005

On Thu, 28 Apr 2005, Iljitsch van Beijnum wrote:
> The problem is that the maliciousness of packets or email is largely  
> in the eye of the beholder. How do you propose ISPs determine which  
> packets the receiver wants to receive, and which they don't want to  
> receive? (At Mpps rates, of course.)

It's not up to the ISP to determine outbound malicious traffic, but it's up 
to the ISP to respond in a timely manner to complaints. Many (most?) do not.

> There are many ISPs that do less than they should, though. (Allow  
> spoofed sources, don't do anything against hosts that are reported to  
> send clearly abusive traffic, sometimes even at DoS rates...)

This is what I mean by the environmental polluter model: providers who 
continually spew sewage and do nothing to shut off attackers under their 
domain despite repeated pleas from victims.

A paper by Jeffrey Race - http://www.camblab.com/nugget/spam_03.pdf - 
was written about the spam problem, but touches on fraud and other 
malicious activity. The general attitude in the paper regarding providers' 
responses to spam complaints also applies to DDoS and other attacks. It's 
also interesting to note where Mr. Ebbers is today.

Has the situation gotten better? Maybe at UUNET it has since Mr. Ebbers' 
"departure", but most other places it appears to only have gotten worse[1]. 

Bigpond let things get so out of hand that their own network began to 
crumble, which is the only time I can think of in recent history that 
they've ever taken action to disconnect zombies. You can be certain the 
victims on the receiving end of Bigpond's zombied customers have little 
sympathy for Bigpond's situation. Remember, this is the ISP whose abuse@ 
box auto-deleted complaints for "unacceptable language". When you're so 
bad that AOL has to block you[2], you should probably consider cleaning 
up your network.

Sadly, these official policies of 'do nothing' come from the top, so 
engineers and administrators who are in a position to actually take action 
against blatant network abuse are explicitly forbidden to take 
any action.

So the real question seems to be how to effectively apply a cluebat to 
CEOs to get a reasonable abuse policy enforced. NANOG can host all the 
meetings it wants and members can write all the RFCs they want, but until 
attitudes change at the top, nobody will be allowed to do anything at the 
bottom.

-Dan

[1] http://sucs.org/~sits/articles/ntl_dont_care/
[2] http://www.smh.com.au/articles/2003/04/29/1051381931239.html?oneclick=true