RE: On the back of other 'security' posts....
From: "Terry Baranski" <tbaranski () mail com>
Date: Sat, 30 Aug 2003 14:26:14 -0400
Owen DeLong wrote:
> The ISPs aren't who should be sued. The people running
> vulnerable systems generating the DDOS traffic and the
> company providing the Exploding Pinto should be sued. An
> ISP's job is to forward IP traffic on a best effort basis to
> the destination address contained in the header of the
> datagram. Any other behavior can be construed as a breach of
> contract. Sure, blocking spoofed traffic in the limited
> cases where it is feasible at the edge would be a good thing,
> but, I don't see failure to do so as negligent.
In what instances is blocking spoofed traffic at the edge not feasible?
("Spoofed" as in not sourced from one of the customer's netblocks.)
> Where exactly do you think that the duty to care in this
> matter would come from for said ISP?
Isn't the edge by far the easiest and most logical place to filter
spoofed packets? What are the good reasons not to do so?
> Again, I just don't see where an ISP can or should be held
> liable for forwarding what appears to be a correctly
> formatted datagram with a valid destination address.
I guess "correctly formatted" is a relative term. When *isn't* a packet
with a spoofed source IP address guaranteed to be illegitimate? Maybe
such packets shouldn't be considered "correct".
> This is the desired behavior and without it, the internet
The Internet stops working when legitimate packets aren't forwarded.
Spoofed packets don't fall into this category.
> The problem is systems with consistent and
> persistent vulnerabilities. One software company is
> responsible for most of these, and, that would be the best
> place to concentrate any litigation aimed at fixing the
> problem through liquidated damages.
I don't think it's appropriate to point the finger at one entity here.
Lots of folks can play a part in helping out with this problem. That
spoofed packets often originate from compromised hosts running Microsoft
software doesn't justify ISPs standing around with their hands in their
pockets if there are reasonably simple measures they can take to prevent
such packets from ever getting past their edge routers. If edge
filtering isn't considered a "reasonably simple" thing to do, I'd like
to hear the reasons why.
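The filtering the thread argues about is ingress filtering at the customer edge (the technique documented in RFC 2827 / BCP 38): a packet coming in on a customer-facing port is forwarded only if its source address belongs to one of that customer's assigned netblocks, which is exactly the definition of "spoofed" used above. The following Python is an added illustration of that check, not code from either poster; the port names, prefixes and sample packets are constructed values.

```python
"""Edge ingress-filter check: forward a customer's packet only when its source
address lies inside a prefix assigned to the port it arrived on.
Added example, not part of the original thread; all values are constructed."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed table: customer-facing port -> prefixes assigned to that customer.
CUSTOMER_PREFIXES: Dict[str, List[str]] = {
    "ge-0/0/1": ["203.0.113.0/24"],
    "ge-0/0/2": ["198.51.100.0/25", "2001:db8:100::/48"],
}

Packet = Tuple[str, str, str]  # (ingress port, source address, destination address)

# Constructed sample traffic arriving at the edge router.
SAMPLE_PACKETS: List[Packet] = [
    ("ge-0/0/1", "203.0.113.45", "192.0.2.10"),      # source inside the customer's block
    ("ge-0/0/1", "198.51.100.7", "192.0.2.10"),      # another customer's block: spoofed
    ("ge-0/0/2", "2001:db8:100::1", "2001:db8::1"),  # IPv6 source inside the customer's block
    ("ge-0/0/2", "10.0.0.1", "192.0.2.10"),          # RFC 1918 source: spoofed
    ("ge-0/0/9", "203.0.113.45", "192.0.2.10"),      # port with no assigned prefixes
]


def build_filter(table: Dict[str, List[str]]) -> Dict[str, List[ipaddress._BaseNetwork]]:
    """Parse the prefix strings once so the per-packet check is cheap."""
    return {port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in table.items()}


def ingress_allowed(filter_table: Dict[str, List[ipaddress._BaseNetwork]],
                    port: str, src: str) -> bool:
    """True if src falls inside a prefix assigned to the ingress port.

    A port with no assigned prefixes is default-deny: the edge only knows what
    is legitimate for its own customers, which is why this check belongs at the
    edge and not on transit links."""
    addr = ipaddress.ip_address(src)
    nets = filter_table.get(port)
    if nets is None:
        return False
    return any(addr.version == net.version and addr in net for net in nets)


def classify_packets(filter_table: Dict[str, List[ipaddress._BaseNetwork]],
                     packets: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """Split traffic into (forwarded, dropped) according to the ingress rule."""
    forwarded: List[Packet] = []
    dropped: List[Packet] = []
    for pkt in packets:
        port, src, _dst = pkt
        (forwarded if ingress_allowed(filter_table, port, src) else dropped).append(pkt)
    return forwarded, dropped


if __name__ == "__main__":
    table = build_filter(CUSTOMER_PREFIXES)
    fwd, drp = classify_packets(table, SAMPLE_PACKETS)
    for pkt in fwd:
        print("FORWARD", pkt)
    for pkt in drp:
        print("DROP   ", pkt)
```

The rule is simple because the edge router has information nobody downstream has: the list of prefixes it handed to each customer. The practical objection, and the reason the quoted text speaks of "limited cases", is that the list has to be kept complete, for instance for a multihomed customer whose legitimate source prefixes include space it obtained through another provider; the filter is only as good as that table.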