Home page logo

nanog logo nanog mailing list archives

RE: On the back of other 'security' posts....
From: "Christopher L. Morrow" <chris () UU NET>
Date: Sat, 30 Aug 2003 22:06:41 +0000 (GMT)

On Sat, 30 Aug 2003, Terry Baranski wrote:

 Owen DeLong wrote:
The ISPs aren't who should be sued.  The people running
vulnerable systems generating the DDOS traffic and the
company providing the Exploding Pinto should be sued.  An
ISPs job is to forward IP traffic on a best effort basis to
the destination address contained in the header of the
datagram. Any other behavior can be construed as a breach of
contract.  Sure, blocking spoofed traffic in the limited
cases where it is feasible at the edge would be a good thing,
but, I don't see failure to do so as negligent.

In what instances is blocking spoofed traffic at the edge not feasible?
("Spoofed" as in not sourced from one of the customer's netblocks.)

Where exactly do you think that the duty to care in this
matter would come from for said ISP?

Isn't the edge by far the easiest and most logical place to filter
spoofed packets?  What are the good reasons not to do so?

As I'v said many times (so have a few others, more now than before) you
have to define the 'edge' first... My definition is: "as close to the end
system as possible". For instance the LAN segment seems like the ideal
place, its where there is the most CPU per packet, with the most simple
routing config and most predictable traffic patterns/requirements.

such packets from ever getting past their edge routers.  If edge
filtering isn't considered a "reasonably simple" thing to do, I'd like
to hear the reasons why.

its not tough, you just have to define the edge in the right way.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]