Home page logo
/

nanog logo nanog mailing list archives

RE: On the back of other 'security' posts....
From: Owen DeLong <owen () delong com>
Date: Sat, 30 Aug 2003 23:51:02 -0700



 Owen DeLong wrote:
The ISPs aren't who should be sued.  The people running
vulnerable systems generating the DDOS traffic and the
company providing the Exploding Pinto should be sued.  An
ISPs job is to forward IP traffic on a best effort basis to
the destination address contained in the header of the
datagram. Any other behavior can be construed as a breach of
contract.  Sure, blocking spoofed traffic in the limited
cases where it is feasible at the edge would be a good thing,
but, I don't see failure to do so as negligent.

In what instances is blocking spoofed traffic at the edge not feasible?
("Spoofed" as in not sourced from one of the customer's netblocks.)

That depends on your definition of edge, I suppose.  I define it as the
port on one of my routers where the other end of the link is connected
to a machine I don't control.  In those terms, edge filtering makes sense
in some cases and not in others.  If it's a dial-up or T1 customer which is
a single business, it makes sense.  If it's an ISP with a few fortune 500
customers, it doesn't work out as well.

Where exactly do you think that the duty to care in this
matter would come from for said ISP?

Isn't the edge by far the easiest and most logical place to filter
spoofed packets?  What are the good reasons not to do so?

Again, where "edge" is a single end-customer, yes.  Where edge is simply
the connection of two border routers among ISPs, it's alot harder
vs. minimal gain.  While I agree that "edge" filtering is good practice
anywhere it makes sense, I still don't think that legislating it through
liability is a good precedent to set.  I'm already far enough off topic
for today that  won't go into the details of the legal slippery slope
it creates.

Again, I just don't see where an ISP can or should be held
liable for forwarding what appears to be a correctly
formatted datagram with a valid destination address.

I guess "correctly formatted" is a relative term.  When *isn't* a packet
with a spoofed source IP address guaranteed to be illegitimate?  Maybe
such packets shouldn't be considered "correct".

I carefully chose the term "correctly formatted" instead of "valid" for
exactly that reason. If the datagram contents conform to the RFC definitions
of what an IP datagram should contain and in the correct order and relative
octet positions, then, the packet is a "correctly formatted" packet.
If an ISP has a way to feasibly filter a link for spoofed addresses without
risk of creating false matches, then, it is good practice to do so. However,
there are many links where this is not feasible.

This is the desired behavior and without it, the internet
stops working.

The Internet stops working when legitimate packets aren't forwarded.
Spoofed packets don't fall into this category.

Agreed. However, there are a limited number of places where this distinction
can be reliably made in software.  In those locations, it makes sense to
discard what can reliably be discarded.  More agressive proposals represent
damage.

The problem is systems with consistent and
persistent vulnerabilities.  One software company is
responsible for most of these, and, that would be the best
place to concentrate any litigation aimed at fixing the
problem through liquidated damages.

I don't think it's appropriate to point the finger at one entity here.
Lots of folks can play a part in helping out with this problem.  That
spoofed packets often originate from compromised hosts running Microsoft
software doesn't justify ISPs standing around with their hands in their
pockets if there are reasonably simple measures they can take to prevent
such packets from ever getting past their edge routers.  If edge
filtering isn't considered a "reasonably simple" thing to do, I'd like
to hear the reasons why.

I think it is appropriate to point the finger at root cause and focus
resolution on the root cause.  The root cause is a software company which
has systematically engineered vulnerabilities into their software and
aggressively propogated these vulnerabilities to as many systems as they can.

However, that having been said, I'm not saying that ISPs should stand around
with their hands in their pockets.  Where reasonably simple measures which
do not create collateral damage can be taken, they should.  As to edge
filtering, I suspect you are restricting the term to a different definition
of edge than mine.  As such, I think I have explained the parts of the edge
where I consider it unreasonable.

I also think that ISPs should take the relatively simple precaution of
including in their AUP that if the customer starts sending attack
traffic, regardless of reason, the ISP has the right to filter, block,
rate limit, or otherwise disconnect the customer until customer resolves
the issue.  Then, I think ISPs should be more agressive about actually
doing so.

However, I'm very tired of the idea that everyone else should go to elaborate
lengths to engineer around broken software because it's too popular and too
hard to get it fixed.  At some point, we're going to have to recognize that
broken software (at this level, at least) is unacceptable and as much pressure as possible to resolve that issue _MUST_ be brought to bear on the responsible
party.  This is inherently the biggest disadvantage to closed-source
software.

Owen


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]