Security Incidents mailing list archives

Re: ISP Filtering (Survey of Sorts)


From: "Nick FitzGerald" <nick () virus-l demon co uk>
Date: Sat, 2 Jun 2001 12:44:23 +1300

Joe Shaw <jshaw () insync net> wrote:

<<generally accepted/understood stuff snipped>>
The generally accepted model is to filter as close to the edge as
possible, and most ISPs that I've dealt with seem to take this to mean
it's your responsibility to do so.  Remember, the NSP's job is to forward
packets to you as fast as possible.  Filtering will generally be your
responsibility, not theirs.  Personally, I'd much rather know what's
coming at me so I can trend what people are trying to do against my
network.  It may be tedious to weed through, but just like Stoll's $.25
accounting discrepancy, something in there might point to something you
should be paying attention to.

Sure.  As proved "useful" when something happened to grc.com
recently, as documented at:

   http://grc.com/dos/grcdos.htm

But once you have worked out what's being done, what responsibility 
should your ISP/NSP take?

And for how long?

Imagine you were being hit like grc.com (approx 500 machines firing 
600+ MB of ping traffic and infinite other UDP rubbish at two T1s), 
but unlike Steve Gibson, you were unable to SE the perpetrators to 
stop...

How many weeks would your domain have to be off the net before the 
FBI's (effective) $200,000 damages limit would be reached?

And if the perps were minors and thus the "value" of a prosecution's 
outcome was not likely to meet the cost of the investigation and of 
bringing the prosecution?  Maybe you'd have to wait five times that 
for your losses to hit a million?

Or more???

The Internet's trust model is fundamentally broken in its current 
implementation as an open, public network.  It always was, actually, 
as its protocols were designed as a system for interconnecting 
equally trusted systems...  At what point (and how) are ISPs and NSPs 
to take what responsibility for not making that clear, up front, to 
their clients?


Regards,

Nick FitzGerald

