Security Incidents mailing list archives
Re: ISP Filtering (Survey of Sorts)
From: "Nick FitzGerald" <nick () virus-l demon co uk>
Date: Sat, 2 Jun 2001 12:44:23 +1300
Joe Shaw <jshaw () insync net> wrote:
<<generally accepted/understood stuff snipped>>
The generally accepted model is to filter as close to the edge as possible, and most ISPs that I've dealt with seem to take this to mean it's your responsibility to do so. Remember, the NSP's job is to forward packets to you as fast as possible. Filtering will generally be your responsibility, not theirs. Personally, I'd much rather know what's coming at me so I can trend what people are trying to do against my network. It may be tedious to weed through, but just like Stoll's $.25 accounting discrepancy, something in there might point to something you should be paying attention to.
Sure. As proved "useful" when something happened to grc.com recently, as documented at:

http://grc.com/dos/grcdos.htm

But once you have worked out what's being done, what responsibility should your ISP/NSP take? And for how long? Imagine you were being hit like grc.com (approx 500 machines firing 600+ MB of ping traffic and infinite other UDP rubbish at two T1s), but unlike Steve Gibson, you were unable to SE the perpetrators to stop... How many weeks would your domain have to be off the net before the FBI's (effective) $200,000 damages limit would be reached? And if the perps were minors and thus the "value" of a prosecution's outcome was not likely to meet the cost of the investigation and of bringing the prosecution? Maybe you'd have to wait five times that for your losses to hit a million? Or more???

The Internet's trust model is fundamentally broken in its current implementation as an open, public network. It always was, actually, as its protocols were designed as a system for interconnecting equally trusted systems... At what point (and how) are ISPs and NSPs to take what responsibility for not making that clear, up front, to their clients?

Regards,
Nick FitzGerald