Security Incidents mailing list archives

RE: Nimda et.al. versus ISP responsibility


From: ahoward () noerrors com
Date: Thu, 27 Sep 2001 22:13:41 -0400

woods () weird com wrote:
> [ On Thursday, September 27, 2001 at 17:10:50 (-0400),
>   ahoward () noerrors com wrote: ]
> > Subject: RE: Nimda et.al. versus ISP responsibility
> >
> > I think there is a mid-ground wherein all ISPs are responsible
> > for both ingress and egress filtering of all traffic on their
> > network to ensure it is valid traffic (e.g., making sure that
> > customer A cannot inject traffic into the network with a source
> > IP that doesn't belong to them...nearly eliminating spoofing)
> > but stopping short of scanning payloads of packets.
>
> Come on!  Get real!
>
> Any properly formed IP packet is valid traffic!
>
> You cannot expect ISPs to stay on top of every protocol and every
> network application.

Ummm...perhaps you misunderstood.  I just said to filter for proper
packets.  It is not true that a properly formed packet is necessarily
valid traffic.  If my router sends a packet to my ISP with a source
IP address of 10.1.2.3, it is still a properly formed packet, but 
nonetheless invalid.  If my router sends any packet with a source
address other than one in my assigned range, it is invalid.  If my 
router sends any packet with a destination of 255.255.255.255 it 
is invalid...unless we want our ISPs to start propagating broadcasts.

I have had packets hit my router from my ISP with a destination address
of 192.168.x.x...tell me how that makes sense?

I specifically said that an ISP should not be looking at the payload
of the packet.  If the IP packet follows the rules, it gets through.
If it has invalid source or destination IP addresses, it doesn't.  If
it has both SYN and FIN flags set, it doesn't.  (Unless I'm missing 
something that makes that valid...)  Options should exist for further
filtering if a customer is willing to pay for it; otherwise, they get
what they pay for.  But if I'm willing, my ISP should allow me to set
egress rules on their edge router to me.  It only affects me...and I'm
paying for it...why do many ISPs refuse to do this?

I don't expect ISPs to know every application protocol, but they for
damn sure better understand TCP, UDP, ICMP, IGMP, and IP in general.

Otherwise, what in the world are they doing running IP networks?

-Aaron
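The header-only filter Aaron describes, written out as an added example (this is not code from the thread or from any ISP's router): an IPv4/TCP header parser plus the accept/drop rules the post lists, namely drop RFC 1918 and similar bogon addresses as source or destination, drop a 255.255.255.255 destination, drop a customer egress packet whose source is outside the customer's assigned range, and drop TCP segments with both SYN and FIN set, while never reading the payload. The customer prefix 198.51.100.0/24, the bogon list, the ingress rule (a packet arriving from the ISP must be destined to the customer's prefix) and the sample packets are all constructed assumptions using RFC 5737 documentation space.

```python
"""Header-only sanity filter for an ISP customer edge.

Constructed example, not code from the original post.  Assumed customer
assignment: 198.51.100.0/24.  Only IP and TCP *headers* are examined; the
payload is never inspected, which is the distinction the post draws.
"""
import ipaddress
import struct

CUSTOMER_PREFIX = ipaddress.ip_network("198.51.100.0/24")   # assumed assignment

# Address space that must never appear as source or destination on a public link:
# "this" network, RFC 1918 private space, loopback, link-local.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

PROTO_TCP = 6
TCP_FIN = 0x01
TCP_SYN = 0x02


def parse_ipv4(pkt: bytes):
    """Return (src, dst, protocol, layer-4 bytes) from a raw IPv4 packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _ident, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4          # header length in bytes, options included
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, pkt[ihl:]


def tcp_flags(segment: bytes) -> int:
    """Flag byte of a TCP header (byte offset 13); no port or option parsing."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13]


def check_packet(pkt: bytes, direction: str) -> str:
    """Return 'accept' or 'drop: <reason>'.

    direction is 'egress' (customer -> ISP) or 'ingress' (ISP -> customer).
    """
    try:
        src, dst, proto, l4 = parse_ipv4(pkt)
    except ValueError as exc:
        return f"drop: malformed ({exc})"
    if dst == LIMITED_BROADCAST:
        return "drop: limited broadcast destination"
    for net in BOGON_NETS:
        if src in net:
            return f"drop: bogon source {src}"
        if dst in net:
            return f"drop: bogon destination {dst}"
    if direction == "egress" and src not in CUSTOMER_PREFIX:
        return f"drop: spoofed source {src} not in {CUSTOMER_PREFIX}"
    if direction == "ingress" and dst not in CUSTOMER_PREFIX:
        return f"drop: destination {dst} not in {CUSTOMER_PREFIX}"
    if proto == PROTO_TCP:
        try:
            flags = tcp_flags(l4)
        except ValueError as exc:
            return f"drop: malformed ({exc})"
        if flags & TCP_SYN and flags & TCP_FIN:
            return "drop: SYN and FIN both set"
    return "accept"          # payload, whatever it carries, was never looked at


def build_packet(src: str, dst: str, proto: int, flags: int = 0,
                 payload: bytes = b"") -> bytes:
    """Constructed IPv4 (+ minimal TCP) packet for testing; checksums left zero."""
    l4 = b""
    if proto == PROTO_TCP:
        # sport, dport, seq, ack, data offset (5 words) << 4, flags, window, csum, urg
        l4 = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, flags, 65535, 0, 0)
    l4 += payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + l4


if __name__ == "__main__":
    samples = [
        ("egress", build_packet("198.51.100.7", "203.0.113.9", PROTO_TCP, TCP_SYN)),
        ("egress", build_packet("10.1.2.3", "203.0.113.9", PROTO_TCP, TCP_SYN)),
        ("egress", build_packet("203.0.113.5", "203.0.113.9", PROTO_TCP, TCP_SYN)),
        ("egress", build_packet("198.51.100.7", "255.255.255.255", 17)),
        ("ingress", build_packet("203.0.113.9", "192.168.1.1", PROTO_TCP, TCP_SYN)),
        ("egress", build_packet("198.51.100.7", "203.0.113.9", PROTO_TCP, TCP_SYN | TCP_FIN)),
    ]
    for direction, pkt in samples:
        print(f"{direction:7s} {check_packet(pkt, direction)}")
```

Note that a packet carrying an arbitrary HTTP payload from a legitimate customer source is accepted unchanged: the filter's verdict depends on the addresses and TCP flag byte alone, which is exactly the scope the post argues an ISP should own.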


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

