nanog mailing list archives
RE: On the back of other 'security' posts....
From: "Christopher L. Morrow" <chris () UU NET>
Date: Sat, 30 Aug 2003 22:06:41 +0000 (GMT)
On Sat, 30 Aug 2003, Terry Baranski wrote:
Owen DeLong wrote:

The ISPs aren't who should be sued. The people running vulnerable systems generating the DDOS traffic and the company providing the Exploding Pinto should be sued. An ISP's job is to forward IP traffic on a best effort basis to the destination address contained in the header of the datagram. Any other behavior can be construed as a breach of contract. Sure, blocking spoofed traffic in the limited cases where it is feasible at the edge would be a good thing, but, I don't see failure to do so as negligent.

In what instances is blocking spoofed traffic at the edge not feasible? ("Spoofed" as in not sourced from one of the customer's netblocks.)

Where exactly do you think that the duty to care in this matter would come from for said ISP?

Isn't the edge by far the easiest and most logical place to filter spoofed packets? What are the good reasons not to do so?
As I've said many times (so have a few others, more now than before) you have to define the 'edge' first... My definition is: "as close to the end system as possible". For instance the LAN segment seems like the ideal place, it's where there is the most CPU per packet, with the most simple routing config and most predictable traffic patterns/requirements.
such packets from ever getting past their edge routers. If edge filtering isn't considered a "reasonably simple" thing to do, I'd like to hear the reasons why.
it's not tough, you just have to define the edge in the right way.
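
Added example, not part of the original message: the source check discussed in this thread ("not sourced from one of the customer's netblocks"), applied per LAN segment so that an address valid on one segment is still dropped when it arrives on another. Interface names, prefixes and packets are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed data: netblocks assigned to each customer-facing LAN interface.
# Interface names are hypothetical; prefixes are documentation ranges.
CUSTOMER_NETBLOCKS = {
    "lan0": ["192.0.2.0/25"],
    "lan1": ["198.51.100.0/24", "2001:db8:1::/48"],
}

def build_filters(netblocks):
    """Parse the per-interface prefix lists once, up front."""
    return {ifname: [ipaddress.ip_network(p) for p in prefixes]
            for ifname, prefixes in netblocks.items()}

def permit_source(filters, ifname, src):
    """True if src lies inside a netblock assigned to the ingress interface."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source address: drop
    # An IPv4 address tested against an IPv6 prefix (or vice versa) is False.
    return any(addr in net for net in filters.get(ifname, []))

def filter_ingress(filters, packets):
    """Split packets into forwarded and dropped; count drops per interface."""
    forwarded, drops = [], Counter()
    for ifname, src, dst in packets:
        if permit_source(filters, ifname, src):
            forwarded.append((ifname, src, dst))
        else:
            drops[ifname] += 1
    return forwarded, drops

# Constructed sample traffic: (ingress interface, source, destination)
SAMPLE = [
    ("lan0", "192.0.2.10", "203.0.113.5"),            # inside lan0's /25
    ("lan0", "192.0.2.200", "203.0.113.5"),           # outside the /25
    ("lan1", "198.51.100.7", "203.0.113.5"),          # inside lan1's /24
    ("lan1", "192.0.2.10", "203.0.113.5"),            # lan0's address on lan1
    ("lan1", "2001:db8:1::42", "2001:db8:ffff::1"),   # inside lan1's /48
    ("lan1", "10.0.0.1", "203.0.113.5"),              # not a customer netblock
]

if __name__ == "__main__":
    fwd, drops = filter_ingress(build_filters(CUSTOMER_NETBLOCKS), SAMPLE)
    print(len(fwd), "forwarded; drops per interface:", dict(drops))
```

A filter placed one hop further upstream with all three prefixes in a single list would forward the fourth packet, which is the practical difference the choice of "edge" makes.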