Security Incidents mailing list archives

RE: Nimda et.al. versus ISP responsibility


From: woods () weird com (Greg A. Woods)
Date: Thu, 27 Sep 2001 19:41:55 -0400 (EDT)

[ On Thursday, September 27, 2001 at 17:10:50 (-0400), ahoward () noerrors com wrote: ]
Subject: RE: Nimda et.al. versus ISP responsibility

> I think there is a mid-ground wherein all ISPs are responsible
> for both ingress and egress filtering of all traffic on their
> network to ensure it is valid traffic (e.g., making sure that
> customer A cannot inject traffic into the network with a source
> IP that doesn't belong to them...nearly eliminating spoofing)
> but stopping short of scanning payloads of packets.

Come on!  Get real!

Any properly formed IP packet is valid traffic!

You cannot expect ISPs to stay on top of every protocol and every
network application.

The ONLY people responsible here are the operators of vulnerable servers
and the people who release the vulnerable software they use.  Even
though Microsoft have released fixes in these cases, they have not
corrected the flaw in their business which causes them to release buggy
vulnerable software.  Until Microsoft and other software vendors always
put security at the forefront, no matter whether users ask for it or
not, these problems will continue to cause wide-spread harm.

Systems and network security must not be an option and it must not be
off by default.  Customers must not even have to ask for security.
Until software vendors take this position their users, and all of us who
provide related services, will continue to suffer.

> Additionally, ISPs should allow customers to choose filtered
> connections if they wish.  Customers should be able to work
> with ISPs to create traffic shaping rules as to what is and
> is not OK on the pipe they are paying for.

In some cases this is in fact done.  However, very few customers,
especially those on *DSL, cable, or other high-speed connections, are
willing or able to pay for this level of service.

-- 
                                                        Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods () acm org>     <woods () robohack ca>
Planix, Inc. <woods () planix com>;   Secrets of the Weird <woods () weird com>

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

