IP: Re: Recent Internet Attacks and Critical Infrastructure Protection

[Dave Farber <farber () cis upenn edu>]

> To: farber () cis upenn edu
> Subject: Re: IP: Recent Internet Attacks and Critical Infrastructure 
> Protection
> From: "Perry E. Metzger" <perry () piermont com>
> Date: 11 Feb 2000 18:14:28 -0500
>
>
>
> BTW, re: the recent spate of Internet attacks:
>
> A core problem no one is talking about is the continuing negligence of
> many, if not most, ISPs in deploying ingress filtering to block
> packets with forged source addresses as they enter the network.
>
> Were it not for this negligence, attempts at flood based attacks would
> be trivial to trace to their sources and would be easily
> blocked. Because ISPs frequently do not do the needed filtering,
> however, it is easy to inject packets with forged source addresses
> into the network. None of the attacks of the last few days would have
> been practical if the subverted systems used to launch the attacks had
> been behind such ingress filters.
>
> Since ingress filtering is done only on the periphery of a network, it
> is actually quite practical for an ISP to do -- large scale backbone
> routers need not be involved, and even fairly high bandwidth clients
> can be filtered with equipment available today.
>
> Given the current trends at ISPs, I am fearful that the only thing
> that will get this situation to change in the near term is a spate of
> negligence lawsuits by large companies aimed at ISPs that fail to
> filter their customer networks, resulting in successful attacks from
> said networks. An argument could be made that ISPs have a reasonable
> duty to block forged traffic, given how much harm it can cause in the
> network. I hate to see "social change through lawsuits" because once
> the lawyers are launched there often are no recall codes, but I don't
> see what else will work at this point.
>
> Perry