Information Security News mailing list archives

Forum members warn of DDoS legal liability


From: InfoSec News <isn () C4I ORG>
Date: Mon, 2 Oct 2000 02:43:03 -0500

http://www.infoworld.com/articles/hn/xml/00/09/29/000929hnddosliability.xml

Friday, Sep. 29, 2000 2:21 pm PT

By Tim Greene, Network World

ATLANTA -- Corporations and ISPs could be held liable for unwittingly
allowing computers on their networks to become pawns, or "zombie"
machines, in DDoS (distributed denial of service) attacks that harm
customers or other companies.

That was one message from members of a new industry consortium set up
to fight the DDoS threat. The consortium, dubbed the RFC2267-plus
Working Group, unveiled itself at NetWorld+Interop 2000.

"It might not be enough to say they were not aware they could become a
zombie," said Frank Huerta, CEO of Recourse Technologies, one
consortium member. The group takes its name from RFC 2267, the IETF
document on network ingress filtering: routers at a provider's edge
drop packets whose source addresses do not belong to the network they
arrive from, which defeats the source-address spoofing that many DDoS
tools rely on and makes a flood traceable to the networks it really
comes from.

If the group develops a body of accepted safe practices, corporate IS
executives will have to comply or risk liability if their computers
are commandeered to carry out DDoS attacks, consortium members warn.

"Court cases will say, 'You had a reasonable expectation and maybe you
should have been looking for it,' " Huerta said.

Consortium members said that the group is trying to enlist help from
Internet equipment vendors, service providers, and law enforcement
departments, but it also needs help from enterprises linked to the
Internet. Henry Teng, the moderator of RFC2267-plus and a KPMG
consultant, said the group is promoting the sharing of information
about DDoS attacks to help companies develop better strategies to
limit DDoS impact and reduce the chance such attacks will be launched
in the first place.

Representatives from Yahoo and eBay, two Web businesses hit earlier
this year by one of the largest DDoS attacks, said cooperation is
essential, even if it means sharing information about networks with
competitors. "A collaborative approach will make for us, as users and
companies, an Internet that is more reliable, faster, and safer," said
John Zent, manager of risk management at Yahoo.

"This is an industry problem," said Allen Yousefi, information
security officer at eBay. "It's not just a problem for eBay or Yahoo
or Amazon.com. We're big names, so we get the attention."

Although the RFC2267-plus Working Group is pushing for cooperation, it
has no unified set of answers to DDoS attacks yet. But Allen Wilson,
who represented Internet Security Systems at the group's launch,
suggested some practical measures companies can take to avoid DDoS
attacks and being used as a launch pad for such attacks:

Establish a response team that maps out your reaction to attacks.

Audit security of machines in the demilitarized zone between your
firewalls.

Mitigate risks by installing known security software patches and
installing an intrusion-detection system.

Constantly review security; it's a process, not a one-time project.

ISPs are also worried about liability if their networks fail to detect
DDoS traffic and head off the flood before it levels its victim, said
Tom Clare, a senior product manager at Check Point Software
Technologies. That concern could lead to changes in service-level
agreements ISPs are willing to back, Clare added.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".
