Information Security News mailing list archives
Forum members warn of DDoS legal liability
From: InfoSec News <isn () C4I ORG>
Date: Mon, 2 Oct 2000 02:43:03 -0500
http://www.infoworld.com/articles/hn/xml/00/09/29/000929hnddosliability.xml

Friday, Sep. 29, 2000 2:21 pm PT
By Tim Greene, Network World

ATLANTA -- Corporations and ISPs could be held liable for unwittingly allowing computers on their networks to become pawns, or "zombie" machines, in DDoS (distributed denial of service) attacks that harm customers or other companies. That was one message from members of a new industry consortium set up to fight the DDoS threat. The consortium, dubbed the RFC2267-plus Working Group, unveiled itself at NetWorld+Interop 2000.

"It might not be enough to say they were not aware they could become a zombie," said Frank Huerta, CEO of Recourse Technologies, one consortium member.

The group gets its name from RFC 2267, the network ingress filtering document that has routers drop packets whose source addresses could not legitimately have arrived on the interface they came in on. Applied widely, that filtering helps thwart the spoofed-source floods many DDoS attacks rely on.

If the group develops a body of accepted safe practices, corporate IS executives will have to comply or risk liability if their computers are commandeered to carry out DDoS attacks, consortium members warn. "Court cases will say, 'You had a reasonable expectation and maybe you should have been looking for it,'" Huerta said.

Consortium members said the group is trying to enlist help from Internet equipment vendors, service providers, and law enforcement agencies, but it also needs help from enterprises linked to the Internet. Henry Teng, the moderator of RFC2267-plus and a KPMG consultant, said the group is promoting the sharing of information about DDoS attacks to help companies develop better strategies to limit DDoS impact and reduce the chance such attacks will be launched in the first place.

Representatives from Yahoo and eBay, two Web businesses hit earlier this year by one of the largest DDoS attacks, said cooperation is essential, even if it means sharing information about networks with competitors.
"A collaborative approach will make for us, as users and companies, an Internet that is more reliable, faster, and safer," said John Zent, manager of risk management at Yahoo.

"This is an industry problem," said Allen Yousefi, information security officer at eBay. "It's not just a problem for eBay or Yahoo or Amazon.com. We're big names, so we get the attention."

Although the RFC2267-plus Working Group is pushing for cooperation, it has no unified set of answers to DDoS attacks yet. But Allen Wilson, who represented Internet Security Systems (ISS) at the group's launch, suggested some practical measures companies can take to reduce their exposure to DDoS attacks and to avoid being used as a launch pad for them:

- Establish a response team that maps out your reaction to attacks.
- Audit the security of machines in the demilitarized zone between your firewalls.
- Mitigate risks by installing known security software patches and installing an intrusion-detection system.
- Constantly review security; it's a process, not a one-time project.

ISPs are also worried about liability if their networks fail to detect DDoS traffic and head off the flood before it levels its victim, said Tom Clare, a senior product manager at Check Point Software Technologies. That concern could lead to changes in the service-level agreements ISPs are willing to back, Clare added.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".
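The article names RFC 2267 filtering and "not being used as a launch pad" without showing what the check actually is, so here is an added example (not code from the InfoWorld article, the working group, or any vendor quoted above). It implements the RFC 2267 rule in Python: an edge router keeps, per customer-facing interface, the prefixes that customer may source traffic from, and drops anything else. The interface names, prefixes, and packets are constructed for illustration; the report function at the end is the author's own addition, standing in for the feed an intrusion-detection system or response team would consume.

```python
# Added example: a minimal RFC 2267-style ingress filter.
# Interface names, prefixes and packets are constructed, not from the article.
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str     # source IP address as written in the header
    dst: str


class IngressFilter:
    """Drop packets whose source address could not legitimately have
    arrived on the interface they came in on (the RFC 2267 rule)."""

    def __init__(self, allowed_prefixes):
        # iface -> list of networks permitted to source traffic on it
        self._table = {
            iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in allowed_prefixes.items()
        }

    def permits(self, pkt):
        prefixes = self._table.get(pkt.iface)
        if prefixes is None:
            return False          # no policy for this interface: fail closed
        try:
            src = ipaddress.ip_address(pkt.src)
        except ValueError:
            return False          # malformed source address: drop
        # A real customer prefix seen on the wrong interface is still spoofed;
        # an IPv6 source never matches an IPv4 prefix (and vice versa).
        return any(src in net for net in prefixes)

    def run(self, packets):
        passed, dropped = [], []
        for pkt in packets:
            (passed if self.permits(pkt) else dropped).append(pkt)
        return passed, dropped


def spoof_report(dropped):
    """Drops per interface: a spike on one customer port is the signal that
    a host behind it has likely become a zombie and a response team should act."""
    return dict(Counter(pkt.iface for pkt in dropped))


# Constructed policy: which prefixes each customer port may source.
POLICY = {
    "cust-A": ["204.69.207.0/24"],
    "cust-B": ["198.51.100.0/24", "2001:db8:b::/48"],
}

# Constructed sample of packets arriving at the provider edge.
SAMPLE = [
    Packet("cust-A", "204.69.207.17", "203.0.113.5"),    # legitimate
    Packet("cust-A", "192.0.2.77", "203.0.113.5"),       # spoofed source
    Packet("cust-B", "2001:db8:b::1", "2001:db8:f::9"),  # legitimate IPv6
    Packet("cust-B", "204.69.207.17", "203.0.113.5"),    # A's prefix on B's port
    Packet("cust-B", "10.0.0.5", "203.0.113.5"),         # private source
    Packet("unknown0", "198.51.100.3", "203.0.113.5"),   # no policy: drop
]


def filter_sample():
    """Run the constructed sample through the constructed policy."""
    return IngressFilter(POLICY).run(SAMPLE)


if __name__ == "__main__":
    passed, dropped = filter_sample()
    for pkt in dropped:
        print(f"DROP {pkt.iface} src={pkt.src} dst={pkt.dst}")
    print("drops per interface:", spoof_report(dropped))
```

The same table, run on a corporate border router with the inside interfaces as keys and the company's own prefixes as values, is egress filtering: a compromised internal host can still flood, but only with its real source address, which makes the attack traceable and removes the "we did not know it was a zombie" defence the article says courts may not accept. Note the limit of the technique: it only stops spoofed sources, so a flood of correctly addressed packets from many zombies passes unchanged.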