nanog mailing list archives

RE: On the back of other 'security' posts....


From: "Terry Baranski" <tbaranski () mail com>
Date: Sat, 30 Aug 2003 14:26:14 -0400


Owen DeLong wrote:
> The ISPs aren't who should be sued.  The people running 
> vulnerable systems generating the DDOS traffic and the 
> company providing the Exploding Pinto should be sued.  An 
> ISPs job is to forward IP traffic on a best effort basis to 
> the destination address contained in the header of the 
> datagram. Any other behavior can be construed as a breach of 
> contract.  Sure, blocking spoofed traffic in the limited 
> cases where it is feasible at the edge would be a good thing, 
> but, I don't see failure to do so as negligent.  

In what instances is blocking spoofed traffic at the edge not feasible?
("Spoofed" as in not sourced from one of the customer's netblocks.)

> Where exactly do you think that the duty to care in this 
> matter would come from for said ISP?

Isn't the edge by far the easiest and most logical place to filter
spoofed packets?  What are the good reasons not to do so?    
 
> Again, I just don't see where an ISP can or should be held 
> liable for forwarding what appears to be a correctly 
> formatted datagram with a valid destination address.  

I guess "correctly formatted" is a relative term.  When *isn't* a packet
with a spoofed source IP address guaranteed to be illegitimate?  Maybe
such packets shouldn't be considered "correct".  

> This is the desired behavior and without it, the internet 
> stops working.  

The Internet stops working when legitimate packets aren't forwarded.
Spoofed packets don't fall into this category.

> The problem is systems with consistent and 
> persistent vulnerabilities.  One software company is 
> responsible for most of these, and, that would be the best 
> place to concentrate any litigation aimed at fixing the 
> problem through liquidated damages.

I don't think it's appropriate to point the finger at one entity here.
Lots of folks can play a part in helping out with this problem.  That
spoofed packets often originate from compromised hosts running Microsoft
software doesn't justify ISPs standing around with their hands in their
pockets if there are reasonably simple measures they can take to prevent
such packets from ever getting past their edge routers.  If edge
filtering isn't considered a "reasonably simple" thing to do, I'd like
to hear the reasons why.

-Terry
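
The edge filter the thread argues over, as an added illustration that is not part of the original post: each customer port forwards only packets sourced from that customer's own netblocks and drops the rest. The interface names, prefixes and packets are constructed sample values, and customer "Serial0/1" is modelled as multihomed with address space from another provider, the case that makes such filters harder to get right.

```python
"""Added example: a BCP 38 style ingress filter at the provider edge.

Drops any packet arriving on a customer port whose source address is not
inside one of the netblocks that customer is entitled to source from.
Everything below is constructed sample data, not taken from the thread.
"""
import ipaddress
from typing import Callable, Iterable, List, Tuple

# Constructed sample: netblocks each customer interface may source traffic from.
# Serial0/1 is a multihomed customer that also legitimately sources packets from
# space assigned by another provider (203.0.113.128/25); if the provider forgets to
# include it, legitimate traffic is dropped, which is the usual feasibility objection.
CUSTOMER_PREFIXES = {
    "Serial0/0": ["192.0.2.0/24"],
    "Serial0/1": ["198.51.100.0/24", "203.0.113.128/25"],
}

Packet = Tuple[str, str]  # (source address, destination address)


def build_filter(prefixes: Iterable[str]) -> Callable[[str], bool]:
    """Return a predicate that is True when a source address lies in any prefix."""
    nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]

    def permitted(src: str) -> bool:
        addr = ipaddress.ip_address(src)
        # Membership across IP versions is simply False, so an IPv6 source on an
        # IPv4-only customer port is dropped rather than raising.
        return any(addr in net for net in nets)

    return permitted


def ingress_filter(interface: str, packets: Iterable[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """Apply the per-interface filter; return (forwarded, dropped) packet lists."""
    permitted = build_filter(CUSTOMER_PREFIXES[interface])
    forwarded: List[Packet] = []
    dropped: List[Packet] = []
    for src, dst in packets:
        (forwarded if permitted(src) else dropped).append((src, dst))
    return forwarded, dropped


if __name__ == "__main__":
    # Constructed sample: one legitimate packet and one with a spoofed source.
    fwd, drop = ingress_filter("Serial0/0", [("192.0.2.10", "10.0.0.1"), ("203.0.113.5", "10.0.0.1")])
    print("forwarded:", fwd)
    print("dropped:", drop)
```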

