RE: On the back of other 'security' posts....

["Christopher L. Morrow" <chris () UU NET>]

On Sat, 30 Aug 2003, Terry Baranski wrote:

>  Owen DeLong wrote:
> > The ISPs aren't who should be sued.  The people running
> > vulnerable systems generating the DDOS traffic and the
> > company providing the Exploding Pinto should be sued.  An
> > ISPs job is to forward IP traffic on a best effort basis to
> > the destination address contained in the header of the
> > datagram. Any other behavior can be construed as a breach of
> > contract.  Sure, blocking spoofed traffic in the limited
> > cases where it is feasible at the edge would be a good thing,
> > but, I don't see failure to do so as negligent.
>
> In what instances is blocking spoofed traffic at the edge not feasible?
> ("Spoofed" as in not sourced from one of the customer's netblocks.)
>
> > Where exactly do you think that the duty to care in this
> > matter would come from for said ISP?
>
> Isn't the edge by far the easiest and most logical place to filter
> spoofed packets?  What are the good reasons not to do so?

As I'v said many times (so have a few others, more now than before) you
have to define the 'edge' first... My definition is: "as close to the end
system as possible". For instance the LAN segment seems like the ideal
place, its where there is the most CPU per packet, with the most simple
routing config and most predictable traffic patterns/requirements.

> such packets from ever getting past their edge routers.  If edge
> filtering isn't considered a "reasonably simple" thing to do, I'd like
> to hear the reasons why.

its not tough, you just have to define the edge in the right way.