nanog mailing list archives
Re: de-peering for security sake
From: "Patrick W. Gilmore" <patrick () ianai net>
Date: Sat, 16 Jan 2016 10:15:06 -0500
On Jan 16, 2016, at 9:53 AM, Rich Kulawiec <rsk () gsp org> wrote:
On Sat, Jan 16, 2016 at 05:43:56AM -0800, Ca By wrote:
I see a great deal of folks on nanog clamoring to buy ddos gear. Packets are starting to become like spam email, where 90% are pure rubbish, and us good guys have to spend a lot of money and time sorting signal from noise.I've said this many times: abuse does not magically fall out of the sky. It comes from hosts, on networks, run by people. It is time -- well past time -- to hold those people *personally* acountable. Not doing so leaves us where we are today: millions -- heck, hundreds of millions -- of dollars are being spent on defenses THAT WOULD NOT BE NECESSARY if those people performed their jobs at a mere baseline level of competence and diligence.
Shared fate systems suck in some ways. But I disagree that “a mere baseline level of competence and diligence” is even close to what is required. Making the owner of the host responsible for an attack -personally- responsible would require every grandma & 6 year old to have insurance before buying a laptop or Xbox. And would bankrupt your favorite startup no matter how smart & competent the first time a zero-day caught them by surprise. Of course, forcing Uncle Bob to call his insurance carrier before buying a smartphone, and having San Hill Road take even greater risks when investing, and giving lawyers yet another vector for frivolous lawsuits, wouldn’t have the slightest effect on the global economy. On the other hand, that 100s of millions of dollars is a rounding error in the wealth & public good created by that same shared fate system. Overall, I think we’re doing well. Before anyone pounces on me, I hate spam, dos, etc. as much as anyone else. (You know how much personal, unpaid time I’ve put into fighting both, Rich.) If we can find the originators of these things, we should hang them by their thumbs and beat them senseless. We should do everything we can to make ISPs implement BCP38, get software vendors to QA better, and educate users to be less, well, idiotic. But I am also pragmatic. Life sucks, it is not fair. But the idea of making either grandma or the network engineer at an ISP or even the CEO of a hosting company personally responsible for things like zero-days or minor errors which can be exploited to the tune of greater than their personal wealth or even their corporate market cap is a recipe for bringing everything to a screeching halt. I kinda like the ride we’re on, bumps and all. Let’s not bring it to a screeching halt. -- TTFN, patrick
Current thread:
- Re: de-peering for security sake Richard Hesse (Jan 02)
- Re: de-peering for security sake Randy Bush (Jan 02)
- <Possible follow-ups>
- Re: de-peering for security sake Rich Kulawiec (Jan 16)
- Re: de-peering for security sake Ca By (Jan 16)
- Re: de-peering for security sake Mike Hammett (Jan 16)
- Re: de-peering for security sake Rich Kulawiec (Jan 16)
- Re: de-peering for security sake Patrick W. Gilmore (Jan 16)
- Re: de-peering for security sake Ca By (Jan 16)
- Re: de-peering for security sake Owen DeLong (Jan 16)
- Re: de-peering for security sake Valdis . Kletnieks (Jan 16)
- Re: de-peering for security sake bzs (Jan 17)
- Re: de-peering for security sake Dan Hollis (Jan 17)
- Re: de-peering for security sake Ca By (Jan 17)
- Re: de-peering for security sake bzs (Jan 17)
- Re: de-peering for security sake Doug Barton (Jan 17)
- Re: de-peering for security sake Dan Hollis (Jan 17)
- Re: de-peering for security sake bzs (Jan 17)
- Re: de-peering for security sake Ca By (Jan 16)