On the back of other 'security' posts....

Terry Baranski tbaranski at mail.com
Sat Aug 30 18:26:14 UTC 2003


Owen DeLong wrote:
> The ISPs aren't who should be sued.  The people running 
> vulnerable systems generating the DDOS traffic and the 
> company providing the Exploding Pinto should be sued.  An 
> ISPs job is to forward IP traffic on a best effort basis to 
> the destination address contained in the header of the 
> datagram. Any other behavior can be construed as a breach of 
> contract.  Sure, blocking spoofed traffic in the limited 
> cases where it is feasible at the edge would be a good thing, 
> but, I don't see failure to do so as negligent.  

In what instances is blocking spoofed traffic at the edge not feasible?
("Spoofed" as in not sourced from one of the customer's netblocks.)

> Where exactly do you think that the duty to care in this 
> matter would come from for said ISP?

Isn't the edge by far the easiest and most logical place to filter
spoofed packets?  What are the good reasons not to do so?    
 
> Again, I just don't see where an ISP can or should be held 
> liable for forwarding what appears to be a correctly 
> formatted datagram with a valid destination address.  

I guess "correctly formatted" is a relative term.  When *isn't* a packet
with a spoofed source IP address guaranteed to be illegitimate?  Maybe
such packets shouldn't be considered "correct".  

> This is the desired behavior and without it, the internet 
> stops working.  

The Internet stops working when legitimate packets aren't forwarded.
Spoofed packets don't fall into this category.

> The problem is systems with consistent and 
> persistent vulnerabilities.  One software company is 
> responsible for most of these, and, that would be the best 
> place to concentrate any litigation aimed at fixing the 
> problem through liquidated damages.

I don't think it's appropriate to point the finger at one entity here.
Lots of folks can play a part in helping out with this problem.  That
spoofed packets often originate from compromised hosts running Microsoft
software doesn't justify ISPs standing around with their hands in their
pockets if there are reasonably simple measures they can take to prevent
such packets from ever getting past their edge routers.  If edge
filtering isn't considered a "reasonably simple" thing to do, I'd like
to hear the reasons why.

-Terry
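The edge filter the thread keeps coming back to, as an added illustration that is not part of the original post or of any ISP's configuration: each customer port is bound to the netblocks assigned to that customer, and a packet is forwarded only if its source address falls inside one of them. The port names, netblocks (documentation ranges) and packets are constructed for the example; the IOS-style ACL rendering is included only to show what the same policy looks like as router configuration.

```python
# Added illustration of the edge (ingress) source-address filter discussed
# in the thread. Hypothetical code; the customer port names, netblocks and
# packets below are constructed for the example.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass
class CustomerPort:
    """An edge router port and the netblocks assigned to the customer behind it."""
    name: str
    netblocks: List[IPv4Network]


class IngressFilter:
    """Strict per-port filter: a packet may only carry a source address that
    lies inside one of the netblocks assigned to the port it arrived on."""

    def __init__(self, ports: List[CustomerPort]) -> None:
        self.ports: Dict[str, CustomerPort] = {p.name: p for p in ports}
        self.forwarded: Dict[str, int] = {p.name: 0 for p in ports}
        self.dropped: Dict[str, int] = {p.name: 0 for p in ports}

    def permits(self, port_name: str, src: str) -> bool:
        """True if src parses as an IPv4 address inside the port's netblocks."""
        port = self.ports[port_name]
        try:
            addr = ip_address(src)
        except ValueError:
            return False  # unparsable source field: never forward
        if not isinstance(addr, IPv4Address):
            return False  # this example only models IPv4 netblocks
        return any(addr in net for net in port.netblocks)

    def process(self, packets: List[Tuple[str, str, str]]):
        """Apply the filter to (port, src, dst) tuples; return a verdict per packet."""
        verdicts = []
        for port_name, src, dst in packets:
            if self.permits(port_name, src):
                self.forwarded[port_name] += 1
                verdicts.append((port_name, src, dst, "forward"))
            else:
                self.dropped[port_name] += 1
                verdicts.append((port_name, src, dst, "drop"))
        return verdicts

    def acl_lines(self, port_name: str) -> List[str]:
        """Render the same policy as IOS-style extended ACL lines (wildcard masks)."""
        lines = []
        for net in self.ports[port_name].netblocks:
            lines.append(f"permit ip {net.network_address} {net.hostmask} any")
        lines.append("deny ip any any log")
        return lines


# Constructed sample configuration using documentation address ranges.
PORTS = [
    CustomerPort("cust-a", [ip_network("192.0.2.0/24")]),
    CustomerPort("cust-b", [ip_network("198.51.100.0/25"),
                            ip_network("198.51.100.128/26")]),
]

# Constructed sample packets: (ingress port, source, destination).
SAMPLE_PACKETS = [
    ("cust-a", "192.0.2.10", "203.0.113.5"),      # legitimate
    ("cust-a", "198.51.100.7", "203.0.113.5"),    # cust-b's space on cust-a: spoofed
    ("cust-a", "10.0.0.1", "203.0.113.5"),        # private source: spoofed
    ("cust-b", "198.51.100.130", "203.0.113.5"),  # legitimate, second block
    ("cust-b", "198.51.100.200", "203.0.113.5"),  # outside both cust-b blocks
    ("cust-b", "not-an-ip", "203.0.113.5"),       # malformed header field
]


def run_example():
    """Run the constructed packets through the filter; return (filter, verdicts)."""
    f = IngressFilter(PORTS)
    verdicts = f.process(SAMPLE_PACKETS)
    return f, verdicts


if __name__ == "__main__":
    flt, results = run_example()
    for v in results:
        print(*v)
    for name in flt.ports:
        print(name, "forwarded", flt.forwarded[name], "dropped", flt.dropped[name])
        print("\n".join(flt.acl_lines(name)))
```

The strict per-port check models the simplest case, a single-homed customer whose only legitimate source addresses are the blocks the ISP assigned. A customer that is multihomed and may legitimately send from space assigned by another provider needs that space added to its permitted list, which is the usual answer to the question of where edge filtering becomes harder.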