On the back of other 'security' posts....

Owen DeLong owen at delong.com
Sun Aug 31 06:51:02 UTC 2003


>
>  Owen DeLong wrote:
>> The ISPs aren't who should be sued.  The people running
>> vulnerable systems generating the DDOS traffic and the
>> company providing the Exploding Pinto should be sued.  An
>> ISPs job is to forward IP traffic on a best effort basis to
>> the destination address contained in the header of the
>> datagram. Any other behavior can be construed as a breach of
>> contract.  Sure, blocking spoofed traffic in the limited
>> cases where it is feasible at the edge would be a good thing,
>> but, I don't see failure to do so as negligent.
>
> In what instances is blocking spoofed traffic at the edge not feasible?
> ("Spoofed" as in not sourced from one of the customer's netblocks.)
>
That depends on your definition of edge, I suppose.  I define it as the
port on one of my routers where the other end of the link is connected
to a machine I don't control.  In those terms, edge filtering makes sense
in some cases and not in others.  If it's a dial-up or T1 customer which is
a single business, it makes sense.  If it's an ISP with a few fortune 500
customers, it doesn't work out as well.

>> Where exactly do you think that the duty to care in this
>> matter would come from for said ISP?
>
> Isn't the edge by far the easiest and most logical place to filter
> spoofed packets?  What are the good reasons not to do so?
>
Again, where "edge" is a single end-customer, yes.  Where edge is simply
the connection of two border routers among ISPs, it's a lot harder
vs. minimal gain.  While I agree that "edge" filtering is good practice
anywhere it makes sense, I still don't think that legislating it through
liability is a good precedent to set.  I'm already far enough off topic
for today that I won't go into the details of the legal slippery slope
it creates.

>> Again, I just don't see where an ISP can or should be held
>> liable for forwarding what appears to be a correctly
>> formatted datagram with a valid destination address.
>
> I guess "correctly formatted" is a relative term.  When *isn't* a packet
> with a spoofed source IP address guaranteed to be illegitimate?  Maybe
> such packets shouldn't be considered "correct".
>
I carefully chose the term "correctly formatted" instead of "valid" for
exactly that reason.  If the datagram contents conform to the RFC definitions
of what an IP datagram should contain and in the correct order and relative
octet positions, then, the packet is a "correctly formatted" packet.
If an ISP has a way to feasibly filter a link for spoofed addresses without
risk of creating false matches, then, it is good practice to do so.  However,
there are many links where this is not feasible.

>> This is the desired behavior and without it, the internet
>> stops working.
>
> The Internet stops working when legitimate packets aren't forwarded.
> Spoofed packets don't fall into this category.
>
Agreed.  However, there are a limited number of places where this distinction
can be reliably made in software.  In those locations, it makes sense to
discard what can reliably be discarded.  More aggressive proposals represent
damage.

>> The problem is systems with consistent and
>> persistent vulnerabilities.  One software company is
>> responsible for most of these, and, that would be the best
>> place to concentrate any litigation aimed at fixing the
>> problem through liquidated damages.
>
> I don't think it's appropriate to point the finger at one entity here.
> Lots of folks can play a part in helping out with this problem.  That
> spoofed packets often originate from compromised hosts running Microsoft
> software doesn't justify ISPs standing around with their hands in their
> pockets if there are reasonably simple measures they can take to prevent
> such packets from ever getting past their edge routers.  If edge
> filtering isn't considered a "reasonably simple" thing to do, I'd like
> to hear the reasons why.
>
I think it is appropriate to point the finger at root cause and focus
resolution on the root cause.  The root cause is a software company which
has systematically engineered vulnerabilities into their software and
aggressively propagated these vulnerabilities to as many systems as they can.

However, that having been said, I'm not saying that ISPs should stand around
with their hands in their pockets.  Where reasonably simple measures which
do not create collateral damage can be taken, they should.  As to edge
filtering, I suspect you are restricting the term to a different definition
of edge than mine.  As such, I think I have explained the parts of the edge
where I consider it unreasonable.

I also think that ISPs should take the relatively simple precaution of
including in their AUP that if the customer starts sending attack
traffic, regardless of reason, the ISP has the right to filter, block,
rate limit, or otherwise disconnect the customer until customer resolves
the issue.  Then, I think ISPs should be more aggressive about actually
doing so.

However, I'm very tired of the idea that everyone else should go to elaborate
lengths to engineer around broken software because it's too popular and too
hard to get it fixed.  At some point, we're going to have to recognize that
broken software (at this level, at least) is unacceptable and as much pressure
as possible to resolve that issue _MUST_ be brought to bear on the responsible
party.  This is inherently the biggest disadvantage to closed-source
software.

Owen
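The distinction the message above draws between a single end-customer port and an inter-ISP border can be made concrete in code.  The following is an added example, not part of Owen's post and not any vendor's implementation: it models a router's forwarding table with Python's standard ipaddress module and runs the same packet through three checks, a static BCP 38 ingress ACL for a single-homed customer link, a strict reverse-path check (the source must be reachable back out the interface the packet arrived on) and a loose reverse-path check (the source must merely be routable somewhere).  All prefixes, interface names (cust1, peer1, peer2) and packets are constructed for illustration from RFC 5737 documentation ranges and RFC 1918 space; the forwarding table deliberately contains a prefix learned via one peer whose traffic arrives over another, the asymmetric case that produces the "false matches" the post refers to.

```python
"""Source-address validation at the edge: static ACL vs strict vs loose
reverse-path checks.  Added example; all data below is constructed."""
import ipaddress
from typing import Optional, Sequence, Tuple

Route = Tuple[ipaddress.IPv4Network, str]   # (prefix, egress interface)

# Constructed forwarding table (assumption, not a real network).
# 'cust1' is a single-homed T1 customer; 'peer1' and 'peer2' are border
# links to two other ISPs.  192.0.2.0/24 is best reached via peer2, but
# packets from it may legitimately arrive on peer1: inter-ISP routing is
# frequently asymmetric.
FIB: Sequence[Route] = (
    (ipaddress.ip_network("203.0.113.0/24"), "cust1"),
    (ipaddress.ip_network("198.51.100.0/24"), "peer1"),
    (ipaddress.ip_network("192.0.2.0/24"), "peer2"),
    (ipaddress.ip_network("0.0.0.0/0"), "peer1"),       # default route
)

# Netblocks each customer port is allowed to source (constructed).
CUSTOMER_PREFIXES = {
    "cust1": (ipaddress.ip_network("203.0.113.0/24"),),
}


def longest_match(fib: Sequence[Route], addr: str) -> Optional[Route]:
    """Return the most specific route covering addr, or None if unrouted."""
    ip = ipaddress.ip_address(addr)
    candidates = [r for r in fib if ip in r[0]]
    return max(candidates, key=lambda r: r[0].prefixlen) if candidates else None


def acl_ingress(iface: str, src: str) -> bool:
    """BCP 38 static filter: a customer port may only source its own netblocks.
    Ports without a configured prefix list (transit peers) get no ACL."""
    ip = ipaddress.ip_address(src)
    return any(ip in p for p in CUSTOMER_PREFIXES.get(iface, ()))


def strict_rpf(fib: Sequence[Route], iface: str, src: str) -> bool:
    """Strict reverse-path check: the best non-default route to src must
    point back out the ingress interface."""
    route = longest_match(fib, src)
    return route is not None and route[0].prefixlen > 0 and route[1] == iface


def loose_rpf(fib: Sequence[Route], src: str) -> bool:
    """Loose reverse-path check: any non-default route to src will do."""
    route = longest_match(fib, src)
    return route is not None and route[0].prefixlen > 0


def evaluate(fib: Sequence[Route], iface: str, src: str) -> dict:
    """Run all three checks on one packet; True means 'forward it'."""
    return {
        "acl": acl_ingress(iface, src),
        "strict": strict_rpf(fib, iface, src),
        "loose": loose_rpf(fib, src),
    }


if __name__ == "__main__":
    # Constructed packets: (ingress interface, source address, description)
    packets = [
        ("cust1", "203.0.113.7", "customer's own address"),
        ("cust1", "198.51.100.9", "customer spoofing another ISP's space"),
        ("peer1", "192.0.2.5", "legitimate but asymmetric: best route is via peer2"),
        ("peer1", "10.0.0.1", "spoofed from unrouted RFC 1918 space"),
        ("peer1", "203.0.113.9", "spoofed from a prefix the FIB does route"),
    ]
    for iface, src, note in packets:
        print(f"{iface:6} {src:14} {evaluate(FIB, iface, src)}  # {note}")
```

Running it shows the trade-off in one table: on the customer port the static ACL and the strict check agree and neither produces a false match, because there is exactly one set of prefixes that may appear.  On the peering port the strict check discards the legitimate asymmetric packet from 192.0.2.5, the loose check keeps it but then also forwards the spoofed 203.0.113.9 and only stops sources with no route at all, which is the "a lot harder vs. minimal gain" situation the post describes.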




More information about the NANOG mailing list