Schneier: ISPs should bear security burden
Dan Hollis
goemon at anime.net
Thu Apr 28 09:07:15 UTC 2005
On Thu, 28 Apr 2005, Iljitsch van Beijnum wrote:
> The problem is that the maliciousness of packets or email is largely
> in the eye of the beholder. How do you propose ISPs determine which
> packets the receiver wants to receive, and which they don't want to
> receive? (At Mpps rates, of course.)
It's not up to the ISP to determine outbound malicious traffic, but it's up
to the ISP to respond in a timely manner to complaints. Many (most?) do not.
> There are many ISPs that do less than they should, though. (Allow
> spoofed sources, don't do anything against hosts that are reported to
> send clearly abusive traffic, sometimes even at DoS rates...)
This is what I mean by the environmental polluter model. Providers who
continually spew sewage and do nothing to shut off attackers under their
domain despite repeated pleas from victims.
A paper by Jeffrey Race - http://www.camblab.com/nugget/spam_03.pdf
was written about the spam problem, but touches on fraud and other
malicious activity. The general attitude in the paper regarding providers'
responses to spam complaints also applies to ddos and other attacks. It's
also interesting to note where Mr. Ebbers is today.
Has the situation gotten better? Maybe at uunet it has since Mr. Ebbers'
"departure", but most other places it appears to only have gotten worse[1].
Bigpond let things get so out of hand that their own network began to
crumble, which is the only time I can think of in recent history that
they've ever taken action to disconnect zombies. You can be certain the
victims on the receiving end of bigpond's zombied customers have little
sympathy for bigpond's situation. Remember, this is the ISP whose abuse@
box auto-deleted complaints for "unacceptable language". When you're so
bad that AOL has to block you[2], you should probably consider cleaning
up your network.
Sadly these official policies of 'do nothing' come from the top, so
engineers and administrators who are in a position to actually take action
against blatant network abuse, are actually explicitly forbidden to take
any action.
So the real question seems to be how to effectively apply a cluebat to
CEOs to get a reasonable abuse policy enforced. Nanog can host all the
meetings it wants and members can write all the RFCs they want, but until
attitudes change at the top, nobody will be allowed to do anything at the
bottom.
-Dan
[1] http://sucs.org/~sits/articles/ntl_dont_care/
[2] http://www.smh.com.au/articles/2003/04/29/1051381931239.html?oneclick=true