[38546] in North American Network Operators' Group
Re: Negligent companies face DDOS liability
Date: Wed, 6 Jun 2001 21:08:18 -0500 (CDT)
From: Joe Shaw <jshaw@insync.net>
To: Dan Hollis <goemon@anime.net>
Cc: "'nanog@merit.edu'" <nanog@merit.edu>
In-Reply-To: <Pine.LNX.4.30.0106061659160.9063-100000@anime.net>
Message-ID: <Pine.GSO.4.33.0106061913300.6189-100000@vellocet.insync.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu
On Wed, 6 Jun 2001, Dan Hollis wrote:
> http://www.hackerwhacker.com/showarticle.dyn?article=http://computerworld.com/cwi/stories/0,1199,NAV65-663_STO60729,00.html
>
> Sooner or later complacent/negligent/lazy/incompetent tier1's are going
> to be found liable for DDOS damages.
Which Tier1 providers do you expect this to affect?  Most DDoS attacks
that have been reported were executed by zombies on "broadband" cable and
DSL Tier2/Tier3 networks, not at the Tier1 level.  And the reason these
networks are targeted by crackers is because the users of these networks
are mostly, but not entirely, unsophisticated.
Furthermore, most DDoS attacks boil down to host-based insecurity.  Are we
going to see individual box owners held liable for running compromisable
hosts?  Will we in turn see companies like Microsoft, SUN, SGI, Linux
Vendors and others held liable for selling insecure operating systems?
I'm all for everyone following some sort of minimum required security
procedures, and have written several minimum network security requirements
for my previous employers.  I'm also all for truly negligent network
providers being responsible for attacks initiated from their networks.
But, I am very wary of these standards being decided by a court or
legislature that is largely ignorant of the technical issues involved.
And then there's the trouble of attacks being initiated from sites outside
the US and how they're to be dealt with.
The bottom line: providers at all tiers need to start implementing egress
filtering where possible and start being good net citizens.  They also
need to make their security staffs available to each other in the event
of an attack.  Otherwise, someone is going to implement something like
HIPAA for NSPs.  And I don't think NSPs want anything to do with
penalties that come with something like HIPAA.
--
Joseph W. Shaw II
CCNA/Network Security Goon
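The egress filtering the post recommends means a provider drops, at its customer-facing edge, any packet whose source address is not one of the prefixes it actually assigned to that customer, so a compromised host on that access network cannot spoof sources in a DDoS. The following is an added illustration, not code from the post or from any NANOG participant: it evaluates a few constructed NetFlow-style records against a constructed customer prefix list and also emits the equivalent Cisco IOS extended ACL (the ACL number 100 and the prefixes are assumptions chosen for the example).

```python
import ipaddress
from typing import List, NamedTuple, Tuple

# Constructed example: prefixes this provider has assigned to one customer
# access port. Anything leaving that port with another source is spoofed.
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Constructed flow records, "src_ip dst_ip proto bytes", as a collector
# might export them from the customer-facing interface.
SAMPLE_FLOWS = """\
192.0.2.17 203.0.113.9 tcp 1200
198.51.100.5 203.0.113.9 udp 60
10.0.0.1 203.0.113.9 udp 60
203.0.113.200 203.0.113.9 icmp 84
198.51.100.200 203.0.113.9 udp 60
"""


class Flow(NamedTuple):
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    nbytes: int


def parse_flows(text: str) -> List[Flow]:
    """Parse the whitespace-separated flow export into Flow tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, nbytes = line.split()
        flows.append(Flow(ipaddress.ip_address(src),
                          ipaddress.ip_address(dst), proto, int(nbytes)))
    return flows


def is_permitted(src: ipaddress.IPv4Address, prefixes) -> bool:
    """BCP 38-style check: the source must fall inside an assigned prefix."""
    return any(src in prefix for prefix in prefixes)


def filter_egress(flows: List[Flow], prefixes) -> Tuple[List[Flow], List[Flow]]:
    """Split flows into those the edge forwards and those it drops."""
    permitted, dropped = [], []
    for flow in flows:
        (permitted if is_permitted(flow.src, prefixes) else dropped).append(flow)
    return permitted, dropped


def spoofed_sources(text: str, prefixes=CUSTOMER_PREFIXES) -> List[str]:
    """Source addresses the egress filter would have dropped, in order."""
    _, dropped = filter_egress(parse_flows(text), prefixes)
    return [str(flow.src) for flow in dropped]


def to_cisco_acl(prefixes, acl_number: int = 100) -> List[str]:
    """Render the same policy as Cisco IOS extended ACL lines.

    IOS ACLs take a wildcard (inverted) mask, which is the network's hostmask.
    The final deny with 'log' records every spoofed packet for the provider's
    security staff; the ACL number is an assumption for the example.
    """
    lines = [f"access-list {acl_number} permit ip "
             f"{p.network_address} {p.hostmask} any" for p in prefixes]
    lines.append(f"access-list {acl_number} deny ip any any log")
    return lines


if __name__ == "__main__":
    for src in spoofed_sources(SAMPLE_FLOWS):
        print("spoofed source dropped:", src)
    print("\n".join(to_cisco_acl(CUSTOMER_PREFIXES)))
```

Note the last sample flow: 198.51.100.200 sits in the same /24 as the customer's assigned 198.51.100.0/25 but outside it, so a filter built from the real assignment drops it, whereas a sloppier filter on the covering /24 would let it through. That is the kind of detail the post's "where possible" hides, and why the filter has to be generated from the provider's actual allocation data rather than eyeballed.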