RE: Nimda et.al. versus ISP responsibility

From: ahoward@noerrors.com
Date: 09/27/01


Date: Thu, 27 Sep 2001 17:10:50 -0400
Message-Id: <H000006800140c75.1001625049.mail@MHS>
Subject: RE: Nimda et.al. versus ISP responsibility
From: ahoward@noerrors.com
To: incidents@securityfocus.com


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MMorell@vdat.com wrote:
>
> Now, the question posed is, should the ISPs be responsible
> for policing hosts on their networks?
>
> The answer is clearly No. This goes against everything the
> net stands for.
>

I think there is a mid-ground wherein all ISPs are responsible
for both ingress and egress filtering of all traffic on their
network to ensure it is valid traffic (e.g., making sure that
customer A cannot inject traffic into the network with a source
IP that doesn't belong to them...nearly eliminating spoofing)
but stopping short of scanning payloads of packets.

Additionally, ISPs should allow customers to choose filtered
connections if they wish. Customers should be able to work
with ISPs to create traffic shaping rules as to what is and
is not OK on the pipe they are paying for.

Of course, individuals should be responsible for their own
servers but if they are not, ISPs should be allowed to bill
them for the extra bandwidth they're wasting and labor they're
causing the ISP to expend to deal with their negligence.

> If they refuse to do anything about it or to reply back and I
> still see activity, I will either block that host or subnet
> if necessary.
>

But if you block it at your edge router, it still wastes the
bandwidth coming to you from your ISP. You should not have to
pay for viruses that waste your bandwidth. An ISP should honor
requests of its customers to insert egress filters into their
edge routers so your router will never see the traffic.

=
Aaron P. Howard
CCNA, RHCE, CNE, MCSE

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (MingW32) - WinPT 0.4.0
Comment: For info see http://www.gnupg.org

iD8DBQE7s5aTNntqA0cOAPwRAsCTAJ9QDvXe6ySva5PPReckIUp8R6x5IQCcDxA+
E96hzUt/vSIUHwCRH/azBIE=
=aTib
-----END PGP SIGNATURE-----

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
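
The source-address check described in the message above (a customer port may only inject packets whose source IP lies in the prefixes assigned to that customer, and traffic leaving the ISP must carry a source inside the ISP's own address space), as an added example that is not part of the original post. The port names, prefix tables and sample packets are constructed and use documentation address ranges.

```python
import ipaddress
from collections import Counter

# Constructed data: customer-facing ports and the prefixes assigned to each.
CUSTOMER_PREFIXES = {
    "port-a": ["192.0.2.0/25"],
    "port-b": ["192.0.2.128/25", "198.51.100.0/24"],
}
# Constructed data: the address space the ISP itself originates.
ISP_AGGREGATES = ["192.0.2.0/24", "198.51.100.0/24"]


def _in_any(src, prefixes):
    """True if src parses as an IP address and falls inside one of the prefixes."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # a malformed source never matches a prefix
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def ingress_permit(port, src):
    """Customer edge: the source must belong to the customer on that port."""
    return _in_any(src, CUSTOMER_PREFIXES.get(port, []))


def egress_permit(src):
    """Upstream edge: the source must lie inside the ISP's own aggregates."""
    return _in_any(src, ISP_AGGREGATES)


def dropped_by_port(packets):
    """Count ingress drops per port; a high count points at a spoofing host."""
    return dict(Counter(port for port, src in packets
                        if not ingress_permit(port, src)))


# Constructed sample traffic: (arrival port, claimed source address).
SAMPLE_PACKETS = [
    ("port-a", "192.0.2.10"),    # customer A's own address
    ("port-a", "192.0.2.200"),   # customer B's address arriving on A's port
    ("port-a", "10.1.2.3"),      # private address, assigned to nobody here
    ("port-b", "198.51.100.7"),  # customer B's own address
    ("port-b", "not-an-ip"),     # malformed source
    ("port-c", "192.0.2.10"),    # port with no assignment on record
]

if __name__ == "__main__":
    for port, src in SAMPLE_PACKETS:
        print(port, src, "forward" if ingress_permit(port, src) else "drop")
    print(dropped_by_port(SAMPLE_PACKETS))
```

Neither check looks at packet payloads, which matches the line the message draws between validating addresses and scanning content.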


