On Fri, 11 Jun 2004, David Schwartz wrote:
This will be my last post on this issue.
In this case:
1) Almost certainly the traffic was due to a worm.
2) Almost certainly the ISP knew (or strongly suspected) the traffic was due to a worm.
3) Quite likely, the ISP never carried most of the traffic to its destination. Once they knew it was worm traffic, they were probably filtering by port.
4) The ISP should not have carried the attack traffic, if they actually did. Doing so is negligent and creates additional innocent victims. Maybe they would give their customer a short time to straighten things out, but that's it.
Erm.. Forgive me if this is a repeat posting but from what I've seen of this thread it needs to be stated.

- My ISP provides me with Internet Services.
- I get Authentication, an IP, DNS.
- I get a pipe to the world.
- I pay for my own bandwidth based on the plan the ISP provides me.

If I have a usage limit, and I exceed it due to a worm infection, it's MY problem. No one else's. I'm responsible for the security aspect of my own personal computers.

Note the list of things above. I haven't paid for a managed circuit, with warnings after unusual activity, I haven't paid for a filtering service to filter by port for traffic that might be suspicious... so how is this not cut-and-dried?

The ISP provides me with service, and puts a meter on it, and they bill me by the byte, or whatever - that's the service they're providing, I'm not expecting to be billed for 'certain types of traffic' - I have a pipe, I'm using that pipe, and I pay for what travels down it. Any 'overusage' or unusual spikes in bandwidth usage are mine to handle - that's part of the risk of purchasing this service.

If you want the provider to give you a solution which includes circuit monitoring, content filtering and other such things - then by all means make sure that's specified in the terms of service before you sign the dotted line.

This all seems so simple to me - I simply don't understand how I can blame my ISP when my Windows machine gets a trojan on it and starts spitting out emails - whether 0 day or otherwise, it's my problem, because *I* decided to take the (calculated) risk of putting that box online (in whatever state - current, or not, firewalled or not, etc.).

You can mitigate that risk through various factors - firewalls, Antivirus, WindowsUpdate, Alternative OSs... these all modify or change the risks involved but my ISP hasn't been involved in the calculation of this risk - so how can they be involved in accepting the responsibility for that risk?!?

Mark.

(Apparently I share a name with someone else on NANOG. So I'm not him... and he's not me :))