On Thu, 28 Apr 2005, Iljitsch van Beijnum wrote:
> The problem is that the maliciousness of packets or email is largely in the eye of the beholder. How do you propose ISPs determine which packets the receiver wants to receive, and which they don't want to receive? (At Mpps rates, of course.)
It's not up to the ISP to determine outbound malicious traffic, but it's up to the ISP to respond in a timely manner to complaints. Many (most?) do not.
> There are many ISPs that do less than they should, though. (Allow spoofed sources, don't do anything against hosts that are reported to send clearly abusive traffic, sometimes even at DoS rates...)
This is what I mean by the environmental polluter model. Providers who continually spew sewage and do nothing to shut off attackers under their domain despite repeated pleas from victims.

A paper by Jeffrey Race - http://www.camblab.com/nugget/spam_03.pdf - was written about the spam problem, but touches on fraud and other malicious activity. The general attitude in the paper regarding providers' responses to spam complaints also applies to DDoS and other attacks. It's also interesting to note where Mr. Ebbers is today.

Has the situation gotten better? Maybe at UUNET it has since Mr. Ebbers' "departure", but most other places it appears to only have gotten worse[1]. Bigpond let things get so out of hand that their own network began to crumble, which is the only time I can think of in recent history that they've ever taken action to disconnect zombies. You can be certain the victims on the receiving end of Bigpond's zombied customers have little sympathy for Bigpond's situation. Remember, this is the ISP whose abuse@ box auto-deleted complaints for "unacceptable language". When you're so bad that AOL has to block you[2], you should probably consider cleaning up your network.

Sadly these official policies of 'do nothing' come from the top, so engineers and administrators who are in a position to actually take action against blatant network abuse are actually explicitly forbidden to take any action.

So the real question seems to be how to effectively apply a cluebat to CEOs to get a reasonable abuse policy enforced. NANOG can host all the meetings it wants and members can write all the RFCs they want, but until attitudes change at the top, nobody will be allowed to do anything at the bottom.

-Dan

[1] http://sucs.org/~sits/articles/ntl_dont_care/
[2] http://www.smh.com.au/articles/2003/04/29/1051381931239.html?oneclick=true