Owen DeLong wrote:
The ISPs aren't who should be sued. The people running vulnerable systems generating the DDOS traffic and the company providing the Exploding Pinto should be sued. An ISP's job is to forward IP traffic on a best effort basis to the destination address contained in the header of the datagram. Any other behavior can be construed as a breach of contract. Sure, blocking spoofed traffic in the limited cases where it is feasible at the edge would be a good thing, but, I don't see failure to do so as negligent.
In what instances is blocking spoofed traffic at the edge not feasible? ("Spoofed" as in not sourced from one of the customer's netblocks.)
That depends on your definition of edge, I suppose. I define it as the port on one of my routers where the other end of the link is connected to a machine I don't control. In those terms, edge filtering makes sense in some cases and not in others. If it's a dial-up or T1 customer which is a single business, it makes sense. If it's an ISP with a few fortune 500 customers, it doesn't work out as well.
Where exactly do you think that the duty to care in this matter would come from for said ISP?
Isn't the edge by far the easiest and most logical place to filter spoofed packets? What are the good reasons not to do so?
Again, where "edge" is a single end-customer, yes. Where edge is simply the connection of two border routers among ISPs, it's a lot harder vs. minimal gain. While I agree that "edge" filtering is good practice anywhere it makes sense, I still don't think that legislating it through liability is a good precedent to set. I'm already far enough off topic for today that I won't go into the details of the legal slippery slope it creates.
Again, I just don't see where an ISP can or should be held liable for forwarding what appears to be a correctly formatted datagram with a valid destination address.
I guess "correctly formatted" is a relative term. When *isn't* a packet with a spoofed source IP address guaranteed to be illegitimate? Maybe such packets shouldn't be considered "correct".
I carefully chose the term "correctly formatted" instead of "valid" for exactly that reason. If the datagram contents conform to the RFC definitions of what an IP datagram should contain and in the correct order and relative octet positions, then, the packet is a "correctly formatted" packet. If an ISP has a way to feasibly filter a link for spoofed addresses without risk of creating false matches, then, it is good practice to do so. However, there are many links where this is not feasible.
This is the desired behavior and without it, the internet stops working.
The Internet stops working when legitimate packets aren't forwarded. Spoofed packets don't fall into this category.
Agreed. However, there are a limited number of places where this distinction can be reliably made in software. In those locations, it makes sense to discard what can reliably be discarded. More aggressive proposals represent damage.
The problem is systems with consistent and persistent vulnerabilities. One software company is responsible for most of these, and, that would be the best place to concentrate any litigation aimed at fixing the problem through liquidated damages.
I don't think it's appropriate to point the finger at one entity here. Lots of folks can play a part in helping out with this problem. That spoofed packets often originate from compromised hosts running Microsoft software doesn't justify ISPs standing around with their hands in their pockets if there are reasonably simple measures they can take to prevent such packets from ever getting past their edge routers. If edge filtering isn't considered a "reasonably simple" thing to do, I'd like to hear the reasons why.
I think it is appropriate to point the finger at root cause and focus resolution on the root cause. The root cause is a software company which has systematically engineered vulnerabilities into their software and aggressively propagated these vulnerabilities to as many systems as they can. However, that having been said, I'm not saying that ISPs should stand around with their hands in their pockets. Where reasonably simple measures which do not create collateral damage can be taken, they should. As to edge filtering, I suspect you are restricting the term to a different definition of edge than mine. As such, I think I have explained the parts of the edge where I consider it unreasonable. I also think that ISPs should take the relatively simple precaution of including in their AUP that if the customer starts sending attack traffic, regardless of reason, the ISP has the right to filter, block, rate limit, or otherwise disconnect the customer until the customer resolves the issue. Then, I think ISPs should be more aggressive about actually doing so. However, I'm very tired of the idea that everyone else should go to elaborate lengths to engineer around broken software because it's too popular and too hard to get it fixed. At some point, we're going to have to recognize that broken software (at this level, at least) is unacceptable and as much pressure as possible to resolve that issue _MUST_ be brought to bear on the responsible party. This is inherently the biggest disadvantage to closed-source software.

Owen
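As an added illustration, not part of the thread above, here are the two kinds of "edge" the posters disagree about, in Python: a single-customer link where strictly filtering on the customer's own netblocks is clean, and an ISP-to-ISP link where the same static list wrongly discards a legitimately multi-homed downstream customer, leaving only sources that can never be legitimate as safe to drop. All link names, prefixes and addresses are constructed from RFC 5737 documentation ranges.

```python
import ipaddress

# Constructed example: our own allocation. A packet claiming one of these
# sources but arriving on an external link can never be legitimate.
OUR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]


class EdgeLink:
    """One router port whose far end is a machine or network we do not control."""

    def __init__(self, name, expected_prefixes):
        self.name = name
        self.expected = [ipaddress.ip_network(p) for p in expected_prefixes]

    def strict_spoofed(self, src):
        """Single-customer rule: any source outside the customer's netblocks is spoofed."""
        return not any(src in net for net in self.expected)

    def reliably_spoofed(self, src):
        """Conservative rule: drop only sources that cannot be legitimate on any external link."""
        return (any(src in net for net in OUR_PREFIXES)
                or src.is_unspecified or src.is_loopback
                or src.is_multicast or src.is_reserved)


def filter_packets(link, packets, strict):
    """Split (src, dst) tuples into forwarded and dropped lists under the chosen rule."""
    forwarded, dropped = [], []
    for src, dst in packets:
        addr = ipaddress.ip_address(src)
        spoofed = link.strict_spoofed(addr) if strict else link.reliably_spoofed(addr)
        (dropped if spoofed else forwarded).append((src, dst))
    return forwarded, dropped


def false_positives(link, packets, legitimate_sources):
    """Legitimate packets that a strict filter on this link would wrongly discard."""
    _, dropped = filter_packets(link, packets, strict=True)
    return [p for p in dropped if p[0] in legitimate_sources]


# Constructed links and traffic.
T1_CUSTOMER = EdgeLink("t1-single-business", ["198.51.100.0/24"])
# A downstream ISP: our static list knows its own allocation, but not the prefix of a
# multi-homed customer of theirs whose route we learn via another provider.
PEER_ISP = EdgeLink("peer-isp", ["203.0.113.0/25"])
CUSTOMER_TRAFFIC = [("198.51.100.7", "192.0.2.10"),  # legitimate
                    ("192.0.2.99", "192.0.2.10")]    # spoofed: our own space
PEER_TRAFFIC = [("203.0.113.5", "192.0.2.10"),       # peer ISP's own block
                ("203.0.113.201", "192.0.2.10"),     # multi-homed customer, legitimate
                ("192.0.2.99", "192.0.2.10"),        # spoofed: our own space
                ("127.0.0.1", "192.0.2.10")]         # spoofed: loopback
LEGITIMATE_SOURCES = {"198.51.100.7", "203.0.113.5", "203.0.113.201"}
```

On the T1 link the strict rule has no false matches; on the peer link it discards the multi-homed customer's traffic, while the conservative rule still removes the sources that are provably spoofed.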