http://www.hackerwhacker.com/showarticle.dyn?article=http://computerworld.co...

I've been saying this for a long time. Sooner or later complacent/negligent/lazy/incompetent tier1s are going to be found liable for DDOS damages. I expect a flood of panicky RPF deployment as soon as the first lawsuits hit the courts.

-Dan
On Wed, 6 Jun 2001, Dan Hollis wrote:
> http://www.hackerwhacker.com/showarticle.dyn?article=http://computerworld.co...
> Sooner or later complacent/negligent/lazy/incompetent tier1's are going to be found liable for DDOS damages.
Which Tier1 providers do you expect this to affect? Most DDoS attacks that have been reported were executed by zombies on "broadband" cable and DSL Tier2/Tier3 networks, not at the Tier1 level. And the reason these networks are targeted by crackers is because the users of these networks are mostly, but not entirely, unsophisticated.

Furthermore, most DDoS attacks boil down to host-based insecurity. Are we going to see individual box owners held liable for running compromisable hosts? Will we in turn see companies like Microsoft, SUN, SGI, Linux vendors and others held liable for selling insecure operating systems?

I'm all for everyone following some sort of minimum required security procedures, and have written several minimum network security requirements for my previous employers. I'm also all for truly negligent network providers being responsible for attacks initiated from their networks. But I am very wary of these standards being decided by a court or legislature that is largely ignorant of the technical issues involved. And then there's the trouble of attacks being initiated from sites outside the US and how they're to be dealt with.

The bottom line: providers at all tiers need to start implementing egress filtering where possible and start being good net citizens. They also need to make their security staffs available to each other in the event of an attack. Otherwise, someone is going to implement something like HIPAA for NSPs. And I don't think NSPs want anything to do with the penalties that come with something like HIPAA.

-- Joseph W. Shaw II CCNA/Network Security Goon
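The thread refers to "RPF deployment" and "egress filtering" as the fix for spoofed-source DDoS traffic without spelling out what those checks do. The following is an added illustration, not code from either poster, modelling the three checks an NSP can apply: strict unicast RPF at the customer edge, loose uRPF, and a BCP 38 style egress filter at the border. The routing table, provider address space, interface names and sample packets are all constructed for the example (documentation prefixes 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24).

```python
"""Toy model of unicast RPF and BCP 38 egress filtering.

Added illustration (not part of the mailing-list thread): the checks an
NSP applies at the customer edge and border so that packets with forged
source addresses never leave its network.  Every prefix, interface name
and packet below is constructed sample data.
"""
from ipaddress import ip_address, ip_network

# Constructed: which customer prefixes are routed out of which edge
# interface.  A real router consults its FIB; a dict stands in for it.
ROUTING_TABLE = {
    "cust-dsl-1": [ip_network("198.51.100.0/24")],
    "cust-cable-2": [ip_network("203.0.113.0/25")],
    "peer-uplink": [ip_network("0.0.0.0/0")],   # default route toward the core
}

# Constructed: this provider's own aggregates, the only sources the
# border should let out (BCP 38).
PROVIDER_SPACE = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]


def strict_urpf(src, ingress_iface):
    """Accept only if src is routed back out the interface it arrived on.

    This is the edge-port check (Cisco's 'ip verify unicast source
    reachable-via rx').  A default route would match any source, so it is
    ignored here, which mirrors running without the allow-default option."""
    src = ip_address(src)
    for prefix in ROUTING_TABLE.get(ingress_iface, []):
        if prefix.prefixlen == 0:
            continue
        if src in prefix:
            return True
    return False


def loose_urpf(src):
    """Accept if src is routable via any non-default prefix at all.

    Stops bogons and unallocated space, but not a host forging the address
    of another customer of the same provider."""
    src = ip_address(src)
    return any(src in p for prefixes in ROUTING_TABLE.values()
               for p in prefixes if p.prefixlen > 0)


def egress_filter(src):
    """Border check: a packet leaving the AS must carry a source address
    inside the provider's own space."""
    src = ip_address(src)
    return any(src in p for p in PROVIDER_SPACE)


# Constructed sample packets: (source address, ingress interface)
SAMPLE_PACKETS = [
    ("198.51.100.7", "cust-dsl-1"),    # legitimate customer traffic
    ("203.0.113.9", "cust-dsl-1"),     # forging another customer's address
    ("192.0.2.44", "cust-cable-2"),    # forging an address outside the AS
    ("10.0.0.1", "cust-cable-2"),      # private / bogon source
]


def classify(packets=SAMPLE_PACKETS):
    """Return {source: (strict_ok, loose_ok, egress_ok)} for each packet."""
    return {src: (strict_urpf(src, iface), loose_urpf(src), egress_filter(src))
            for src, iface in packets}


if __name__ == "__main__":
    for src, (strict, loose, egress) in classify().items():
        print(f"{src:15} strict={strict!s:5} loose={loose!s:5} egress={egress}")
```

The second sample packet is the instructive one: a source forged from a neighbouring customer's block passes both loose uRPF and the border egress filter, and only the strict check on the customer-facing port rejects it. That is why the filtering has to happen at the edge where the zombies sit, not only at the Tier1 border.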