Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Negligent companies face DDOS liability

  • From: Joe Shaw
  • Date: Wed Jun 06 22:10:54 2001


On Wed, 6 Jun 2001, Dan Hollis wrote:

> http://www.hackerwhacker.com/showarticle.dyn?article=http://computerworld.com/cwi/stories/0,1199,NAV65-663_STO60729,00.html
>
> Sooner or later complacent/negligent/lazy/incompetent tier1's are going
> to be found liable for DDOS damages.

Which Tier1 providers do you expect this to effect?  Most DDoS attacks
that have been reported were executed by zombies on "broadband" cable and
dsl Tier2/Tier3 networks, not at the Tier1 level.  And the reason these
network are targeted by crackers is because the users of these networks
are mostly, but not entirely, unsophisticated.

Furthermore, most DDoS attacks boil down to host-based insecurity.  Are we
going to see individual box owners held liable for running compromisable
hosts?  Will we in turn see companies like Microsoft, SUN, SGI, Linux
Vendors and others held liable for selling insecure operating systems?

I'm all for everyone following some sort of minimum required security
procedures, and have written several minimum network security requirements
for my previous employers.  I'm also all for truly negligent network
providers being responsible for attacks initiated from their networks.
But, I am very wary of these standards being decided by a court or
legislature that is largely ingorant of the technical issues involved.
And then there's the trouble of attacks being initiated from sites outside
the US and how they're to be dealt with.

The bottom line: providers at all tiers need to start implementing egress
filtering where possible and start being good net citizens.  They also
need to make their security staff's available to each other in the event
of an attack.  Otherwise, someone is going to implement something like
HIPAA for NSP's.  And I don't think NSP's want anything to do with
penalties that come with something like HIPAA.

--
Joseph W. Shaw II
CCNA/Network Security Goon






Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.