North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Destructive botnet originating from California (was Japan)

  • From: Barrett G. Lyon
  • Date: Mon Dec 26 11:23:11 2005

On Dec 25, 2005, at 7:21 PM, Jon Lewis wrote:

On Sun, 25 Dec 2005, Barrett G. Lyon wrote:

I would have sent out a clean list sorted via AS and IP, except I have been working from vacation on GPRS via my 1 bar of service on my cell phone.
What's vacation?

I gather Prolexic isn't a one man shop. Nobody else had a better internet connection and a few minutes to tidy up the data and make the post?
There are special considerations that should be taken while posting public data, so I take responsibility for public postings. Our team makes sure everything else is running usual, in the future I would like to formulate an internal policy and structure that helps us correctly post data on public forums without my involvement.

IANAL either, but if I steal your car and run someone over with it, are you liable? Should you be? Computers are "stolen" or at least commandeered on the internet at an alarming rate because those who do it know that odds are, they won't get caught. And if they are caught, odds are, nothing will happen. And there's apparently considerable profit in the sale of commandeered systems or services provided by them. I doubt you'll get anywhere trying to make an example of someone who's system was hacked or even just "used improperly". I really don't think this problem can be solved by scaring sysadmins or corporations. There will always be security holes.
If they have had notice about the problem and that the problem may damage or cause harm to others then the question is; Did they act as a reasonable service provider? If they failed to act as a reasonable service provider to the compromised machine, then they are negligent.

In your car situation, if you know your car has been stolen, or if you have the ability to prevent it, then you could possibly be negligent. If you left a car with the engine running and the keys in it, and you left it in a grammar school playground and your example happens, you are negligent.

If we contract an ISP and tell them about a machine that is causing harm, and we provide correct documentation, and they choose to do nothing about it. I would say they are a negligent ISP and could be open for litigation.

We have a couple huge bank customers, they refused to use any mitigation methods that involve syn-cookes because of the liability that causes. They were so concerned that a SYN flood would be relayed off a syn-cookie "guard" and be used to attack a competitor as well. Their legal teams refused to take the liability because that case would have had to be settled for a huge sum of money. As a result they looked for solutions that do not use syn-cookes to defend against syn floods.

If an ISP knew they could be found negligent then the community that uses Arbor and other techniques to detect inbound attacks may use it to detect and stop outbound attacks as well. I think it would raise the bar of responsibility and responsiveness. Otherwise, we will just sit and bitch about problems until there is a better protocol than the old one we use now.