I completely agree.

On the same note, ISP's need be held liable for not taking a more proactive role in the prevention of mass denial of service efforts, as it is their responsibility to the entire internet community. Proper ingress and egress filtering, flow control, and coordinated traffic anomaly detection and prevention efforts within (and between) ISP's can seriously limit the scale of such attacks. It's just plain stupid that such simple solutions are not taken more seriously. Many ISP's unfortunately are just too damn lazy, irresponsible, or greedy to enforce such restrictions on their customer networks. For crying out loud... how hard is it to apply simple layer 2 / 3 filters and verification systems, people?! (i.e. DHCP Snooping, IP source and destination verification/restrictions, unicast reverse path forwarding, etc.)

ISP's need to enforce strict Service Level Agreements upon their customers, requiring they keep their computers in good "health". At the same time, ISP's also need to enforce strict ACL's that limit the damage their customers face, and in many cases, the damage their customers cause.

The internet community also needs to start standardizing and enforcing the use of mail validation systems currently vailable, i.e. domain keys, SPF records, etc. Yes, this would raise the bar for the "Mom and Pop shop" mail system administrative duties. But that the price we have to pay to have a clean and manageable global messaging community. If a business cannot figure out how to properly set up a mail system, they need to pay for a service that does. Personally... I can care less if I never see their email make it through standardized filters. Good ridance.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/articles/11392/33859#33859