RE: Nimda et.al. versus ISP responsibility

From: ahowardat_private
Date: Thu Sep 27 2001 - 19:13:41 PDT


    woodsat_private wrote:
    > [ On Thursday, September 27, 2001 at 17:10:50 (-0400),
    > ahowardat_private wrote: ]
    > > Subject: RE: Nimda et.al. versus ISP responsibility
    > >
    > > I think there is a mid-ground wherein all ISPs are responsible
    > > for both ingress and egress filtering of all traffic on their
    > > network to ensure it is valid traffic (e.g., making sure that 
    > > customer A cannot inject traffic into the network with a source
    > > IP that doesn't belong to them...nearly eliminating spoofing) 
    > > but stopping short of scanning payloads of packets.
    >
    > Come on!  Get real!
    >
    > Any properly formed IP packet is valid traffic!
    >
    > You cannot expect ISPs to stay on top of every protocol and every
    > network application.
    
    Ummm...perhaps you misunderstood.  I just said to filter for proper
    packets.  It is not true that a properly formed packet is necessarily
    valid traffic.  If my router sends a packet to my ISP with a source
    IP address of 10.1.2.3, it is still a properly formed packet, but 
    nonetheless invalid.  If my router sends any packet with a source
    address other than one in my assigned range, it is invalid.  If my 
    router sends any packet with a destination of 255.255.255.255 it 
    is invalid...unless we want our ISPs to start propagating broadcasts.
    
    I have had packets hit my router from my ISP with a destination address
    of 192.168.x.x...tell me how that makes sense?
    
    I specifically said that an ISP should not be looking at the payload
    of the packet.  If the IP packet follows the rules, it gets through.
    If it has invalid source or destination IP addresses, it doesn't.  If
    it has both SYN and FIN flag set, it doesn't.  (Unless I'm missing 
    something that makes that valid...)  Options should exist for further
    filtering if a customer is willing to pay for it; otherwise, they get
    what they pay for.  But if I'm willing, my ISP should allow me to set
    egress rules on their edge router to me.  It only affects me...and I'm
    paying for it...why do many ISPs refuse to do this?
    
    I don't expect ISPs to know every application protocol, but they for
    damn sure better understand TCP, UDP, ICMP, IGMP, and IP in general.
    
    Otherwise, what in the world are they doing running IP networks?
    
    -Aaron
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
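The header-only edge filter Aaron describes (source must belong to the customer's assigned range, no RFC 1918 or limited-broadcast addresses in either direction, no TCP segment with SYN and FIN both set) is small enough to write down. The block below is an added example, not code from the post or from any ISP's router configuration. It assumes a constructed customer prefix 203.0.113.0/29 (documentation space, RFC 5737), a minimal `Packet` record holding only the header fields the rules need, and two made-up direction labels, `from_customer` and `to_customer`, for the two sides of the customer link. The source-address check in the `from_customer` direction is the ingress filtering of BCP 38 (RFC 2827); no payload is examined anywhere.

```python
"""
Header-only edge-filter rules for a customer-facing ISP router.
Added example; not code from the original list post. Packet fields, the
assigned prefix 203.0.113.0/29 (RFC 5737 documentation space) and the
direction labels are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Tuple

# RFC 1918 private space and the limited-broadcast address: neither belongs
# on the ISP backbone in either direction, so both are rejected from the IP
# header alone.
PRIVATE = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]
LIMITED_BROADCAST = ip_address("255.255.255.255")

# TCP flag bits as laid out in the 13th byte of the TCP header.
TCP_FIN = 0x01
TCP_SYN = 0x02


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp", "icmp", ...
    tcp_flags: int = 0  # only meaningful when proto == "tcp"


def _in_any(addr, nets) -> bool:
    return any(addr in net for net in nets)


def classify(pkt: Packet, assigned: Iterable[str], direction: str) -> Tuple[str, str]:
    """Return ("pass", "") or ("drop", reason) for one packet.

    direction is "from_customer" (packet arriving on the customer link,
    the BCP 38 ingress case) or "to_customer" (packet the ISP is about to
    hand to the customer).  Only IP header fields and TCP flags are read.
    """
    src = ip_address(pkt.src)
    dst = ip_address(pkt.dst)
    nets = [ip_network(n) for n in assigned]

    if dst == LIMITED_BROADCAST:
        return ("drop", "destination is limited broadcast 255.255.255.255")
    if _in_any(dst, PRIVATE):
        return ("drop", f"destination {dst} is RFC 1918 private space")
    if _in_any(src, PRIVATE):
        return ("drop", f"source {src} is RFC 1918 private space")

    if direction == "from_customer":
        # BCP 38: a customer may only emit packets sourced from its own range.
        if not _in_any(src, nets):
            return ("drop", f"source {src} not in customer's assigned range")
    elif direction == "to_customer":
        # Nothing should leave the ISP toward this link unless it is for
        # an address the customer actually holds.
        if not _in_any(dst, nets):
            return ("drop", f"destination {dst} not in customer's assigned range")
    else:
        raise ValueError(f"unknown direction {direction!r}")

    if pkt.proto == "tcp" and pkt.tcp_flags & (TCP_SYN | TCP_FIN) == (TCP_SYN | TCP_FIN):
        return ("drop", "TCP segment has both SYN and FIN set")

    return ("pass", "")


# Constructed sample traffic, one packet per rule.
ASSIGNED = ["203.0.113.0/29"]
SAMPLES = [
    ("from_customer", Packet("203.0.113.2", "198.51.100.7", "tcp", TCP_SYN)),
    ("from_customer", Packet("10.1.2.3", "198.51.100.7", "udp")),
    ("from_customer", Packet("198.51.100.9", "198.51.100.7", "udp")),
    ("from_customer", Packet("203.0.113.2", "255.255.255.255", "udp")),
    ("from_customer", Packet("203.0.113.2", "198.51.100.7", "tcp", TCP_SYN | TCP_FIN)),
    ("to_customer", Packet("198.51.100.7", "192.168.1.1", "icmp")),
    ("to_customer", Packet("198.51.100.7", "203.0.113.3", "icmp")),
]


def run_samples():
    """Classify every constructed sample; returns a list of verdict strings."""
    return [classify(pkt, ASSIGNED, direction)[0] for direction, pkt in SAMPLES]


if __name__ == "__main__":
    for direction, pkt in SAMPLES:
        verdict, reason = classify(pkt, ASSIGNED, direction)
        print(f"{direction:14} {pkt.src:>15} -> {pkt.dst:<15} {verdict:4} {reason}")
```

The rule order matters only for the reason string: a packet sourced from 10.1.2.3 fails both the private-space and the assigned-range checks, and the filter reports the first one it hits. Extending the private-space list with the remaining bogon ranges is a one-line change per range; that is the whole point of keeping the decision in the IP and TCP headers, where the ISP already has to understand the protocol.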
    



    This archive was generated by hypermail 2b30 : Thu Sep 27 2001 - 19:16:51 PDT