Negligent companies face DDOS liability

I've been saying this for a long time.

Sooner or later complacent/negligent/lazy/incompetent tier1's are going
to be found liable for DDOS damages.

I expect a flood of panicky RPF deployment as soon as the first lawsuits
hit the courts.


Which Tier1 providers do you expect this to affect? Most DDoS attacks
that have been reported were executed by zombies on "broadband" cable and
DSL Tier2/Tier3 networks, not at the Tier1 level. And the reason these
networks are targeted by crackers is because the users of these networks
are mostly, but not entirely, unsophisticated.

Furthermore, most DDoS attacks boil down to host-based insecurity. Are we
going to see individual box owners held liable for running compromisable
hosts? Will we in turn see companies like Microsoft, SUN, SGI, Linux
Vendors and others held liable for selling insecure operating systems?

I'm all for everyone following some sort of minimum required security
procedures, and have written several minimum network security requirements
for my previous employers. I'm also all for truly negligent network
providers being responsible for attacks initiated from their networks.
But, I am very wary of these standards being decided by a court or
legislature that is largely ignorant of the technical issues involved.
And then there's the trouble of attacks being initiated from sites outside
the US and how they're to be dealt with.

The bottom line: providers at all tiers need to start implementing egress
filtering where possible and start being good net citizens. They also
need to make their security staff available to each other in the event
of an attack. Otherwise, someone is going to implement something like
HIPAA for NSPs. And I don't think NSPs want anything to do with
penalties that come with something like HIPAA.
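The egress filtering and RPF deployment the thread argues for both come down to one check: does the source address of a packet belong where the packet came from? The following is an added example (not code from anyone in this thread) that models a BCP38-style egress filter and a strict unicast RPF check against a small routing table; the interface names and the 192.0.2.0/24 and 203.0.113.0/24 addresses are constructed documentation prefixes, not real networks.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample routing table: customer-facing interfaces and the
# prefixes routed behind each one (hypothetical, documentation addresses).
ROUTES: Dict[str, List[str]] = {
    "cust-cable-1": ["192.0.2.0/25"],
    "cust-dsl-1": ["192.0.2.128/25"],
    "peer-upstream": ["0.0.0.0/0"],   # default route toward the rest of the net
}

# Everything the provider is allowed to originate into the Internet.
OWN_PREFIXES = ["192.0.2.0/24"]


def longest_match(dst: str) -> Optional[str]:
    """Return the interface whose most specific prefix covers dst."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Tuple[int, str]] = None
    for ifname, prefixes in ROUTES.items():
        for p in prefixes:
            net = ipaddress.ip_network(p)
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, ifname)
    return best[1] if best else None


def egress_ok(src: str, own_prefixes: List[str] = OWN_PREFIXES) -> bool:
    """BCP38-style egress filter at the provider edge: a packet may leave
    the network only if its source address is one the provider owns."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in own_prefixes)


def strict_urpf_ok(src: str, ingress_if: str) -> bool:
    """Strict uRPF on a customer-facing interface: the best route back to
    the source must point out the interface the packet arrived on,
    otherwise the source address is spoofed and the packet is dropped."""
    return longest_match(src) == ingress_if


def classify(packets: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Apply strict uRPF to (source, ingress interface) pairs seen on
    customer ports and label each packet forward or drop."""
    return [(src, iface, "forward" if strict_urpf_ok(src, iface) else "drop")
            for src, iface in packets]


# Constructed traffic sample: one legitimate packet per customer port, one
# customer spoofing a neighbour's address, one spoofing an outside address.
SAMPLE = [("192.0.2.10", "cust-cable-1"), ("192.0.2.200", "cust-cable-1"),
          ("192.0.2.130", "cust-dsl-1"), ("203.0.113.5", "cust-dsl-1")]
```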