If they sell routing services, they must only route for source addresses they control. They are not looking at the content of the packets but at the envelope (headers). This is where they, like other common carriers, are responsible. When a telephone company sets up a long distance call, it is responsible that the Caller ID is either correct or blank. But they can't let it be for an exchange that they don't run. If the ISP allows non-standard practices (and now with RFC, egress filtering is recommended standard), then it is responsible for illegal use of its practices. To be covered by common-carrier laws, one has to follow standard common carrier protocols. -----Original Message----- From: firewalls-owner@Lists.GNAC.NET [mailto:firewalls-owner@Lists.GNAC.NET]On Behalf Of Paul D. Robertson Sent: Friday, June 08, 2001 20:06 To: Bill_Royds@pch.gc.ca Cc: dgillett@deepforest.org; firewalls@Lists.GNAC.NET Subject: RE: This is a must read document. It will freak you out On Fri, 8 Jun 2001 Bill_Royds@pch.gc.ca wrote: > When the fist ISP looses a $10 million lawsuit becuase it didn't do egrees > filtering and its servers were used for a DDoS attack, then egress filtering > will become standard. > But who is willing to start the suit? That's actually a difficult suit to try to bring: 1. Most ISPs aren't the one with server problems, their customers are, so that's not the transit provider's fault. 2. While the "Common Carrier" status hasn't been fully fleshed out, anything *other* than CC status for ISPs will make them lawsuit central, and that's so dangerous a precedent that it'd kill most Tier-2 providers. 3. If the originating ISP isn't your ISP, then they're simply handing frames to your ISP, who's the one responsible for delivering them to you. Since that's what you contracted for, and the ISP isn't the cause of the traffic, it's a difficult one to win. The attacker is the guilty party here, and blaming the victim might seem fun- but "she was asking for it, she was wearing a short patch kit" doesn't sit well with me. The first time anyone gets a good civil judgement against somone for not securing their servers, all the ambulance chasers will become packet chasers. I doubt many of us will be out celebrating after that happens. Now, sue the people causing the attacks in civil court for attacking innoncent victims, and you've got a precedent I can live with. If instead of getting chatty with them trying to play supersleuth, Gibson had fired up a lawyer with a couple of subpoenas and gotten the kids and their parents into a courtroom his story would have been more compelling. By this time, surely he can show losses and interruption of interstate commerce enough to have even gotten the Feds to help out. Paul ----------------------------------------------------------------------------- - [To unsubscribe, send mail to majordomo@lists.gnac.net with "unsubscribe firewalls" in the body of the message.]