How ISPs can defend their customers

The ISP and user communities exemplify what can be accomplished when people work together. Many of the worm and virus outbreaks of the past few years were contained and eliminated only by the unsung cooperation of ISP staffs throughout the world.

In my column, Stopping spoofed packets can cut down on DDoS attacks, I noted that ISPs can prevent forged traffic by taking responsibility for enforcing straightforward rules on traffic that originates from their customers. These rules are safe for the simple reason that traffic should only be entering an ISP's network with valid source and destination addresses.

The cooperation between ISPs has been as exemplary as it has been consensual. The question is not what happens when ISPs cooperate; the truly important question is what happens when they do not. Specifically, what happens when an ISP, particularly an ISP in a different country, ignores or refuses to cooperate to stop abusive traffic? If an overseas ISP will not, or cannot, deal with the user generating the traffic, what actions are possible?

The international transportation and financial trading systems provide real-world models for dealing with correspondents that cannot ensure the integrity of their transactions. In both industries, the intermediary is required to bear responsibility for the integrity of the transaction. Stockbrokers are required to "make good" on stock trades, and if an airline passenger does not have required documentation, the carrier is responsible for returning him to his point of embarkation.

In the case of Internet traffic, the solution to abusive traffic is straightforward. If an ISP passes abusive traffic to its fellow ISPs and refuses to address the problem on an ongoing basis, then perhaps the ISP merits the ultimate imposed solution: disconnection. Disconnection provides a highly specific countermeasure to an ongoing pattern of abusive traffic, which is consistent with today's hierarchical, international Internet. It encourages ISPs to be responsible for responding to reports of problems with usage originating from within their networks. It correctly encourages higher-level ISPs to respond to problems originating with their retail resellers.

There is no reason for the receiving ISP to dissipate its bandwidth and customer resources on attack traffic. Make no mistake, while low-grade abusive traffic might, on a site-by-site basis, be insignificant, it does take up network bandwidth en route and complicates Web site management. It might lack the intensity of a full-scale distributed denial-of-service (DDoS) attack, but in the aggregate it is no less an attack.

Bogus HTTP requests are bogus HTTP requests, regardless of their point of origin. One million bogus requests from 1,000 different sites is a DDoS attack, plain and simple. Spreading out the attack over more sites merely spreads out the pain; the overall damage remains the same.

Requiring all affected end users to deal with such abusive traffic is inefficient, unwieldy and unmanageable. Presenting ISPs with the option of preventing abuse or facing disconnection deals with the problem at its point of origin rather than at its destination, at lower overall cost to the community.

Gezelter is a network security consultant and a contributor to The Computer Security Handbook, 4th Edition. He can be reached via his Web site at

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Now read: Getting grounded in IoT