Regulating Away DDoS Attacks?
November 27th, 2006, by Kevin McTiernan
At the Blocking Denial of Service Attacks on the Internet conference held earlier this month in London, leading Internet lawyer, Lilian Edwards, argued that ISPs should be held financially responsible for DDoS attacks carried out via their networks. Edwards, a published author and authority on legal issues of the Internet, believes that ISPs should be legally required by their government to prevent DDoS attacks.
Edwards’ argument has merit. In my opinion, it is similar to holding parents accountable for their children’s actions, or penalizing a television network for violating indecency standards. In these cases, it is not the child or the program’s producers that are penalized; it is the party that should be providing oversight. In fact, many telecommunications regulations exist today that result in penalties or fines if violated. Examples include number portability, E-911 and CALEA.
I do have some problems with the argument, however. The first problem is that the bots or zombie computers that launch the attacks are not found only on ISP networks. The malware that recruits them looks for any vulnerable system, and finds such systems on ISPs as well as in enterprises, hosting facilities, cyber cafés and metro WiFi networks. Think back to 2003 and the Slammer worm - remember the story about the Ohio nuclear plant and how the worm got in? My point is that if you limit the requirement to ISPs, many more vulnerable systems remain that must be addressed. Extending the regulation to enterprises, cyber cafés and metro WiFi networks may cause access to be limited or not offered at all.
The second problem with the argument is that of governance of the Internet. While phishing scams can be investigated and broken up in countries where regulation is present and a judicial system will prosecute such crimes, many parts of the world have no such standards and the scams go untouched. In those same parts of the world, the bot code is written, the DDoS attacks are launched and the damage is done - the double-edged sword of the Internet is that it is available anywhere. Requiring an ISP to spot a local, vulnerable system in the UK or the US may not prevent an attack that is executed from Kenya, for example.
The third problem is that carriers are effectively prevented from controlling traffic on their networks. While the prohibition against such “blocking” or “rate limiting” currently takes the form of public outcry rather than law, it is a definite part of the net-neutrality debate and as such may be regulated shortly. A prime example of the issue is Skype and its roughly 100 million subscribers (see “What’s the problem with Skype anyway?” below for more information).

I’m not about to say that the only problem carriers have with Skype is the security threat. Skype (and other providers, such as Vonage) are costing carriers millions of dollars daily in lost revenue from traditional phone services. My point is that there are many facets to the net-neutrality debate. By saying carriers cannot control the services that run on their networks - which would end the concept of charging a tariff to quality-sensitive content providers (YouTube, Skype or Vonage) - you in effect also limit their ability to prevent such attacks by blocking security threats.
However, the free market is driving change. Enterprises and other consumers of carrier services are embracing the idea of a security service level agreement (Security SLA) whereby the carrier ensures a “clean pipe”, either as part of their service (which retains existing customers while luring new ones) or for a fee (which increases revenue). Major carriers in the US and Europe are embracing this shift, and managed service providers (such as VeriSign, NeuStar and KSR) are seeing growth and are making acquisitions to keep pace. And corporate behemoths, such as IBM and Cisco, are making security a major business component.
I do agree fully with Edwards that the Internet is a component of the critical national infrastructure, and governments the world over must treat it as such. But the economics of the situation (competitive advantage or revenue opportunity) are causing carriers to respond to this economic driver much more quickly, and with more promise, than they would to any regulation.
Here’s an article from NewScientist.com news service where Lilian Edwards is interviewed on the argument she made.
Here’s a link to books by Lilian Edwards on the topic of law and the Internet.