Lawyer Says ISPs Should Be Legally Liable For Denial Of Service Attacks

from the bad,-bad-ideas dept

Thu, Nov 9th 2006 2:06pm — Mike Masnick

For some reason, there are always people who figure that when there's a situation where someone is harmed, you should blame the easiest, or most accessible party, rather than those actually responsible. You see it in things like the lawsuits against YouTube, rather than the person responsible for uploading infringing material. The latest is that a lawyer in the UK is proposing that ISPs should be responsible for denial of service attacks, and that it should be their responsibility to stop them. How? Well, they should just inspect all of the packets to determine whether they're legit or not. Of course, this should set off all different kinds of alarm bells. First, even if you know what the packets are, that doesn't mean you'll be able to spot (or stop) a denial of service attack. What's to say if it's a real attack or you suddenly get a lot of attention from elsewhere on the web driving a lot of traffic? Second, asking ISPs to inspect each and every packet should scare off lots of people who don't want their ISPs inspecting the specific types of traffic on the network, and who find it as a foot in the doorway to ISPs charging different amounts for different kinds of traffic. Finally, as with the network neutrality issue, the more ISPs inspect the traffic, the higher the likelihood that everyone just starts encrypting their traffic to make it so the ISPs can't tell what's traveling across the network. So, really, all this does is add more costs for the ISPs, slow down network traffic and do nothing to stop actual denial of service attacks. But, at least it makes it easier for the lawyers to be able to point to who they can sue.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

13 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 9 Nov 2006 @ 4:32pm

Acutally, maybe the lawyer should be liable - afterall, lawyers are the politicians who eventually create laws - which make people mad, which cause them to 'rebel' with Denial Of Service attacks...

Makes about as much sense as what he's saying.
[ link to this | view in thread ]
smokebreak, 9 Nov 2006 @ 4:34pm

Why not Blame global warming
this kind of argument is absurd..... it is along the line of shoplifting is the store's fault. After all, if the merchandise wasn't so accessible, it wouldn't be stolen. I've got a great idea, how about lawyers find cases to fight that could actually make a change to our world. There are plenty of issues that should be fought for..... ie, corruption in government, corporate lobbying for legislation to restrict citizens rights, the patriot act stripping citizens of civil liberties and rights, or accounting scandals that involve billions of citizens dollars being absorbed into corporate conglomerates. but hey..... if they did that then nobody would have a reason to hate them or be able to blame them for the erosion of society.

1st !!!!! maybe second after that rant
[ link to this | view in thread ]
smokebreak, 9 Nov 2006 @ 4:35pm

dang nab it anon
oh well, beat me again, what's scary is how alike we sound on the issue
[ link to this | view in thread ]
Charles The Tech, 9 Nov 2006 @ 4:48pm

The real reason
$$$$$$$$

It's a lot easier to get settlements from ISP's who have money then from somebody living in their parents basement.

Settlements = $$$$ for lawyers.
[ link to this | view in thread ]
Nick the ISP Admin, 9 Nov 2006 @ 4:59pm

What an idiot
It's amazing that people come up with things like this. It seems to me like what it comes down to is a complete lack of understanding as to how networks operate, that causes the lawyer types to say such things.

He may know that it's possible to inspect all traffic, but doesn't understand the ramifications that it would have on cost of service (prices would have to go up, to pay for all the packet inspection hardware), and network performance would go down (if you inspect the packet, it adds latency).

I run a small ISP in a rural area, and I can tell you 100% that if there was a law that suddenly said "you have to inspect all your traffic, or face DOS lawsuits" we would pretty much be forced to just gracefully shut ourselves down - there's no way the smaller ISP's of the world can do that.
[ link to this | view in thread ]
Misanthropic humanist, 9 Nov 2006 @ 5:43pm

obviously
That's what you get when you allow lawyers to pontificate about complex systems like computer networks.
[ link to this | view in thread ]
Daniel Keaveney, 9 Nov 2006 @ 5:57pm

Henry V111
I do not in any way advocate violence, but frivolous litigation always reminds me of; “First thing we do, let’s kill all the lawyers.” --Shakespeare, King Henry VI, Part II, IV, ii.
I apologize to all the good and well intentioned lawyers and hope both of you are not offended.
[ link to this | view in thread ]
Paul, 9 Nov 2006 @ 9:40pm

Tubes
States should be responsible for traffic collisions that take place on state owned roads.
[ link to this | view in thread ]
Rick Ringel, 10 Nov 2006 @ 5:56am

User perspective
Taken out of context, this lawyer's proposal makes no sense. But, consider that this guy is representing somebody who was or will be victumized by a DoS attack.

In our western culture, we delegate the use of force to our government, and in return, we expect the government to use that force to protect our person and our property. In this case, this general principle is applied by the lawyer's client, who experiences real property losses due to the DoS attack. He rightly expects protection because the government tells him he cannot use force on his own.

Clearly, the lawyer is the wrong guy to solve this network problem, but until those who can resolve these network service issues (perhaps IETF) do resolve these network service issues, we will continue to see these unqualified individuals submit their opinions.

Certainly, dismiss the proposal as naive, but in doing so, understand that the proposal is a reaction to a real problem. The internet is an anarchy, and that doesn't mash up with our citizenship's fundamental reliance on the rule of law.
[ link to this | view in thread ]
Rich Kulawiec, 10 Nov 2006 @ 7:19am

This is not entirely unreasonable
Back in .arpa days, this is *exactly* how the network was run: every admin was responsible for the packets leaving their network. Too many abusive packets? Your connection gets plugged back in after you fix the problem and explain what you've done to prevent a repeat.

Making this happen isn't difficult for any intelligent, responsible, competent admin. After all: if others can see the packets ENTERING their network(s), then surely you can see them LEAVING yours -- if only you bother to look.

And arguably, this is much, MUCH easier now than it was years ago. The tools available for the job are free/open-source, and easily deployed on cheap, commodity hardware. And it's just not that hard to spot the truly egregious problems -- in other words, I'm not expecting admins to spot one isolated ssh attempt....but *thousands* from the same IP, that's a no-brainer. Or huge spam runs -- easily spotted by looking at netflows on routers. And so on.

And I know that everyone gets nailed from time to time. Goes with the territory. So I don't expect anybody to have a spotless track record -- just to be paying attention, stop most things before they get to an issue, and respond rapidly to external reports of things that they missed.

I'm not necessarily in favor of enforcing competent network administration via litigation. But I'm certainly in favor of quarantining networks with {systemic, long-term, repeated} issues because there's no reason why the entire rest of the Internet should have to put up with that kind of nonsense. The people running those networks may be cheap, lazy, stupid or possibly on-the-take (spammers and others are known to make payoffs), but I don't really care which it is: the bottom line is that they
are simply *not good enough* to be allowed the privilege of being on the same Internet with the rest of us.
[ link to this | view in thread ]
Ken Simpson, 10 Nov 2006 @ 12:47pm

Not a bad idea.. but quite hard to implement
Sure -- blame ISPs for the DDoS and spam problem. It makes sense from a legal point of view, because after all ISPs carry the problem traffic and are in the best position to do something about it. Furthermore, by not fixing problem hosts within their network, they are somewhat complicit in the attacks.

The problem is that those on the receiving end of DDoS are much smaller entities than those on the sending end. AOL, Comcast, and Verizon are going to put up a good fight to ensure legislation is never passed that makes them responsible for their customers' traffic -- no matter how reasonable a proposition that is.
[ link to this | view in thread ]
|333173|3|_||3, 12 Nov 2006 @ 5:29pm

Internode...
...have a policy whcih states that if you DoS someone and they can prove it was you, and they get fined, you have to pay plus intertest, and your connection gets cut off. I believe that Adam has an informal policy that if it sees something which they think is a DoS attack, they will note it down and if it keeps happening, let you know.

All the ISPs would do is tell all thier customers that the problem is thiers, no crap gets out or well shape you for a few hours while you cool off, then the admins tell thier users, and so forth. Eventual;luy, you get down to the user responsible, who gets:
a) a punch in the face from his parents for getting thier internet disconnected.
b) fired
c) expelled
d) disconnected
Simple really
[ link to this | view in thread ]
-gary, 14 Nov 2006 @ 8:29am

This is actually a very good idea and simple to implement. If I'm an end-point router, I know all the IP's that I'm servicing and so I can throw away any packet with a forged IP outside of my IP's of control. It shouldn't take a lawsuit to make it happen, but sometimes that's the only way to make a change.

You can argue that it's not the ISP's problem, but in the US we've constantly thrown the book at people that provide service or products to those that should not be receiving them. It is illegal for a stor clerk to sell alcohol to a minor, so why not make it illegal to sell connection service to a spam spewing PC?
[ link to this | view in thread ]