ISPs 'should be responsible' for hacker attacks

Found on New Scientist on Wednesday, 08 November 2006

Internet service providers (ISPs) should be made legally liable for the damage caused by "denial of service" (DoS) attacks carried out via their networks, a leading internet lawyer says.

The idea of requiring ISPs to guard against DoS attacks will be strongly resisted by the companies concerned, says Malcolm Hutty of the London Internet Exchange, an association of London-based internet providers. "That idea is guaranteed to fail," he says. "It's not the ISP's fault that DoS attacks happen - it is the computer's fault for allowing the bots to be planted."

"Recognising DoS attacks is not easy," Hutty says. He notes that the public blog of the Internet Governance Forum, an event in Athens, Greece, last week was so popular that its servers went down. "That was not a DoS attack," Hutty says, "but it looked like one. How is the ISP to know that it is not genuine site popularity, rather than some nefarious purpose?"

Ollie Whitehouse of antivirus firm Symantec in the UK says criminals could begin encrypting their attack commands if ISPs start inspecting every packet they handle. "That will make spotting a DoS attack a whole lot harder for an ISP," he says. Hutty agrees: "If we try to tell the good traffic from the bad, it'll only incentivise the bad guys to make it more indistinguishable."

Curing the symptoms isn't a solution here. Making ISPs reliable is just a try to hide the fact that legislation doesn't work; just look at the CANSPAM act. It has done nothing to stop spam, but it made some politicians feel better. If someone has to be blamed, it should be the owner of the compromised machine, or the creator of the OS for not making it secure enough.

Browse all articles« Previous « » Next »