Now I know that this isn't a popular opinion - I love the ISP community, but I really do believe in my heart of hearts that the ISP and NSP community really needs to step up and start working smarter to solve the network abuse problems that are going on out there.
Internet service providers (ISPs) should be made legally liable for the damage caused by "denial of service" (DoS) attacks carried out via their networks, a leading internet lawyer says.
- New Scientist via Techdirt
I've been talking about this for at least three years now. Network Service Providers and Internet Address Registries hold the key to knocking back the amount of spam and network abuse several orders of magnitude.
What needs to happen is quite simple - the Address Registries need to set out a Bush-like abuse policy that goes something like this: "If you are providing transit or network access to spammers using IP addresses we gave you, we will take away all of your IP addresses". Draconian? Yes. I believe it will have the right effect on network service providers though.
AT&T, Verizon, BT, Bell Canada and all the rest of the large network service providers will be the last to tell you that they make bucket loads of money transiting spam, denial of service traffic and so on. This puts them in the bad spot of having to make the right choice for the shareholders and the right choice for their customers. So far, they've been making the right choice for their shareholders.
Faced with the possibility of losing their IP address assignments, and therefore their ability to connect to the Internet (and therefore the basis for much of their business), I believe we would see very different behavior from the network service providers - carrying spam and other abusive packets would suddenly not be profitable, and they would very quickly find ways to stop carrying that kind of traffic. This would then quickly trickle down to the smaller providers, who would face the possibility of being disconnected by the larger providers if they didn't solve their own problems.
The Techdirt piece paints this up as a privacy issue, but this stance completely ignores the basic architecture of the internet as a network of networks - a series of interconnected networks: my home network, the upstream network that it connects to, and the interconnections upstream from that. Each of those networks has a responsibility to its upstream connections to keep its own house in order and not pass abusive traffic on to the next.
Network service providers complain about the difficulties of spotting this type of traffic and blame operating system vendors for making insecure software that makes it easy for the bad guys to set up botnets and the like. The whole "packet inspection will slow down the network" argument is a bit of a red herring as well. Packet inspection is just one way to figure out what is going on with a network. So is looking at traffic volume, what ports that traffic is travelling on, what type of traffic is inbound to those endpoints, whether traffic to and from the endpoints is coordinated, and so on. 50,000 network endpoints all sending small packets to the same destination address is one great indicator that some sort of a distributed denial of service attack is going on. Only at that point would the packet inspection have to start.
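The volume-and-coordination heuristic described above (many endpoints, small packets, one destination) as an added example, not code from the original post: it aggregates constructed NetFlow-style flow records per destination and flags only destinations where many distinct sources are all sending small packets, so that deep packet inspection is reserved for those. The record layout, addresses and thresholds are assumptions for illustration.

```python
from collections import defaultdict

# Constructed flow records (hypothetical, not from the post), roughly what a
# NetFlow/IPFIX export would give an NSP. Fields: src, dst, dst_port, packets, bytes
SAMPLE_FLOWS = []
# Hypothetical attack: 60 distinct sources each sending many 60-byte packets to one host.
SAMPLE_FLOWS += [(f"198.51.100.{i}", "203.0.113.10", 80, 500, 500 * 60)
                 for i in range(1, 61)]
# Hypothetical popular web server: 80 clients, normal-size (~900 B) packets.
SAMPLE_FLOWS += [(f"192.0.2.{i}", "203.0.113.20", 443, 40, 40 * 900)
                 for i in range(1, 81)]
# Hypothetical single chatty host: many small packets, but only one source.
SAMPLE_FLOWS += [("192.0.2.250", "203.0.113.30", 5060, 20000, 20000 * 60)]


def summarize_by_destination(flows):
    """Aggregate flows per destination: distinct sources, packet and byte totals."""
    stats = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    for src, dst, _port, packets, nbytes in flows:
        s = stats[dst]
        s["sources"].add(src)
        s["packets"] += packets
        s["bytes"] += nbytes
    return stats


def flag_ddos_targets(flows, min_sources=50, max_avg_bytes=100):
    """Return {dst: (distinct_sources, avg_bytes_per_packet)} for destinations
    that look like DDoS targets: many distinct sources all sending small packets.
    Thresholds are illustrative; a real deployment tunes them per link."""
    flagged = {}
    for dst, s in summarize_by_destination(flows).items():
        n_sources = len(s["sources"])
        avg = s["bytes"] / s["packets"] if s["packets"] else 0.0
        # Volume alone is not enough: a busy web server has many sources too,
        # so require both fan-in and a small average packet size.
        if n_sources >= min_sources and avg <= max_avg_bytes:
            flagged[dst] = (n_sources, avg)
    return flagged


if __name__ == "__main__":
    for dst, (n, avg) in flag_ddos_targets(SAMPLE_FLOWS).items():
        print(f"{dst}: {n} sources, avg {avg:.0f} B/packet -> start packet inspection")
```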
So, to the NSPs that say that this is hard, I say "yup - try harder". Keeping your network house in order is your responsibility, and I'm tired of it being my problem. If this means that NSPs have to start calling their end users and letting them know that they have bots installed on their PCs and they won't be able to connect to the internet until the situation is rectified, then so be it. What's harder is putting up with this sort of abuse as a continuous status quo, and the repeated excuse that the problem is because of some other party's action or inaction.
Paying $24.95 per month for a connection to the internet doesn't absolve you of the responsibility that comes with connecting to the internet. Being an aggregator of these endpoints, which is exactly what the ISPs and NSPs are, similarly doesn't absolve you of these responsibilities. Your downstreams are your problem - they shouldn't be mine.