FRAMINGHAM (03/02/2000) - Responsibility for the recent denial-of-service (DOS) attacks seen on the Internet has been attributed primarily to the perpetrators and to the e-commerce victims. However, there are third-party participants that should shoulder a large portion of the blame: the access and backbone Internet service providers (ISPs), and the unsuspecting third parties whose systems are being used as launchpads for DOS attacks.
Many ISPs are doing very little to proactively detect or thwart DOS attacks beyond rerouting (in practice, black-holing traffic bound for the victim's address, which finishes the attacker's job of taking the victim offline), even though they are stakeholders in these events and face risks similar to those borne by the targeted victims. At a high level, those risks are loss of bandwidth, router failure and impact on nontargeted ISP customers.
If ISPs are truly interested in providing the best service possible, they should be contractually willing to recognize and stop DOS attacks before their customers are severely impacted. For their part, e-commerce customers should include service-level agreement language in all new ISP contracts that penalizes the ISP if it takes too long to respond to a DOS attack.
What can be done about unsuspecting third parties whose systems have been used to launch DOS attacks? Many foster "open computing environments," so they should be equally "open" to the financial liabilities if they play supporting roles in such attacks.
Finally, for those who are connected to the Internet without firewalls, whether due to ignorance or some economic reason, it's time to seek help from our lawmakers. Laws need to be enacted requiring all dedicated Internet connections to have at least a minimal set of security standards in place. There's no excuse for a business, hospital, institution or college to be connected to the Internet without firewall protection in place. To make matters worse, most of these networks are connected in some manner to our nation's critical infrastructure.
Michael D. Tonick, CISSP
Senior security consultant