麻豆传媒

ISPs ‘should be responsible’ for hacker attacks

A leading internet lawyer argues internet service providers should be legally liable for the damage caused by so-called 'denial of service' attacks

Internet service providers (ISPs) should be made legally liable for the damage caused by 鈥渄enial of service鈥 (DoS) attacks carried out via their networks, a leading internet lawyer says.

A DoS attack involves taking down a website or server by flooding it with meaningless traffic, usually sent from a network of tens of thousands of PCs infected with viruses and controlled remotely. These viral 鈥渂ots鈥 do nothing until a hacker sends a command that tells them to attack a target, but can also be used to relay millions of spam email messages.

At a conference called Blocking Denial of Service Attacks on the Internet, to be held in London on 13 November, Lilian Edwards, an internet lawyer based at the University of Southampton, UK, will argue that legal measures must be taken if these attacks are to be stemmed. Edwards notes that ISPs currently have no legal obligation to check data relayed to and from internet users. She thinks, however, that governments could require them to do so.

Ian Brown of the Communication Research Network, an internet policy group based in Cambridge, UK, will chair the conference. The event will be held at the UK government鈥檚 Department of Trade and Industry. 鈥淭here will be a range of people present from government, industry, ISPs and companies that want to protect their online presence,鈥 he says.

Gambling sites

Brown says some gambling sites pay extortionists up to $50,000 to call off an attack, as this is cheaper than having their business offline for any length of time. 鈥淵ou can buy a custom-written bot virus on eBay for around $4000 that will evade antivirus software for at least two weeks, giving time to stage a DoS attack,鈥 he says.

鈥淏otnets can only really be cured by making Windows more secure, which Microsoft is slowly doing as it moves towards Vista,鈥 Brown told 麻豆传媒. 鈥淯sers can take basic measures, using antivirus software, but governments have the option of taking legal measures.鈥

The technology that might stem DoS attacks already exists: it is called deep packet inspection and allows ISPs to tell the difference between, say, internet phone calls and video downloads. Edwards says the same technique could identify sudden storms of traffic. 鈥淭he ISPs have the knowledge, the resources and the power,鈥 she told 麻豆传媒. 鈥淭hey control the net traffic and they can detect unusual patterns in that traffic.鈥

Strong resistance

The idea of requiring ISPs to guard against DoS attacks will be strongly resisted by the companies concerned, says Malcolm Hutty of the London Internet Exchange, an association of London-based internet providers. 鈥淭hat idea is guaranteed to fail,鈥 he says. 鈥淚t鈥檚 not the ISP鈥檚 fault that DoS attacks happen 鈥 it is the computer鈥檚 fault for allowing the bots to be planted.鈥

Distinguishing between malicious and innocent traffic would also be too time-consuming and expensive, Hutty contends, and would cause delays for users too.

鈥淩ecognising DoS attacks is not easy,鈥 Hutty says. He notes that the public blog of the Internet Governance Forum, an event in Athens, Greece, last week was so popular that its servers went down. 鈥淭hat was not a DoS attack,鈥 Hutty says, 鈥渂ut it looked like one. How is the ISP to know that it is not genuine site popularity, rather than some nefarious purpose?鈥

Ollie Whitehouse of antivirus firm Symantec in the UK says criminals could begin encrypting their attack commands if ISPs start inspecting every packet they handle. 鈥淭hat will make spotting a DoS attack a whole lot harder for an ISP,鈥 he says. Hutty agrees: 鈥淚f we try to tell the good traffic from the bad, it鈥檒l only incentivise the bad guys to make it more indistinguishable.鈥

Harnessing deep packet inspection is already a politically charged issue. ISPs could use the technique to create a multi-tiered internet, offering different download speeds or quality of service to different users, and infringing the principle of 鈥渘et neutrality鈥 (see Who said the internet was fair?).

Topics: Computer crime