By Paul Marks
09 November 2006
NewScientist.com news service
Internet service providers (ISPs) should be made legally liable for the
damage caused by "denial of service" (DoS) attacks carried out via their
networks, a leading internet lawyer says.
A DoS attack involves taking down a website or server by flooding it with
meaningless traffic, usually sent from a network of tens of thousands of
PCs infected with viruses and controlled remotely. These viral "bots" do
nothing until a hacker sends a command that tells them to attack a
target, but can also be used to relay millions of spam email messages.
At a conference called Blocking Denial of Service Attacks on the
Internet, to be held in London on 13 September, Lilian Edwards, an
internet lawyer based at the University of Southampton, UK, will argue
that legal measures must be taken if these attacks are to be stemmed.
Edwards notes that ISPs currently have no legal obligation to check data
relayed to and from internet users. She thinks, however, that
governments could require them to do so.
Ian Brown of the Communication Research Network, an internet policy
group based in Cambridge, UK, will chair the conference. The event will
be held at the UK government's Department of Trade and Industry. "There
will be a range of people present from government, industry, ISPs and
companies that want to protect their online presence," he says.
Brown says some gambling sites pay extortionists up to $50,000 to call
off an attack, as this is cheaper than having their business offline for
any length of time. "You can buy a custom-written bot virus on eBay for
around $4000 that will evade antivirus software for at least two weeks,
giving time to stage a DoS attack," he says.
"Botnets can only really be cured by making Windows more secure, which
Microsoft is slowly doing as it moves towards Vista," Brown told New
Scientist. "Users can take basic measures, using antivirus software, but
governments have the option of taking legal measures."
The technology that might stem DoS attacks already exists: it is called
deep packet inspection and allows ISPs to tell the difference between,
say, internet phone calls and video downloads. Edwards says the same
technique could identify sudden storms of traffic. "The ISPs have the
knowledge, the resources and the power," she told New Scientist. "They
control the net traffic and they can detect unusual patterns in that
The idea of requiring ISPs to guard against DoS attacks will be strongly
resisted by the companies concerned, says Malcolm Hutty of the London
Internet Exchange, an association of London-based internet providers.
"That idea is guaranteed to fail," he says. "It's not the ISP's fault
that DoS attacks happen - it is the computer's fault for allowing the
bots to be planted."
Distinguishing between malicious and innocent traffic would also be too
time-consuming and expensive, Hutty contends, and would cause delays for
"Recognising DoS attacks is not easy," Hutty says. He notes that the
public blog of the Internet Governance Forum, an event in Athens,
Greece, last week was so popular that its servers went down. "That was
not a DoS attack," Hutty says, "but it looked like one. How is the ISP
to know that it is not genuine site popularity, rather than some
Ollie Whitehouse of antivirus firm Symantec in the UK says criminals
could begin encrypting their attack commands if ISPs start inspecting
every packet they handle. "That will make spotting a DoS attack a whole
lot harder for an ISP," he says. Hutty agrees: "If we try to tell the
good traffic from the bad, it'll only incentivise the bad guys to make
it more indistinguishable."
Harnessing deep packet inspection is already a politically charged
issue. ISPs could use the technique to create a multi-tiered internet,
offering different download speeds or quality of service to different
users, and infringing the principle of "net neutrality" (see Who said
the internet was fair?).