Title: RE: This is a must read document. It will freak you out

just my $0.02
I think the burden of preventing DDOS attacks needs to be placed on the ISPs, not on an operating system or OS manufacturer.

Let's face it, most of the PCs on the internet are Windows PCs running with little or no security, and many of those that have security are so flimsy as to be non-existent. How many home PCs have you seen running File and Print Sharing for Microsoft Networks! The main group of these users are Home Users who have little to no knowledge of what it is that their computer does. As far as they know they turn it on and go to a web address. These are the same people who think the WWW 'IS' the internet. Trying to control all of these machines is an almost impossible task.

This is not a knock on Windows (I'll leave that argument alone thank you). If you gave these users a *NIX box we would be in the same boat, just a different ocean.

Since we cannot reasonably control what is installed on every OS on the internet we should aim our concerns on the 'Traffic Aggregators' or ISPs.

We must accept incoming traffic or else we can't do business on the internet, so we cannot constrain what we accept. Yes, I know that we can block IPs and ports, but if you are being hit by a DDOS which spoofs its source then you will block a connection from the legitimate source that has nothing to do with the DDOS, thereby DDOSing yourself.....you get the idea.

However, constraining what packets can come out of our networks should be done by the ISP. If you have the 192.168.1.0/24 network then the router at your ISP should only pass packets of a 192.168.1.0/24 source.

Dialup ISPs normally have a bank of DHCP IP addresses that are used for their customers; why then do they allow packets of a totally different network to originate from inside their network? I don't know the best way to have the ISP community accomplish this, but it is common sense that if you cannot control ingress then control egress.

In all other forms of commerce the seller is, within reason, responsible for misuses of the services they provide. Is it not reasonable to ask that an ISP ensures that the packets originating on its network are from a source IP on its network?

Sorry for the rambling, but I just don't see this as a technology issue per se; I feel that it is a policy issue more than anything. You should know what originates within your control and ensure that it does not disable or in any way degrade the services of others. And as much as I hate regulation, if the ISPs aren't doing anything about it maybe there needs to be one.

Just my rambling thoughts,

Michael Cessna
Systems Administrator
RealTime Media
308 Lancaster Ave.
Wynnewood, PA 19096
p.610-896-9400 x308
f.610-896-9416
[EMAIL PROTECTED]
www.realtimemedia.com
 

-----Original Message-----
From: Zachary Uram [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 07, 2001 11:53 AM
To: Paul D. Robertson
Cc: Ari Weisz-Koves; [EMAIL PROTECTED]
Subject: RE: This is a must read document. It will freak you out


On Thu, 7 Jun 2001, Paul D. Robertson wrote:
>
> It really isn't that big of a deal, there are already enough trojaned
> Win9x clients out there that even using real addresses doesn't make it
> easy to stop them.

Hi Paul,

So are DDoS attacks the biggest security threat out there?
It seems to be a big problem. Especially for e-commerce and data
warehousing/management systems where uptime = $$.
So no one has developed effective countermeasures against
arbitrary DDoS attacks? I guess if there was a large enough
concerted attack that some group could even overload an entire
ISP or an Internet backbone? Do we need laws to give law
enforcement/ISPs more power to solve this?

SDG,
Zach

[EMAIL PROTECTED]
"Blessed are those who have not seen and yet have faith." - John 20:29

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
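
The egress check described in the message above (the ISP router passing only packets whose source address lies in the prefix assigned to that customer), as an added example that is not part of the original thread. The port names, the dial-up pool prefix and the sample packets are constructed for illustration.

```python
import ipaddress
from collections import Counter

# Constructed data: prefixes an ISP has assigned per customer-facing port.
ASSIGNED = {
    "cust-lan": ["192.168.1.0/24"],      # the network named in the message
    "dialup-pool": ["198.51.100.0/24"],  # documentation range standing in for a DHCP pool
}

def build_table(assigned):
    """Parse the prefix strings once so each lookup is a cheap containment test."""
    return {port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in assigned.items()}

def source_is_valid(table, port, src):
    """True only if src parses and falls inside a prefix assigned to that port."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # malformed source: never forward
    return any(addr in net for net in table.get(port, []))

def filter_egress(table, packets):
    """Split packets into forwarded and dropped; count drops per port for follow-up."""
    forwarded, dropped, drops_per_port = [], [], Counter()
    for pkt in packets:
        if source_is_valid(table, pkt["port"], pkt["src"]):
            forwarded.append(pkt)
        else:
            dropped.append(pkt)
            drops_per_port[pkt["port"]] += 1
    return forwarded, dropped, drops_per_port

# Constructed sample traffic arriving from customer ports, heading outbound.
SAMPLE = [
    {"port": "cust-lan", "src": "192.168.1.20", "dst": "203.0.113.5"},
    {"port": "cust-lan", "src": "10.9.8.7", "dst": "203.0.113.5"},          # foreign source
    {"port": "dialup-pool", "src": "198.51.100.77", "dst": "203.0.113.5"},
    {"port": "dialup-pool", "src": "192.168.1.20", "dst": "203.0.113.5"},   # valid elsewhere, not on this port
    {"port": "dialup-pool", "src": "not-an-ip", "dst": "203.0.113.5"},      # malformed
]

if __name__ == "__main__":
    fwd, drop, per_port = filter_egress(build_table(ASSIGNED), SAMPLE)
    print(len(fwd), "forwarded;", dict(per_port), "dropped per port")
```

The per-port drop count is what tells the ISP which customer connection is emitting packets with sources it was never assigned.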
