On Thu, 7 Jun 2001 [EMAIL PROTECTED] wrote:

>   Stopping intrusions *on every host in the wild* should prevent 
> their being used as DDoS zombies.  It wouldn't prevent them being 
> used as smurfs -- you have to prevent source spoofing for that.

If smurfs were the biggest problem we had, we'd be in a much better place.
ISPs could enforce leaf-node filtering requirements if they had to, so
that's actually an easier-to-solve problem in the long run.

Smurf amplifiers are fortunately easier to stop, and Cisco's defaulting to
"no ip directed-broadcast" helps significantly.

>   Given that none of us, as far as I know, is in a position to fix 
> every host in the wild, then if I harden a site against intrusions, 
> does it become immune to DDoSes?  NO, because the DDoS that takes my 
> site off the air may be targetted at something I don't control:  ISP 
> routers, DNS root servers, Akamai cache servers, etc.
>   It's not obvious to me that defending against intrusions does 
> anything to protect me from DDoSes.  (Okay, folks -- I'm setting 
> myself up to learn something here.  Teach me the error of my ways.)

If we all take the individual stance, then no, but if everyone hardened,
then the aggregate hardening would ensure that DDoS attacks weren't easy
to mount, and that at least critical resources at high-bandwidth
multihomed locations (like the root servers) wouldn't be as vulnerable to
attack.  As long as everyone is only worried about themselves, and nobody
does things like egress filter rules to stop spoofing (after all, that
only really helps your neighbors, right?), then we'll continue to be in the
shape we're in.  If I had to count the number of times I've had to prove
that an outbound access list on the external interface of a border router
doesn't impact that router's performance significantly...

We've got a protocol in front of IETF to do the host identification, we've
spent time with a *lot* of very smart people talking about anti-DDoS
methodologies.  The end game is that to keep the critical infrastructure
protected, we don't need anywhere near 100% compliance (I think the figure
was around 20%, but I don't have that data here at home.)

If you harden a site against intrusions, then it becomes one less
launch point for attacks.  If it became culturally unacceptable to put a
default install of anything on a network, the number of sites used to
launch any attack would go down to the point where we could start to deal
with individuals doing malicious acts.  That's far better than throwing up
our collective hands and saying we can't do anything about it, or waiting
for someone else to solve the problems for us.

>   On the other hand, there's a sense in which a DDoS that prevents 
> users from reaching my servers cannot knock me further down than 
> zero.  An actual intrusion, a compromise of sensitive medical data or 
> credit card numbers or missile launch codes, has no such natural 
> limit on how bad the damage can be....

Exactly - DDoS attacks don't worry me too much from a strategic
perspective, because once they stop they're over.  Intrusions, especially
of infrastructure components, worry me significantly more because of the
lack of boundaries on damage or malice.

I'd rather have my network off the air from one of its providers than my
leg off my body from a bad surgery scheduler.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
[EMAIL PROTECTED]      which may have no basis whatsoever in fact."

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
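The two router-side measures the message above refers to (disabling directed broadcasts so a network can't be used as a smurf amplifier, and an outbound access list on the border router's external interface so spoofed packets can't leave) look roughly like the following on Cisco IOS. This is an added illustration, not configuration from the original post or from Cisco's documentation; the interface names, the access-list name EGRESS-NOSPOOF and the site prefix 192.0.2.0/24 (an RFC 5737 documentation range) are assumptions standing in for a real site's values.

```cisco
! Inside interface: refuse to forward packets addressed to the
! subnet broadcast address, so this LAN can't be used as a smurf
! amplifier. (Default on IOS 12.0 and later; shown explicitly here.)
interface FastEthernet0/0
 description Internal LAN (assumed 192.0.2.0/24)
 ip address 192.0.2.1 255.255.255.0
 no ip directed-broadcast
!
! Egress anti-spoofing filter: only packets whose source address
! belongs to our own prefix may leave towards the provider.
! Anything else is a forged source (or a misconfigured host) and
! is dropped and logged. Assumed name and prefix.
ip access-list extended EGRESS-NOSPOOF
 permit ip 192.0.2.0 0.0.0.255 any
 deny   ip any any log
!
! External interface: apply the list outbound, i.e. on traffic
! leaving our network for the upstream. This is the "outbound
! access list on the external interface of a border router"
! the message talks about.
interface Serial0/0
 description Link to upstream provider (assumed)
 ip access-group EGRESS-NOSPOOF out
```

A quick check after applying it: send a packet from an inside host with a forged source outside 192.0.2.0/24 and confirm it shows up as a deny hit in `show access-lists EGRESS-NOSPOOF` and in the log, while normal traffic from the real prefix still passes. If the site has several prefixes, each needs its own `permit` line before the final `deny`; forgetting one silently blackholes that prefix's outbound traffic, which is the usual cause of "the ACL broke something" complaints rather than router performance.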