When the first ISP loses a $10 million lawsuit because it didn't do egress
filtering and its servers were used for a DDoS attack, then egress filtering
will become standard.
But who is willing to start the suit?
"Paul D. Robertson" <[EMAIL PROTECTED]> on 06/08/2001 09:39:26 AM
To: [EMAIL PROTECTED]
cc: [EMAIL PROTECTED] (bcc: Bill Royds/HullOttawa/PCH/CA)
Subject: RE: This is a must read document. It will freak you out
If we all take the individual stance, then no, but if everyone hardened,
then the aggregate hardening would ensure that DDoS attacks weren't easy
to mount, and that at least critical resources at high-bandwidth
multihomed locations (like the root servers) wouldn't be as vulnerable to
attack. As long as everyone is only worried about themselves, and nobody
does things like egress filter rules to stop spoofing (after all, that
only really helps your neighbors, right?) then we'll continue to be in the
shape we're in. If I had to count the number of times I've had to prove
that an outbound access list on the external interface of a border router
doesn't impact that router's performance significantly...
We've got a protocol in front of IETF to do the host identification, we've
spent time with a *lot* of very smart people talking about anti-DDoS
methodologies. The end game is that to keep the critical infrastructure
protected, we don't need anywhere near 100% compliance (I think the figure
was around 20%, but I don't have that data here at home.)
If you harden a site against intrusions, then it becomes one less
launch point for attacks. If it became culturally unacceptable to put a
default install of anything on a network, the number of sites used to
launch any attack would go down to the point where we could start to deal
with individuals doing malicious acts. That's far better than throwing up
our collective hands and saying we can't do anything about it, or waiting
for someone else to solve the problems for us.
> On the other hand, there's a sense in which a DDoS that prevents
> users from reaching my servers cannot knock me further down than
> zero. An actual intrusion, a compromise of sensitive medical data or
> credit card numbers or missile launch codes, has no such natural
> limit on how bad the damage can be....
Exactly- DDoS attacks don't worry me too much from a strategic
perspective, because once they stop they're over. Intrusions, especially
of infrastructure components, worry me significantly more because of the
lack of boundaries on damage or malice.
I'd rather have my network off the air from one of its providers than my
leg off my body from a bad surgery scheduler.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]