Quoting Ian C. Sison ([EMAIL PROTECTED]):

> 1) i believe whether its a local/remote root compromise or an IP packet
> which brings down a service, it is a legitimate security issue.

I'm not saying -- and _did not say_ -- that some remote person DoSing a
service isn't a serious problem. I'm just saying that DoSes should be
distinguished from what we _usually_ mean by "security compromise" or
"security problem".

> Sometimes these DoSs are actually more harmful to service providers than
> actual remote roots, as there are those cases wherein an intruder gains
> super user access, and uses it to install an IRC bot or something, and
> keeps the system online.. 8)

I think you're confusing multiple things, here: First, you talk about a
DoS, and then about a remote shell exploit yielding root. Those are
different things entirely.

The very _definition_ of DoS is that it is a technique to render a
resource unavailable. My point is that the host itself is not
compromised, meaning that recovery is much, much easier: You don't have
to rebuild the host; other systems are not affected; data are not at
risk. No information lossage, no data lossage.

(See: http://linuxmafia.com/~rick/ids for categories of security risk
and how to assess seriousness thereof.)

> My point? These DoS problems are equally as disruptive as remote roots and
> provide yet another way by which unauthorized intrusions bring down
> legitimate services.

Your point is not quite right. Let me give you an example:

Case 1: Someone roots my box because I'm running an antique, vulnerable
BSD lpd. I notice (e.g., I look on the console and see that eth0 is
suddenly running in promiscuous mode). I then have to spend the entire
day rebuilding and restoring data from backup with the host off-LAN,
carefully studying vulnerabilities, and making sure the host isn't still
vulnerable before reconnecting it to the Net.

Case 2: Someone asks me why my Web server isn't responding. I ssh in,
notice no addressable Apache instances running, read the logfiles, and
find that someone's knocking them down via a new DoS as quickly as they
spawn. I grumble, maybe chuckle briefly, turn on Boa instead while
waiting for a patch, and go back to what I was doing.

#2 looks to me a _whole_ lot less disruptive.

[De-duping:]

> Cyrus imap has done some work on that, in that its delivery agent has a
> database of already sent items, to avoid actual dups being delivered.
> True, it's not related to your point where the MTA actually supports it,
> but at least it makes it a less important feature if other software layers
> can support it. ;).

MDAs can, too, for that matter.

--
Cheers,
Rick Moen
[EMAIL PROTECTED]
    "Heedless of grammar, they all cried 'It's him!'"
        -- R.H. Barham, _Misadventure at Margate_

_
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph
Fully Searchable Archives With Friendly Web Interface at http://marc.free.net.ph
