On Thursday 01 December 2011, Daniel-Constantin Mierla wrote:
> > IMHO also certain denial of service attacks belong to the "security bug"
> > class. If somebody can easily bring my service down because of e.g. a
> > crash during the processing of misformatted (network) input then the
> > availability of the service can be easily compromised.
>
> Then flooding to fill the pipe will cause the same kind of issue to the
> availability of the service - a bug of the infrastructure.
>
> As expressed in another email just sent, imo there are two categories
> here: stability and security
Hi Daniel,

well, there is a difference between a "simple" DDOS attack, which of course can bring every service down given a big enough attacker's bandwidth, and a crash on a single invalid (SIP, SSL setup etc.) message, which is IMHO clearly a vulnerability.

The "classical" information security definition is CIA - confidentiality, integrity and availability. A break-in due to a software bug would be a breach of integrity, the discussed crash would affect the availability, and e.g. a wrong usage of TLS that causes missing encryption in messages would be a breach of the confidentiality.

http://en.wikipedia.org/wiki/Information_security

But you're right, I guess the right person to make this decision is the one that will work on this stuff in the end..

Best regards,

Henning

_______________________________________________
sr-dev mailing list
[email protected]
http://lists.sip-router.org/cgi-bin/mailman/listinfo/sr-dev
