nanog mailing list archives
Re: Counter DoS
From: Rachael Treu <rara () navigo com>
Date: Thu, 11 Mar 2004 15:30:56 -0600
On Thu, Mar 11, 2004 at 03:21:29AM -0500, Brian Bruns said something to the effect of:
> On Thursday, March 11, 2004 3:05 AM [EST], Brian Bruns <bruns () 2mbit com> wrote:
..snip snip..
> How the hell could a company put something like this out, and expect not to get themselves sued to the moon and back when it fires a shot at an innocent party?
Caution: 'innocent' is not the buzzword here. Subscribers: check your respective AUPs. You will likely find explicit prohibition of any malicious and generally unsolicited traffic generated by a node in your control, and I don't think that self-defense has an extenuation clause or special case appendix therein. You attack an attacker, he, too, can pursue you legally. There are no provisions made for DoS-ing a DoS-er. Vigilante nonsense is discouraged.
..snip snip..
> What's going to happen when they find a nice little exploit in these buggers (even if they have anti-spoof stuff in them) that allows the kids to take control of them or trick them into attacking innocents? Instead of thousands of DDoS drones on DSL and cable modems, you'll see kids with hundreds of these 'nuclear strike firewalls' on T1s, T3s, and higher, using them like they use the current trojans?
This won't even require an exploit to effect. These boxes can likely be used to do the bidding of miscreants with some simply-crafted packets and source spoofing. This thing could become something akin to a smurf amp with a big-time attitude problem. Anti-spoof rules will afford a modicum of reverse-path protection, but not enough to swat away the majority of inbound crafted traffic. This stupid PoS appliance would have to be installed and widely-deployed provider-side to discern on such a level. This would become the stuff of yet-another-botnet.
> No product is 100% secure (especially not something that runs under Windows, but that's another issue), so how are they going to deliver updates?
This is the least of their concerns; update management is already done effectively and easily by most IDS, anti-virii, and other signature-based appliance manufacturers. Snakeoil salesmen offer at the most basic a valid means of distributing updates, even.
> Or make sure that the thing is configured right?
Now _that_ is a real problem. Given that no one has beaten the creators with the illustrious clue stick and anyone who'd truly subscribe to this thing is likely mis-wired him/herself, I would guess that poor configuration is an engineering cornerstone on which this entire debacle desperately depends. Flog the scoundrels.

ymmv,
--ra

--
k. rachael treu, CISSP
rara () navigo com
..quis custodiet ipsos custodes?..
> I could see blacklists (BGP based) cropping up of these systems, so that you can filter these networks from ever being able to come near your network.
>
> This is starting to sound more and more like a nuclear arms race - on one side we have Company A, on the other Company B. Company A fears that B will attack it, so they get this super dooper nuclear strike system. Company B follows suit and sets one up as well. Both then increase their bandwidth, outdoing the other until finally, script kiddie comes along, and spoofs a packet from A to B, and B attacks A, and A responds with its own attack. ISPs hosting the companies fall flat on their face from the attack, the backbone between the two ISPs gets lagged to death, and stuff starts grinding to a halt for others caught in the crossfire.
>
> So, and who thinks that this is a good idea? :)
>
> --
> Brian Bruns
> The Summit Open Source Development Group
> Open Solutions For A Closed World / Anti-Spam Resources
> http://www.sosdg.org
> The Abusive Hosts Blocking List
> http://www.ahbl.org
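A constructed model of the two failure modes argued above: a spoofed trigger packet that sails through strict reverse-path (uRPF) checking at the appliance's own edge because the forged source is a perfectly routable third party, and two such appliances feeding each other once one has been tricked. This is an added example, not code from the thread or from any vendor's product. The prefixes (RFC 5737 test networks), interface names, the FIB layout and the appliance's "fire back at the claimed source" behaviour are all assumptions made for illustration.

```python
"""Toy model: a counter-strike appliance behind strict uRPF.

Constructed for illustration; addresses are RFC 5737 test nets,
interface names and FIB contents are assumptions.
"""
import ipaddress


class Packet:
    def __init__(self, src, dst):
        self.src = src  # claimed source: an attacker sets this to anything
        self.dst = dst


class Router:
    """Router with a constructed FIB: interface name -> prefixes reached via it."""

    def __init__(self, fib):
        self.fib = {iface: [ipaddress.ip_network(p) for p in nets]
                    for iface, nets in fib.items()}

    def egress_interface(self, addr):
        """Longest-prefix match: which interface would we use to reach addr?"""
        ip = ipaddress.ip_address(addr)
        best = None
        for iface, nets in self.fib.items():
            for net in nets:
                if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
                    best = (iface, net)
        return best[0] if best else None

    def urpf_strict_accepts(self, pkt, ingress):
        """Strict uRPF: keep the packet only if we would route back to pkt.src
        out of the interface it arrived on."""
        return self.egress_interface(pkt.src) == ingress


class CounterStrikeBox:
    """The appliance's premise: hostile-looking traffic is returned to its claimed source."""

    def __init__(self, name):
        self.name = name
        self.fired_at = []

    def handle(self, pkt):
        self.fired_at.append(pkt.src)
        # The counter-attack carries a *genuine* source, so no anti-spoof filter
        # anywhere will question it.
        return Packet(src=pkt.dst, dst=pkt.src)


INNOCENT_A = "203.0.113.7"   # Company A (TEST-NET-3), never sent anything
TARGET_B = "198.51.100.10"   # Company B (TEST-NET-2), behind the appliance
ATTACKER = "192.0.2.66"      # the kiddie (TEST-NET-1), never appears in any header

# Assumed FIBs: B's edge has a default route upstream and its own LAN;
# the attacker's ISP edge has a default route to its core and one customer prefix.
B_EDGE = Router({"upstream": ["0.0.0.0/0"], "lan": ["198.51.100.0/24"]})
ATTACKER_ISP_EDGE = Router({"core": ["0.0.0.0/0"], "cust": ["192.0.2.0/24"]})


def spoof_scenario():
    """One spoofed packet, checked at both places an anti-spoof rule could live."""
    spoofed = Packet(src=INNOCENT_A, dst=TARGET_B)
    box = CounterStrikeBox("B")
    result = {}
    # BCP38 ingress filtering at the attacker's own provider catches it: 203.0.113.7
    # is not reachable via the customer port it arrived on.
    result["dropped_by_bcp38_at_attacker_isp"] = not ATTACKER_ISP_EDGE.urpf_strict_accepts(spoofed, "cust")
    # Strict uRPF at B's edge cannot: A's prefix really is reached via the upstream,
    # so the forged source looks fine.
    result["accepted_by_urpf_at_b_edge"] = B_EDGE.urpf_strict_accepts(spoofed, "upstream")
    if result["accepted_by_urpf_at_b_edge"]:
        box.handle(spoofed)
    result["b_fired_at"] = list(box.fired_at)
    return result


def retaliation_chain(rounds):
    """Both companies run a box; a single spoofed trigger and they attack each other
    for as long as you care to iterate. Returns (who fired, at whom) per round."""
    box_a, box_b = CounterStrikeBox("A"), CounterStrikeBox("B")
    owner = {TARGET_B: box_b, INNOCENT_A: box_a}
    pkt = Packet(src=INNOCENT_A, dst=TARGET_B)  # the one and only spoofed packet
    chain = []
    for _ in range(rounds):
        receiver = owner[pkt.dst]
        pkt = receiver.handle(pkt)
        chain.append((receiver.name, pkt.dst))
    return chain


if __name__ == "__main__":
    print(spoof_scenario())
    print(retaliation_chain(4))
```

The point the model makes is where the check has to live: the appliance's own edge can only verify that a source is reachable back the way it came, which any real third party's address is, so reverse-path rules there stop nothing of this shape. Only ingress filtering at the spoofer's provider (where 203.0.113.7 is visibly not a customer address) rejects the trigger, and after the first counter-attack every subsequent packet has an honest source anyway.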