Firewall Wizards mailing list archives
Re: Denial of service
From: Ted Doty <ted () iss net>
Date: Thu, 20 Aug 1998 07:20:05 -0400
At 06:46 PM 8/19/98 -0400, ICMan wrote:
>Ted Doty wrote:
>[snip]
>> If your network positively has to be up for mission critical applications, don't connect it to the Internet.
>[snip]
>Denial of service attacks can, for the most part, be guarded against with good "perimeter security devices" (read: Firewalls) and good security practices.

Hmmm. If BigStateU has a T3 internet connection, and they are vulnerable to the smurf attack (a broadcast ping with a spoofed source address), and if they use your internet router's IP address as the source address in the smurf, it is very likely that your internet connection will be so jammed with smurf traffic that nothing else will get through. It is also possible that your router will execute a HALT_AND_CATCH_FIRE operation, since a number of these are optimized for *forwarding* packets, rather than responding to them. If you have a T3, then the attacker just needs to find 5 or 6 other smurfable sites that have big, fat internet feeds. It's not at all clear to me what a "good perimeter security device" can do here, other than gasp out that it's under attack as its kernel mbuf allocation heads towards infinity.

>I think that your last assertion is a bit of overkill on the FUD. What is "absolutely mission critical"? Can I connect my network to the

Don't think it's FUD at all. I work at a company that plausibly would sell more stuff if you *could* really make the Internet safe for mission-critical applications.

>Internet with a router "patched sufficiently to make [hacking] impossible" and then put my mission critical stuff on a private, secure WAN? CERN in Geneva provides real-time data feeds from their accelerator lab at 10Mbps to certain research groups. This is "absolutely mission critical", because the data in the stream has to be free from contamination. However, I should still be able to connect my network to the Internet if I take sufficient precautions.

If someone at CERN can be fired because they use a delivery network that can be taken down at whim by any script kiddie on the net, then it's not mission-critical by any meaningful definition. Not poking at CERN, just defining my terms. Applications that I *hope* are nowhere near the Internet include: air traffic control, railroad scheduling and switching control, process control systems running big chemical plants, [the list is nearly infinite]. This is what all the "Information Warfare" guys use to get their big budgets.

>For example, I can have a really well locked down Firewall as my Internet gateway, and then also have a really tight Firewall in front of my research network. I have to take very good care to configure the Firewalls and routers correctly, and I need to make damn sure that the latest security patches are applied, but if my Internet connection goes down because someone blew my ISP away, I care very little because the data feed that is my bread and butter is coming from a different source.

Then by definition you're not running mission critical applications over the Internet.

- Ted
-----------------------------------------------------------------------
Ted Doty, Internet Security Systems | Phone: +1 678 443-6000
6600 Peachtree Dunwoody Road, 300 Embassy Row | Fax: +1 678 443-6479
Atlanta, GA 30328 USA | Web: http://www.iss.net
-----------------------------------------------------------------------
PGP key fingerprint: 362A EAC7 9E08 1689 FD0F E625 D525 E1BE
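The smurf pattern Ted describes has two sides a network operator can look for in ICMP flow data: echo requests aimed at one's own broadcast addresses (your hosts being used as the amplifier) and echo replies converging on one destination from many distinct networks (the spoofed victim being buried). The following is an added example for this archive page, not code from the original thread; the addresses and records are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample ICMP records (src, dst, icmp_type); 8 = echo request, 0 = echo reply.
# Hypothetical addresses: 203.0.113.0/24 is "our" network, 198.51.100.1 is the router
# address a spoofer used as source, 192.0.2.0/24 and 198.18.0.0/24 are remote amplifiers.
SAMPLE_RECORDS = [
    ("198.51.100.1", "203.0.113.255", 8),  # spoofed echo request to our broadcast address
    ("198.51.100.1", "203.0.113.255", 8),
    ("203.0.113.7", "198.51.100.1", 0),    # our hosts answer it: we are an amplifier
    ("203.0.113.8", "198.51.100.1", 0),
    ("192.0.2.10", "198.51.100.1", 0),     # replies from other amplifier networks
    ("192.0.2.11", "198.51.100.1", 0),
    ("198.18.0.5", "198.51.100.1", 0),
    ("198.18.0.6", "198.51.100.1", 0),
    ("203.0.113.9", "192.0.2.1", 8),       # ordinary outbound ping, not suspicious
]


def broadcast_requests(records, local_nets):
    """Echo requests addressed to the broadcast address of one of our networks:
    the directed-broadcast traffic that turns our hosts into a smurf amplifier.
    Returns {(src, dst): count}."""
    nets = [ip_network(n) for n in local_nets]
    hits = defaultdict(int)
    for src, dst, icmp_type in records:
        if icmp_type == 8 and any(ip_address(dst) == n.broadcast_address for n in nets):
            hits[(src, dst)] += 1
    return dict(hits)


def reply_floods(records, min_sources):
    """Destinations receiving echo replies from at least min_sources distinct /24s:
    the victim side, where a spoofed source address is flooded with replies.
    Returns {dst: number_of_distinct_source_networks}."""
    sources = defaultdict(set)
    for src, dst, icmp_type in records:
        if icmp_type == 0:
            sources[dst].add(ip_network(src + "/24", strict=False))
    return {dst: len(s) for dst, s in sources.items() if len(s) >= min_sources}


if __name__ == "__main__":
    print(broadcast_requests(SAMPLE_RECORDS, ["203.0.113.0/24"]))
    print(reply_floods(SAMPLE_RECORDS, min_sources=3))
```

On real flow data the thresholds would be tuned to the link's normal ICMP volume; the first function is the one that tells you to stop forwarding directed broadcasts on your own routers.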