Firewall Wizards mailing list archives

RE: SANS Flash: Urgent Request For Help In Stopping DOS Attacks


From: Rick Smith <rick_smith () securecomputing com>
Date: Thu, 13 Apr 2000 14:06:04 -0500

At 10:01 AM 04/13/2000 -0700, Mark.Teicher () predictive com wrote:
I really don't think security forethought would have prevented today's 
Internet from evolving, but it may have slowed it down and hopefully 
prevented the onslaught of security vulnerabilities that is ravaging the 
countryside and vendors.

I agree that security forethought is a good thing. I just want to point out
that things weren't much better in the good old days. Also, let's recognize
that there *was* some security forethought, it's just that the Internet
world took different turns than people expected.

Take a look at how TCP establishes a connection, and the whole dance it
does with SYN/ACK and with sequence numbers. This design is supposed to
resist attempts to spoof source addresses. I remember one of the designers
once related a phone conversation with someone at NSA who wouldn't say how
big the sequence number space should be to resist attack (the Optimal
Answer was no doubt classified), but allowed him to play Twenty Questions
until he zeroed in on an acceptable number.

I should also point out one place where Mark Teicher's Arpanet nostalgia
might be right on: TCP was designed as an efficient replacement for two
older protocols, NCP and ICP, which exchanged a half-dozen messages to
establish a single bidirectional connection. I think of that when I see
discussions of protocols to detect SYN flood messages by exchanging
additional messages containing nonces or something. (I'm not really
suggesting we go back to NCP and ICP -- they had some nasty problems -- but
we seem to be talking about returning to a more lengthy and elaborate
connection protocol).

Developers, Programmers and other Engineers knew about buffer overflows, 
poorly written protocols, etc. 

Agreed. This is one of the two major causes of today's security problems.
But I'm afraid we'll have to develop a significant body count (people
*dying* from software quality failures) before non-experts really take this
seriously. Most people see buggy software from Microsoft and other vendors
as more of a joke than a potential disaster. And proposed changes to the
Uniform Commercial Code will largely absolve vendors from legal liability
for software flaws. Progress of the wrong sort.

The other cause is that the threat environment itself is changing as time
goes by. Engineers build systems to operate in a particular environment,
based on their limited foreknowledge of how the system might be used. Users
tend to find incredibly "creative" ways of using systems, especially
flexible ones like the Internet protocol suite. The mere fact that the
Internet is being used for commercial transactions opens it up to a level
of attack that many designers and developers didn't seriously consider 15
years ago. Then you have the fact that integrators and end users will use
the mechanisms themselves in astonishing ways, like running NFS across a
public Internet link, or using e-mail to host a tunneling protocol.

One of those pithy quotes I need to track down some day was some fictional
football player's announcement after a game: "What could have happened, DID."

Rick.
smith () securecomputing com
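The SYN/ACK and sequence-number "dance" Rick describes above, as an added example that is not part of the original post or any poster's code: a toy model of the three-way handshake in which the server only establishes a connection when the client's ACK carries the server's initial sequence number (ISN) plus one. An honest client sees the SYN/ACK and completes the handshake; a blind spoofer who forged the source address never receives it and must guess the ISN, which is where the size of the sequence-number space (the "Twenty Questions" number) matters. The `Server`, `FixedIsn`, `honest_handshake`, `spoofed_handshake` and `blind_success_probability` names are hypothetical, and the model omits windows, retransmits and real sockets.

```python
"""Toy TCP three-way handshake: why the server's random ISN resists blind
source-address spoofing.  Added example, not code from the original post;
all names below are hypothetical and the model is deliberately simplified."""
import secrets


class Server:
    """Tracks half-open connections; establishes one only on a correct ACK."""

    def __init__(self, isn_bits=32, rng=None):
        self.isn_bits = isn_bits
        self.mod = 1 << isn_bits
        self.rng = rng or secrets.SystemRandom()   # needs a getrandbits() method
        self.half_open = {}       # (src_ip, src_port) -> (client_isn, server_isn)
        self.established = set()

    def on_syn(self, src, client_isn):
        server_isn = self.rng.getrandbits(self.isn_bits)
        self.half_open[src] = (client_isn, server_isn)
        # The SYN/ACK is routed to src.  A host that forged src never sees it.
        return {"flags": "SYN/ACK", "seq": server_isn,
                "ack": (client_isn + 1) % self.mod}

    def on_ack(self, src, ack):
        entry = self.half_open.get(src)
        if entry is None:
            return False              # no SYN seen from this address/port
        _, server_isn = entry
        if ack != (server_isn + 1) % self.mod:
            return False              # wrong guess; connection stays half-open
        del self.half_open[src]
        self.established.add(src)
        return True


class FixedIsn:
    """Predictable-ISN stand-in for the RNG, only to make the demo reproducible.
    A real stack that behaved like this is exactly what a blind spoofer wants."""

    def __init__(self, value):
        self.value = value

    def getrandbits(self, n):
        return self.value % (1 << n)


def honest_handshake(server, src):
    """A real client receives the SYN/ACK, so it echoes seq+1 and gets through."""
    syn_ack = server.on_syn(src, client_isn=1000)
    return server.on_ack(src, ack=(syn_ack["seq"] + 1) % server.mod)


def spoofed_handshake(server, forged_src, max_guesses):
    """A blind spoofer sends a SYN from a forged address, never sees the SYN/ACK,
    and must guess the server ISN.  Returns the number of ACKs needed, or None
    if the handshake was not completed within the guess budget."""
    server.on_syn(forged_src, client_isn=1000)   # SYN/ACK goes to the victim address
    for guess in range(max_guesses):
        if server.on_ack(forged_src, ack=(guess + 1) % server.mod):
            return guess + 1
    return None


def blind_success_probability(isn_bits, guesses):
    """Chance a blind attacker with `guesses` ACKs completes one handshake,
    assuming a uniformly random ISN: min(1, guesses / 2**isn_bits)."""
    return min(1.0, guesses / float(1 << isn_bits))


if __name__ == "__main__":
    srv = Server()                                   # real random 32-bit ISN
    print("honest client:", honest_handshake(srv, ("10.0.0.5", 40000)))
    print("blind spoofer, 32-bit ISN, 10000 guesses:",
          spoofed_handshake(srv, ("10.0.0.9", 40001), 10_000))
    for bits in (8, 16, 24, 32):
        p = blind_success_probability(bits, 1000)
        print(f"{bits:2d}-bit ISN, 1000 guesses: p = {p:.2e}")
```

Run as a script to see the honest client succeed and the spoofer fail against a 32-bit space; the probability table shows how quickly a small sequence-number space collapses to near-certain success for a few thousand blind ACKs, which is the practical content of the question the designer was asking NSA.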
