Firewall Wizards mailing list archives
Re: Recent Attacks
From: Crispin Cowan <crispin () wirex com>
Date: Thu, 24 Feb 2000 22:55:39 +0000
"Paul D. Robertson" wrote:
On Thu, 24 Feb 2000, Crispin Cowan wrote:
Long-term there are plenty of ways to protect from DDoS attacks, and some of them will even work. It's the short- to mid-term that's the problem. However, I still think that trying to call network scanners akin to munitions when VCL isn't is lopsided. Then again, I think the idiot who put a programming language into a word processor should be shot.
What long term methods would those be? I have yet to hear a convincing proposal
I'll pick on these piece-wise, to see if we can reduce to a convincing solution.
Out-of-band control channels,
This doesn't defend against DDoS attacks that are data requests instead of control packets.
end-to-end QoS,
Also won't stop attackers from flooding your pipe with requests. In fact, it may make it worse, as the attackers could spoof data requests that result in QoS bandwidth allocations to spoofed clients, further choking the server's bandwidth. QoS will have to be carefully tied to authentication, or else it just makes DDoS much worse.
traffic flow-based routing/flood control protocols,
I don't think I understand this proposal.
authenticated gatewaying and/or redirection, authenticated routing,
All the authentication schemes have two problems:
* you need a global PKI that works for everyone, which is, er, problematic :-)
* it does not stop an attacker from flooding a machine with packets that fail authentication. Authenticated routing moves the problem up-stream, which only helps somewhat.
slow-start egress routing,
This needs to be globally deployed to be effective. It is more or less equivalent to saying "secure all Internet nodes", because the attacker could compromise an inside node, and use it to change the egress filtering policy.
upstream artificial clocking,
I don't understand this proposal.

So of the proposed solutions, I see some that won't work, some that will mitigate the solution but not solve it, and some that I don't understand (my bad). I have not yet seen a complete solution that I understand. The "I don't understand" ones are largely lack of familiarity; I haven't read the proposals that Paul is referring to.

Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution: http://immunix.org
JOBS! http://immunix.org/jobs.html