Firewall Wizards mailing list archives
Re: DDOS Countermeasures RFC
From: "daN." <dan () nesmail com>
Date: Wed, 31 Jan 2001 11:52:21 -0800
At 06:19 PM 1/29/01 -0700, Ryan Russell wrote:
>> Stuff like this really worries me. What if someone roots your router and allows these packets through? What if your router is misconfigured (most sysadmins I know are WAY overworked, and when you are that busy you sometimes miss things)? What if there are equipment malfunctions? What if the sysadmin was dumb and didn't know how? What if they are outside the jurisdiction of the United States (despite what some people like to think, the US doesn't own the Internet), so if the only ISP in a foreign country won't abide by these policies, do you cut them off the net? It probably won't happen. And you could say, well, at least you know who's breaking the rules so you know who your target is... well, so? Who says they are targeting you? And even if they were, you couldn't do anything about it until they actually DID something, and at that point you would either detect it or you would miss it, which would be the same thing as if you never had the target in the first place.
>
> No, not really. There are technical countermeasures to solve the problem. People just won't implement them until they have to. To take a page from your book... legislate that it's illegal to allow spoofed packets off your net if you're an ISP, school, etc., and that it's illegal to peer with other ISPs who don't follow the same guidelines (keeps those countries in line that won't comply with US laws. The nerve.) Make the punishments really harsh, like any network admin who doesn't comply gets his/her house seized.
>
> Or, perhaps just get Cisco to add an interface statement "leaf-subnet" that is on by default, which prevents spoofing into that interface.
This would probably work a lot better than any other solution, but of course the problem with something like this from Cisco's point of view is going to be that they will get a million and one support calls asking "why won't my router route this right?" So of course it will never happen...

People will only put up with so much security before they will start either blatantly misusing it or going somewhere else.
daN.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
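The "leaf-subnet" interface statement proposed in the thread is, in effect, ingress source-address filtering: a packet entering a leaf interface is forwarded only if its source belongs to the subnet on that interface. The model below is an added example, not code from the list or from any router vendor; the interface names, subnets and packets are constructed for illustration.

```python
"""Added example: a minimal model of the "leaf-subnet" anti-spoofing check
discussed in the thread. Not code from the list or from any vendor; the
interface names, subnets and packets below are constructed for illustration.

Rule: a packet arriving on a leaf interface is only forwarded if its source
address lies inside the subnet configured on that interface. Anything else is
a spoofed (or misconfigured) source and is dropped and counted, so the drop
counter doubles as a detection signal for the admin."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed topology: two leaf (customer/LAN) interfaces with their subnets.
# The uplink (eth0) is not a leaf, so no source check applies there.
LEAF_SUBNETS = {
    "eth1": ip_network("192.0.2.0/24"),
    "eth2": ip_network("198.51.100.0/24"),
}

def allowed_on_leaf(ifname, src):
    """True if src is a legitimate source for a packet entering via ifname."""
    subnet = LEAF_SUBNETS.get(ifname)
    if subnet is None:          # not a leaf interface: no check
        return True
    return ip_address(src) in subnet

def filter_packets(packets):
    """Apply the check to (ingress_if, src, dst) tuples.
    Returns (forwarded_packets, drops_per_interface)."""
    forwarded, drops = [], Counter()
    for ifname, src, dst in packets:
        if allowed_on_leaf(ifname, src):
            forwarded.append((ifname, src, dst))
        else:
            drops[ifname] += 1
    return forwarded, drops

# Constructed traffic: legitimate packets on each leaf, spoofed sources on
# eth1 and eth2, and one packet from the uplink (never checked).
SAMPLE = [
    ("eth1", "192.0.2.10", "203.0.113.5"),
    ("eth1", "10.0.0.1", "203.0.113.5"),      # spoofed: RFC 1918 source
    ("eth1", "198.51.100.7", "203.0.113.5"),  # spoofed: other leaf's range
    ("eth2", "198.51.100.7", "203.0.113.5"),
    ("eth2", "203.0.113.9", "203.0.113.5"),   # spoofed: not on eth2's subnet
    ("eth0", "203.0.113.5", "192.0.2.10"),    # uplink, not a leaf
]

if __name__ == "__main__":
    fwd, drops = filter_packets(SAMPLE)
    print(len(fwd), "forwarded;", dict(drops))  # 3 forwarded; {'eth1': 2, 'eth2': 1}
```

A non-zero drop counter on a leaf interface is worth alerting on: it means a host behind it is emitting addresses it does not own, whether from compromise or misconfiguration.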