Firewall Wizards mailing list archives

Re: DDOS Countermeasures RFC


From: "daN." <dan () nesmail com>
Date: Wed, 31 Jan 2001 11:52:21 -0800

At 06:19 PM 1/29/01 -0700, Ryan Russell wrote:

No, not really.  There are technical countermeasures to solve the
problem.  People just won't implement them until they have to.  To take a
page from your book... legislate that it's illegal to allow spoofed
packets off your net if you're an ISP, school, etc.. and that's illegal to
peer with other ISPs who don't follow the same guidelines (keeps those
countries in line that won't comply with US laws.  The nerve.)  Make the
punishments really harsh, like any network admin who doesn't comply gets
his/her house seized.
Stuff like this really worries me. What if someone roots your router and allows these packets through? What if your router is misconfigured? (Most sysadmins I know are WAY overworked, and when you are that busy you sometimes miss things.) What if there are equipment malfunctions? What if the sysadmin was dumb and didn't know how? What if they are outside the jurisdiction of the United States (despite what some people like to think, the US doesn't own the Internet)? So if the only ISP in a foreign country won't abide by these policies, do you cut them off the net? It probably won't happen. And you could say, well, at least you know who's breaking the rules, so you know who your target is... well, so? Who says they are targeting you? And even if they were, you couldn't do anything about it until they actually DID something, and at that point you would either detect it or you would miss it, which would be the same thing as if you never had the target in the first place.

Or, perhaps just get Cisco to add an interface statement "leaf-subnet"
that is on by default, which prevents spoofing into that interface.

This would probably work a lot better than any other solution, but of course the problem with something like this from Cisco's point of view is going to be that they will get a million and one support calls asking "why won't my router route this right?" So of course it will never happen...

People will only put up with so much security before they will start either blatantly misusing it or going somewhere else.

daN.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
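The "leaf-subnet" interface option discussed above is, in effect, what Cisco later shipped as unicast Reverse Path Forwarding (uRPF): a packet is accepted on an interface only if the router's own forwarding table would route a reply to its source address back out that same interface. The following Python is an added example, not code from the post or from Cisco; the routing table, interface names, customer addresses and the "asymmetric" second link are constructed sample data. It implements strict uRPF, loose uRPF and the BCP 38 style egress check for a small edge router, and shows the failure mode behind the "why won't my router route this right?" support call: a legitimate customer whose traffic arrives on a link the routing table does not point at is dropped by the strict check.

```python
import ipaddress

# Constructed routing table for a small edge router (sample data, not from the post).
# Maps each prefix to the interface the router would use to reach that prefix.
SAMPLE_ROUTES = {
    "0.0.0.0/0": "up0",            # default route toward the upstream peer
    "192.0.2.0/24": "cust1",       # customer A, single-homed leaf subnet
    "198.51.100.0/24": "cust2",    # customer B; also has a second link "cust2b"
                                   # that the table knows nothing about (asymmetric)
}

# Prefixes this network is allowed to originate; used for the egress (BCP 38) check.
OUR_PREFIXES = ["192.0.2.0/24", "198.51.100.0/24"]


def build_rib(routes):
    """Turn the prefix -> interface mapping into a list of (network, iface) tuples."""
    return [(ipaddress.ip_network(p, strict=True), iface) for p, iface in routes.items()]


def lookup(rib, addr):
    """Longest-prefix match for addr. Returns (network, iface) or None when nothing matches."""
    best = None
    for net, iface in rib:
        # 'in' is False across address families, so v6 sources never match v4 routes.
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def strict_urpf(rib, ingress, src):
    """Strict uRPF (IOS: 'ip verify unicast source reachable-via rx').

    Accept only if the best route back to src leaves via the interface the
    packet arrived on. This is the 'leaf-subnet' idea: on a customer port,
    only that customer's own prefixes are acceptable sources.
    """
    hit = lookup(rib, ipaddress.ip_address(src))
    return hit is not None and hit[1] == ingress


def loose_urpf(rib, src):
    """Loose uRPF (IOS: 'ip verify unicast source reachable-via any').

    Accept if any route other than the default covers src. Tolerates asymmetric
    routing but only blocks sources with no route at all, so it is far weaker.
    """
    hit = lookup(rib, ipaddress.ip_address(src))
    return hit is not None and hit[0].prefixlen > 0


def egress_ok(src):
    """BCP 38 egress filter: only packets sourced from our own prefixes may leave
    toward the upstream. This is the check the 'don't let spoofed packets off
    your net' rule asks every ISP, school, etc. to apply."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in OUR_PREFIXES)


def evaluate(rib, packets):
    """Run every filter over (ingress_iface, src) pairs; returns a list of result dicts."""
    results = []
    for ingress, src in packets:
        results.append({
            "ingress": ingress,
            "src": src,
            "strict": strict_urpf(rib, ingress, src),
            "loose": loose_urpf(rib, src),
            "egress": egress_ok(src),
        })
    return results


if __name__ == "__main__":
    rib = build_rib(SAMPLE_ROUTES)
    # Constructed packets: legitimate customer A, customer A spoofing an outside
    # address, customer B arriving over its second (unrouted) link, and a v6 source.
    sample = [
        ("cust1", "192.0.2.10"),
        ("cust1", "203.0.113.5"),
        ("cust2b", "198.51.100.9"),
        ("cust1", "2001:db8::1"),
    ]
    for r in evaluate(rib, sample):
        print(f"{r['ingress']:6} {r['src']:16} strict={r['strict']!s:5} "
              f"loose={r['loose']!s:5} egress={r['egress']}")
```

The third sample packet is the interesting one: customer B's traffic is legitimate, but because the routing table only knows the "cust2" link, strict uRPF on "cust2b" drops it while loose uRPF accepts it. That is exactly the misconfiguration or asymmetry case raised above, and the reason a vendor would hesitate to turn the strict check on by default.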

