nanog mailing list archives

Re: New Denial of Service Attack on Panix


From: Paul Ferguson <pferguso () cisco com>
Date: Thu, 03 Oct 1996 06:32:51 -0400

At 11:52 PM 10/2/96 -0400, Dima Volodin wrote:


I.e. a single compromised host in the "permitted prefix filter range"
can cause as much trouble as the current attacks. Granted, it's a bit
easier to track down a host like this, but eliminating the majority of
compromisable hosts is even more difficult than global implementation of
the cited document. The bitter irony is that non-implementation of this
draft will most probably correlate with presence of compromisable hosts.



Well, that's true, but it's a different facet of the same problem.
The draft only attempts to solve what it is that we can solve by
ingress filtering. Solutions using firewalls or proxy devices which
defeat this type of attack are a Good Thing, but if everyone does
ingress filtering, a large percentage of this problem disappears.

- paul

Thus host-(and firewall-)based solutions are at least as important as
the ingress filtering.

As of the evidence of these attacks - they were evident long before the
current talking.

Dima
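
A small model of the ingress-filtering check discussed in this message, added here as an illustration; it is not taken from the cited draft or from either poster. The interface name, the prefix table and the packets are constructed, using documentation address ranges.

```python
import ipaddress
from collections import Counter

# Constructed table: prefixes assigned behind each customer-facing interface.
PERMITTED = {"cust-a": [ipaddress.ip_network("192.0.2.0/24")]}

def ingress_permit(iface, claimed_src):
    """Forward only if the claimed source lies in a prefix assigned to iface."""
    addr = ipaddress.ip_address(claimed_src)
    return any(addr in net for net in PERMITTED.get(iface, []))

def classify(packets):
    """Compare filter verdicts with ground truth the filter itself cannot see.

    Each packet is (iface, real_sender, claimed_src).
    """
    tally = Counter()
    for iface, real, claimed in packets:
        forged = real != claimed
        if ingress_permit(iface, claimed):
            tally["forwarded, forged inside prefix" if forged else "forwarded, genuine"] += 1
        else:
            tally["dropped, forged" if forged else "dropped, genuine"] += 1
    return tally

# Constructed packets, all sent by one host at 192.0.2.10 behind cust-a.
SAMPLE = [
    ("cust-a", "192.0.2.10", "192.0.2.10"),    # honest source
    ("cust-a", "192.0.2.10", "198.51.100.7"),  # forged, outside the prefix
    ("cust-a", "192.0.2.10", "203.0.113.99"),  # forged, outside the prefix
    ("cust-a", "192.0.2.10", "192.0.2.77"),    # forged, inside the prefix
]

if __name__ == "__main__":
    for verdict, count in sorted(classify(SAMPLE).items()):
        print(f"{count}  {verdict}")
```

The packet forged inside the permitted prefix is the case the filter cannot distinguish from honest traffic, although its origin is still narrowed to that prefix.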
