Re: Arbor Networks DoS defense product

[Dan Hollis <goemon () anime net>]

On 15 May 2002, Johannes B. Ullrich wrote:
> > What about scans done
> > from different networks other than that which the supposed attacker is
> > originating from.  
> Well, then these networks are marked as "attackers", which is ok. The
> can clean up their systems and enjoy full access again.

Yes. Part of such blackholing would be hoped to have a "behaviour 
modification" effect the same way that RBL does.

Many NOCs/admins are too apathetic/lazy/incompetent/toothless to do 
anything about shutting down compromised boxes/script kiddies. Blackholing 
them from the net would provide motivation. And some protection against 
those attackers.

When management can no longer download their pr0n you can damn well bet 
they will "want it fixed NOW" and will give whatever authorization 
required to do it.

Well, you get the point. :P

It's not intended to be perfect.

It's intended to make life more difficult for attackers, and to reduce 
impact of attacks at least a little bit. And motivate lazy networks to fix 
their broken shit.

-Dan
-- 
[-] Omae no subete no kichi wa ore no mono da. [-]