nanog mailing list archives

Re: WANTED: ISPs with DDoS defense solutions


From: Vadim Antonov <avg () kotovnik com>
Date: Sat, 2 Aug 2003 15:55:14 -0700 (PDT)


On Sat, 2 Aug 2003, Doug Hughes wrote:

Besides, firewalls only protect against outsiders, whereas most damaging
                                                           ^^^^^^^^^^^^^
attacks are from insiders.
^^^^^^^^^^^^^^^^^^^^^^^^^
Do you have current data to support this? I believe this may have been
true 5 years ago but is no longer true.

No, just my experience from working for the last 4 years in the security
field (banking, insurance, government & US Army :)

Is this a case of distinguishing damaging vs non-damaging?

Yes.  External attacks are mostly show-offs by kids.  Insiders intend to
do damage - that's the whole point of those attacks.

At my company,
all recent attacks that I'm aware of have been from outside. Even if
I allow for the fact that I'm not aware of all attacks 

Internal attacks are rarely ever discovered because attackers have the benefit
of knowledge of the actual systems and can plan the execution, not just
improvise (and trip detectors).  Besides, intrusion detectors are mostly
designed to detect footprints of the external attackers.

... the mere volume of ones that I'm aware of would stand as
counterpoint to the assertion that most damaging attacks are from
insiders. Certainly, insiders have the 'potential' to generate the
most damaging attacks with greatest ease, but I'm not sure that
establishes a causal relationship with occurrence.

You are right that it does not; I'm afraid nobody has real figures because
these kinds of attacks are rarely reported even if discovered.

BTW, taking an unauthorized copy of a company's sources when leaving the company
IS an attack...  how common is that?

Certainly the volume of attacks is strongly disproportional towards
the outsider. 

Yep. Automated scanning lets attackers pick easy targets; those
attacks are rarely targeted.

--vadim

