North American Network Operators Group


Re: syn attack and source routing

  • From: Vadim Antonov
  • Date: Wed Sep 18 18:13:54 1996

John Hawkinson <[email protected]> wrote:

>I doubt it. As I said, anyone who's affected can cure themselves.

Some people do not wait to be affected.

> Lately I feel like I'm the single person on the planet who actually
> uses LSRR for stuff. I do use loose source telnet on the average
> of once a week...

Really?  What for?  How is it more useful than recursive telnetting?

> Why not implement something saner like traceroute servers?

>You go implement your traceroute servers everywhere I need them
>and THEN come back and ask me to shut it off and I'll consider it.

I can implement a traceroute server in my software, not a big deal.
I can't force others to do so.  We need a "rough whatever" to
actually get rid of the kludge.

>I'm not convinced it makes more sense. As I said to smd in response to
>his similar comments, the beauty of the current traceroute is that
>it's hard for idiots to turn it off. Very few other solutions have
>this wonderful property.

The beauty of MS-DOS was that no stupid os was meddling with its stupid
memory protection with really smart programs which wanted to play with
hardware as they wish (and yes, it was hard for idiots to forget a
login password, as there was none).

The result is well known.  The most popular O.S. on the planet does not
have any security to speak of; and half of the circuitry in the most
popular hardware platform is devoted to backwards compatibility to
ensure that those programs will still work (not that it succeeds
at that particularly well).

And, yeah, hundreds of thousands of people are happily employed making
those smart programs work together.  Or did you forget the last
time you patched CONFIG.SYS?  Can we do without that rite of passage?

Sorry, the way traceroute works now is a horrible kludge.  It makes
the network less safe than it can be.  It is not reliable (what happens
if the UDP port is in use?)  Trivial packet filtering screws it
up.  It breaks down in case of load balancing over multiple paths.
It does not provide much useful information (for example, the ICMP
TRACEROUTE could return precise timestamps, link utilization stats
and names of ingress and egress interfaces).  There's a lot of room
for improvement.

The way to fix that is not to disable it now, but rather to make people
agree that there's a problem, and that the problem needs to be
fixed.  There are several ways to fix it.

--vadim
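Two of the failure modes Vadim lists above (a UDP probe landing on a port that is in use, and per-flow load balancing over paths of different length) can be shown with a small simulation. The following is an added example, not code from the NANOG post or from any traceroute implementation: the topology, the parity-based "hash" standing in for a router's 5-tuple ECMP hash, and the set of listening ports are all constructed for the illustration. `vary_port=True` mimics classic traceroute, which bumps the UDP destination port on every probe; `vary_port=False` keeps the flow constant, which is the remedy later adopted by Paris traceroute.

```python
"""Toy simulation of UDP traceroute over a network with per-flow load
balancing. Constructed example; not the post's or any tool's code."""

# Constructed topology: node -> list of next hops. r1 has two equal-cost
# paths to r4 of different length (r2a->r3a->r4 versus r2b->r4).
TOPOLOGY = {
    "src": ["r1"],
    "r1":  ["r2a", "r2b"],
    "r2a": ["r3a"],
    "r3a": ["r4"],
    "r2b": ["r4"],
    "r4":  ["dst"],
    "dst": [],
}

# UDP ports the destination host happens to be listening on (constructed).
# A probe that lands on one of these is consumed by the listener, so no
# ICMP port-unreachable comes back and traceroute sees a timeout.
DST_LISTENING_PORTS = {33437}


def ecmp_next_hop(node, flow):
    """Pick a next hop for a flow. Real routers hash the whole 5-tuple;
    this toy uses port parity so the branch choice is easy to follow."""
    candidates = TOPOLOGY[node]
    if len(candidates) == 1:
        return candidates[0]
    src_port, dst_port = flow[3], flow[4]
    return candidates[(src_port + dst_port) % len(candidates)]


def send_probe(flow, ttl):
    """Forward one probe hop by hop. Returns the node that answers: the
    router where the TTL expired (ICMP time-exceeded), "dst" when the
    probe arrives on a closed port (ICMP port-unreachable), or None when
    the destination port is in use and nothing is sent back."""
    node = "src"
    for _ in range(ttl):
        node = ecmp_next_hop(node, flow)
        if node == "dst":
            return None if flow[4] in DST_LISTENING_PORTS else "dst"
    return node


def traceroute(src="src", dst="dst", src_port=40000, base_port=33434,
               vary_port=True, max_ttl=8):
    """One probe per TTL (real tools send several). vary_port=True bumps
    the UDP destination port per probe, as classic traceroute does, so
    each probe is a different flow in the eyes of an ECMP router."""
    path = []
    port = base_port
    for ttl in range(1, max_ttl + 1):
        flow = (src, dst, 17, src_port, port)  # 17 = UDP protocol number
        hop = send_probe(flow, ttl)
        path.append(hop if hop is not None else "*")
        if vary_port:
            port += 1
        if hop == dst:
            break
    return path


def path_is_consistent(path):
    """Check that every consecutive pair of reported hops is a real link
    in the topology; timed-out probes ("*") are skipped."""
    prev = "src"
    for hop in path:
        if hop == "*":
            continue
        if hop not in TOPOLOGY[prev]:
            return False
        prev = hop
    return True


if __name__ == "__main__":
    classic = traceroute()
    print("classic (port varies):", classic, "consistent:",
          path_is_consistent(classic))
    fixed = traceroute(vary_port=False)
    print("fixed flow:           ", fixed, "consistent:",
          path_is_consistent(fixed))
    busy = traceroute(vary_port=False, base_port=33437)
    print("fixed flow, port in use:", busy)
```

With the port varying, the probes alternate between the two branches, so the reported path mixes hops from both (r2b followed by r3a, which are not adjacent) and one probe hits the listening port and shows as `*`. Keeping the flow constant yields a path that exists, and pinning the flow to a port that is in use shows the other failure: every probe past the destination times out and the trace never terminates on its own.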