|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical RE: WANTED: ISPs with DDoS defense solutions
Paul Vixie said: lots of late night pondering tonight. the anti-nat anti-firewall pure-end-to-end crowd has always argued in favour of "every host for itself" but in a world with a hundred million unmanaged but reprogrammable devices is that really practical? if *all* dsl and cablemodem plants firewalled inbound SYN packets and/or only permitted inbound UDP in direct response to prior valid outbound UDP, would rob really have seen a ~140Khost botnet this year? -- ----- YEAH but if I wanted to do it, the best way would be behind the firewall... They would have to put in PIX 535 with GIGE and segment the network into DMZs.. HMM.. I think that if the cable modem had a built in router with NAT this problem could be solved partially.. I did a test about 6 months ago. almost a honeypot, but not quite. put a standard windows ME system on a RW IP put a $60 cable router in front of a similiar system. the ME was compromised and made into a Bot in 3 hours. The $60 router protected one was not compromised in the 2 weeks it was used. Both had AV and were updated daily via automation. IF only cable operators would at least STRESS the security issues OR make the AUP's Stick.. Some of you may have seen my emails asking for help from Charter about security issues. It took me almost 4 months to get someones attention, and then only after I brought up several ARIN and other policies they violated. I hate to say it but I don't think we will see anything change here.. And if so not enough to matter.... maybe from 140K to 120K anyway I am ranting... J
|