North American Network Operators Group


RE: WANTED: ISPs with DDoS defense solutions

  • From: McBurnett, Jim
  • Date: Thu Jul 31 17:59:03 2003

Paul Vixie said:

lots of late night pondering tonight.

the anti-nat anti-firewall pure-end-to-end crowd has always argued in
favour of "every host for itself" but in a world with a hundred million
unmanaged but reprogrammable devices is that really practical?

if *all* dsl and cablemodem plants firewalled inbound SYN packets and/or
only permitted inbound UDP in direct response to prior valid outbound UDP,
would rob really have seen a ~140Khost botnet this year?
----- YEAH but if I wanted to do it, the best way would be behind the firewall...
They would have to put in PIX 535 with GIGE and segment the network into DMZs..

HMM.. I think that if the cable modem had a built-in router with NAT
this problem could be solved partially..
I did a test about 6 months ago. Almost a honeypot, but not quite.
Put a standard Windows ME system on a RW IP.
Put a $60 cable router in front of a similar system.
The ME was compromised and made into a Bot in 3 hours.
The $60 router-protected one was not compromised in the
2 weeks it was used.

Both had AV and were updated daily via automation.

IF only cable operators would at least STRESS the security
issues OR make the AUPs stick..

Some of you may have seen my emails asking for help from 
Charter about security issues.
It took me almost 4 months to get someone's attention,
and then only after I brought up several ARIN and other 
policies they violated.

I hate to say it but I don't think we will see anything change here..
And if so not enough to matter....
maybe from 140K to 120K

anyway I am ranting...
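As an added illustration that is not part of the original post or of anything Vixie or McBurnett wrote: the edge policy floated in the quoted text (drop inbound TCP SYNs at the DSL/cable plant, and admit inbound UDP only as a reply to a prior outbound UDP flow) is small enough to state as code. The simulator below applies that policy to a constructed packet trace, including the case the "$60 cable router" handles for free, an unsolicited inbound SYN toward a Windows service port. The addresses (RFC 5737 documentation ranges), ports, the 30-second UDP state timeout and the trace itself are all assumptions made for the example.

```python
"""Simulator of the 'block inbound SYN, UDP reply-only' edge policy.

Added example, not code from the original NANOG post. Addresses, ports,
timeout and the packet trace are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

UDP_STATE_TIMEOUT = 30.0   # seconds; assumed value, real gear varies widely

SUBSCRIBER = "192.0.2.10"  # the customer host behind the plant (assumed)


@dataclass(frozen=True)
class Packet:
    t: float          # timestamp in seconds
    direction: str    # "in" = from the Internet toward the subscriber, "out" = the reverse
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP SYN flag
    ack: bool = False  # TCP ACK flag


class EdgeFilter:
    """Stateless inbound-SYN drop plus a UDP state table keyed on the 4-tuple.

    Only UDP is tracked; TCP is handled exactly as the quoted text suggests
    (SYN-only filtering), so an inbound SYN+ACK, the reply to an outbound
    connection attempt, still passes.
    """

    def __init__(self, timeout: float = UDP_STATE_TIMEOUT) -> None:
        self.timeout = timeout
        # (subscriber_ip, subscriber_port, remote_ip, remote_port) -> last seen time
        self.udp_state: Dict[Tuple[str, int, str, int], float] = {}

    def _expire(self, now: float) -> None:
        self.udp_state = {k: v for k, v in self.udp_state.items()
                          if now - v <= self.timeout}

    def decide(self, p: Packet) -> str:
        self._expire(p.t)
        if p.direction == "out":
            if p.proto == "udp":
                # outbound UDP opens (or refreshes) a hole for the reply
                self.udp_state[(p.src, p.sport, p.dst, p.dport)] = p.t
            return "accept"            # nothing leaving the subscriber is filtered here
        if p.proto == "tcp":
            if p.syn and not p.ack:
                return "drop"          # new inbound connection attempts never reach the host
            return "accept"            # everything else assumed to belong to an existing session
        if p.proto == "udp":
            key = (p.dst, p.dport, p.src, p.sport)
            if key in self.udp_state:
                self.udp_state[key] = p.t   # a matching reply refreshes the entry
                return "accept"
            return "drop"              # unsolicited inbound UDP
        return "drop"                  # anything unknown is dropped


def constructed_trace() -> List[Packet]:
    """A made-up trace mixing solicited and unsolicited inbound traffic."""
    dns, web, scanner = "203.0.113.53", "203.0.113.80", "198.51.100.7"
    return [
        Packet(0.0, "in",  "tcp", scanner, 4444, SUBSCRIBER, 135, syn=True),   # worm-style probe
        Packet(1.0, "out", "udp", SUBSCRIBER, 5353, dns, 53),                 # DNS query
        Packet(1.2, "in",  "udp", dns, 53, SUBSCRIBER, 5353),                 # its reply
        Packet(2.0, "in",  "udp", dns, 53, SUBSCRIBER, 1434),                 # unsolicited, wrong port
        Packet(3.0, "out", "tcp", SUBSCRIBER, 1025, web, 80, syn=True),       # outbound connect
        Packet(3.1, "in",  "tcp", web, 80, SUBSCRIBER, 1025, syn=True, ack=True),  # SYN+ACK back
        Packet(40.0, "in", "udp", dns, 53, SUBSCRIBER, 5353),                 # late reply, state expired
    ]


def run_trace(packets: List[Packet], timeout: float = UDP_STATE_TIMEOUT) -> List[str]:
    """Return the filter's decision for each packet, in order."""
    f = EdgeFilter(timeout)
    return [f.decide(p) for p in packets]


if __name__ == "__main__":
    for p, d in zip(constructed_trace(), run_trace(constructed_trace())):
        print(f"t={p.t:5.1f} {p.direction:3} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} {d}")
```

The last packet in the trace is the caveat a practitioner cares about: with a timeout-based UDP table, long-idle flows (some VoIP and game protocols, for instance) are cut off unless the subscriber keeps sending, which is exactly the kind of breakage the "every host for itself" camp points to when objecting to plant-wide filtering.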