|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: WANTED: ISPs with DDoS defense solutions
On Mon, Aug 04, 2003 at 05:28:07PM -0400, [email protected] wrote: > > > I'm all for raising the bar on attackers and having end networks implement > > proper source filtering, but even with that 1000 nt machines pinging 2 > > packet per second is still enough to destroy a T1 customer, and likely > > with 1500 byte packets a T3 customer as well. You can't stop this without > > addressing the host security problem... > > Do you believe backbone networks should do nothing? I'm not sure what you are saying here, backbones do do something, the problem is that it's easy to fill up a T1. *really* easy. Just grab a few smurf amps and you can do it in a few seconds if you can send spoofed traffic. Or compromise a machine in a colo and type ping -f <foo> The backbones can't do much about this as if someone is within their burstable bandwidth (or purchased), how are they to know that this traffic is not legitimate. There will always be "i've got bigger pipes than you" issues such as this. So, you need to have hosts (and routers) to be secured such that they can't be compromised. the *nix installations have been moving towards this over time. Note that RedHat no longer allows inbound connections by default in rh9 on anything, they use iptables to drop all this traffic. Much different than the 3.0.3 days where you got your INN server, mars-nwe, etc.. all installed so you had a whole plethora of things that could be compromised as compared to now. the *BSD unices have also been securing themselves slowly over time as well, bind and sendmail no longer run as root very long in their default configurations (other than to bind to the ports), and there are other limitations that are being added as well. I won't speak for Washington State based companies and their default security profiles and what (little) has been done to shift those during the same timeframe.. I'm just hoping that people do change the mentality as follows: You have to know how to turn the service on to open the ports. This tends to mean that you know what you're doing in the first place, or have done it on purpose and (might) have an idea of the security implications of enabling such a service. While this may not hold true, it does possibly shift some of the liability onto the end-user. You enabled it, you got rooted via it, you should know to keep updated. This also means that if you don't do anything, you by default are not listening on ports 135-139,445, etc.. to get compromised, winpopup spam, etc.. it would allow the enterprise people to also enable things as necessary when they do their default template installs as well.. and everyone becomes happy. - jared -- Jared Mauch | pgp key available via finger from [email protected] clue++; | http://puck.nether.net/~jared/ My statements are only mine.
|