North American Network Operators Group


Re: WANTED: ISPs with DDoS defense solutions

  • From: Paul Vixie
  • Date: Tue Aug 05 21:00:46 2003

> More and more there is less and less spoofing, it's just not required and
> it causes more damage with less effort :( Why spoof when you have 1000
> machines pumping 1 packet per second? (or 10)

leaving the spoofing option open for future generations of attacks,
rather than having a witch-hunt and tracking down and upgrading every
insecure edge, is just about the worst thing we could do.  because
when an attacker wants an extra edge, they'll add spoofing to their
attack profile, and the core's immune system will be totally unprepared.

knowing this, and knowing that spoofing isn't actually necessary right
now, the current generation of attackers would be well advised to stop
spoofing for a while so that nobody makes any serious attempt to plug
the hole.  (and, it sounds like that strategy might already be working.)

could someone here who can write win32 apps, and someone else who can
write cocoa apps, please volunteer short executables that will try to
spoof a few packets through some well known server, and then report as
to whether the current computer/firewall/cablemodem/isp/core permitted
this or not?  isc would be happy to host the server component of this,
as long as source code for the executables is available under a bsd
style copyright, and the executables are released without any fee.

this is so the community can gather compelling evidence for the witch-hunt.
(i expect we'd have to come up with a "web button" campaign to brand isp's
who dtrt.  sort of like the old squid-era "cache now!" thing.)
-- 
Paul Vixie
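The server component of the spoof-test proposed above has to decide, per attempted source address, whether the path let a forged source through, dropped it, or rewrote it. The following is an added illustration of that decision logic, not code from the post or from ISC; it assumes a probe payload of the form `session_id|claimed_src` and that the client reports its attempted addresses over an unspoofed control connection (both assumptions; the addresses are constructed documentation ranges).

```python
from dataclasses import dataclass, field
import ipaddress

@dataclass
class Probe:
    claimed_src: str   # source the client says it wrote into the IP header
    observed_src: str  # source the server actually saw on the wire

@dataclass
class Session:
    true_src: str                       # peer address of the unspoofed control connection
    probes: list = field(default_factory=list)

def start_session(sessions: dict, session_id: str, control_peer: str) -> Session:
    """Open a session keyed by id; the control peer's address is the client's real source."""
    sessions[session_id] = Session(true_src=str(ipaddress.ip_address(control_peer)))
    return sessions[session_id]

def record_probe(sessions: dict, session_id: str, payload: bytes, observed_src: str) -> bool:
    """File one UDP probe ('session_id|claimed_src') under its session.
    Malformed probes and probes for unknown sessions are ignored."""
    try:
        sid, claimed = payload.decode("ascii").split("|", 1)
        ipaddress.ip_address(claimed)
    except (UnicodeDecodeError, ValueError):
        return False
    if sid != session_id or sid not in sessions:
        return False
    sessions[sid].probes.append(Probe(claimed, observed_src))
    return True

def classify(sessions: dict, session_id: str, attempted: list) -> dict:
    """For each source address the client attempted, say what the path did with it."""
    s = sessions[session_id]
    # The client also sends one probe with its real source as a control; if even that
    # never arrives, UDP itself is blocked and nothing can be concluded about spoofing.
    if not any(p.claimed_src == s.true_src == p.observed_src for p in s.probes):
        return {a: "inconclusive" for a in attempted}
    result = {}
    for addr in attempted:
        seen = [p for p in s.probes if p.claimed_src == addr]
        if addr == s.true_src:
            result[addr] = "control"
        elif not seen:
            result[addr] = "filtered"     # dropped: ingress/egress filtering is in place
        elif any(p.observed_src == addr for p in seen):
            result[addr] = "spoofable"    # arrived with the forged source intact
        else:
            result[addr] = "rewritten"    # arrived, but a NAT replaced the source
    return result
```

A client that gets "spoofable" back for any address is behind an edge that does not filter, which is exactly the evidence the post wants collected.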