North American Network Operators Group

Re: Counter DoS
On Thu, Mar 11, 2004 at 03:21:29AM -0500, Brian Bruns said something to the effect of:
>
> On Thursday, March 11, 2004 3:05 AM [EST], Brian Bruns <[email protected]>
> wrote:

..snip snip..

> > How the hell could a company put something like this out, and expect not to
> > get themselves sued to the moon and back when it fires a shot at an innocent
> > party?

Caution: 'innocent' is not the buzzword here. Subscribers: check your
respective AUPs. You will likely find explicit prohibition of any malicious
and generally unsolicited traffic generated by a node in your control, and I
don't think that self-defense has an extenuation clause or special case
appendix therein. You attack an attacker, he, too, can pursue you legally.
There are no provisions made for DoS-ing a DoS-er. Vigilante nonsense is
discouraged.

> ..snip snip..
>
> What's going to happen when they find a nice little exploit in these buggers
> (even if they have anti-spoof stuff in them) that allows the kids to take
> control of them or trick them into attacking innocents? Instead of thousands
> of DDoS drones on DSL and cable modems, you'll see kids with hundreds of these
> 'nuclear strike firewalls' on T1s, T3s, and higher, using them like they use
> the current trojans?

This won't even require an exploit to effect. These boxes can likely be used
to do the bidding of miscreants with some simply-crafted packets and source
spoofing. This thing could become something akin to a smurf amp with a
big-time attitude problem. Anti-spoof rules will afford a modicum of
reverse-path protection, but not enough to swat away the majority of inbound
crafted traffic. This stupid PoS appliance would have to be installed and
widely-deployed provider-side to discern on such a level. This would become
the stuff of yet-another-botnet.

> No product is 100% secure (especially not something that runs under Windows,
> but that's another issue), so how are they going to deliver updates?

This is the least of their concerns; update management is already done
effectively and easily by most IDS, anti-virii, and other signature-based
appliance manufacturers. Snakeoil salesmen offer at the most basic a valid
means of distributing updates, even.

> Or make sure that the thing is configured right?

Now _that_ is a real problem. Given that no one has beaten the creators with
the illustrious clue stick and anyone who'd truly subscribe to this thing is
likely mis-wired him/herself, I would guess that poor configuration is an
engineering cornerstone on which this entire debacle desperately depends.

Flog the scoundrels.

ymmv,

--ra

--
k. rachael treu, CISSP
[email protected]
..quis custodiet ipsos custodes?..

> I could see blacklists (BGP based) cropping up of these systems, so that you
> can filter these networks from ever being able to come near your network.
>
> This is starting to sound more and more like a nuclear arms race - on one side
> we have company a, on the other company b. Company A fears that B will attack
> it, so they get this super dooper nuclear strike system. Company B follows
> suit and sets one up as well. Both then increase their bandwidth, outdoing
> the other until finally, script kiddie comes along, and spoofs a packet from A
> to B, and B attacks A, and A responds with its own attack. ISPs hosting the
> companies fall flat on their face from the attack, the backbone between the
> two ISPs gets lagged to death, and stuff starts grinding to a halt for others
> caught in the crossfire.
>
> So, and who thinks that this is a good idea? :)
>
> --
> Brian Bruns
> The Summit Open Source Development Group
> Open Solutions For A Closed World / Anti-Spam Resources
> http://www.sosdg.org
>
> The Abusive Hosts Blocking List
> http://www.ahbl.org
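The two technical claims in this exchange, that a spoofed trigger packet turns a strike-back box into a reflector against whoever the attacker names, and that the box's own anti-spoof (reverse-path) check cannot catch this because only the attacker's provider is in a position to do so, are easy to check in a small model. The following is an added example, not code from the thread or from any product it discusses; the addresses are constructed from the RFC 5737 documentation ranges, the FIBs, interface names ("dsl-pool", "core", "upstream", "lan") and the StrikeBack class are hypothetical, and the appliance's reaction is deliberately simplified to "fire at the claimed source of anything hostile".

```python
import ipaddress

# Constructed addresses from the RFC 5737 documentation ranges; no real hosts.
COMPANY_A = "192.0.2.0/24"      # company A, runs a strike-back box
COMPANY_B = "198.51.100.0/24"   # company B, runs a strike-back box
DSL_POOL = "203.0.113.0/24"     # the DSL pool the script kiddie sits in

# Hypothetical FIB of the provider edge router the kiddie's DSL line terminates on:
# prefix -> interface that traffic *toward* that prefix leaves through.
PROVIDER_FIB = {
    DSL_POOL: "dsl-pool",
    COMPANY_A: "core",
    COMPANY_B: "core",
    "0.0.0.0/0": "core",
}


def company_fib(local_prefix):
    """A company border router: the local prefix on the LAN, everything else upstream."""
    return {local_prefix: "lan", "0.0.0.0/0": "upstream"}


class Packet:
    def __init__(self, src, dst, ingress):
        self.src = src          # claimed source address (attacker-controlled)
        self.dst = dst
        self.ingress = ingress  # interface the packet physically arrived on


def strict_urpf(fib, src, ingress):
    """Strict unicast RPF: accept src only if the longest-match route back to it
    would leave through the very interface the packet arrived on."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best is not None and best[1] == ingress


class StrikeBack:
    """Hypothetical model of the appliance under discussion: a packet judged
    hostile is answered with an attack on whatever address it claims to be from."""

    def __init__(self, name, prefix, cannon_ip):
        self.name = name
        self.prefix = ipaddress.ip_network(prefix)
        self.cannon_ip = cannon_ip
        self.fib = company_fib(prefix)

    def owns(self, ip):
        return ipaddress.ip_address(ip) in self.prefix

    def react(self, pkt):
        """Return the retaliation packet, or None if the box's anti-spoof rule drops it.
        A border with one uplink sees every non-local packet on 'upstream', and the
        route back to any outside address also points at 'upstream', so the spoofed
        source is perfectly consistent with the FIB and the check passes."""
        if not strict_urpf(self.fib, pkt.src, "upstream"):
            return None
        return Packet(src=self.cannon_ip, dst=pkt.src, ingress="upstream")


def simulate(trigger, provider_filters, rounds=3):
    """Play one trigger packet through the network and record who shoots whom."""
    boxes = [StrikeBack("A", COMPANY_A, "192.0.2.1"),
             StrikeBack("B", COMPANY_B, "198.51.100.1")]
    events = []
    # Only the router on the attacker's own access port knows which sources belong there.
    if provider_filters and not strict_urpf(PROVIDER_FIB, trigger.src, trigger.ingress):
        events.append("dropped at provider edge: src %s not expected on %s"
                      % (trigger.src, trigger.ingress))
        return events
    pkt = trigger
    for _ in range(rounds):
        target = next((b for b in boxes if b.owns(pkt.dst)), None)
        if target is None:
            events.append("%s: no strike-back box there" % pkt.dst)
            break
        shot = target.react(pkt)
        if shot is None:
            events.append("%s: dropped by local anti-spoof rule" % target.name)
            break
        events.append("%s fires at %s" % (target.name, shot.dst))
        pkt = shot  # the retaliation is genuinely sourced, so no RPF check ever stops it
    return events


# Constructed trigger: the kiddie, on the DSL pool, claims to be a host at company A
# and pokes company B.
SPOOF = Packet(src="192.0.2.10", dst="198.51.100.5", ingress="dsl-pool")

if __name__ == "__main__":
    for line in simulate(SPOOF, provider_filters=False):
        print(line)
    print(simulate(SPOOF, provider_filters=True)[0])
```

With provider-side filtering off, one spoofed packet produces the ping-pong described at the end of the thread (B fires at A, A fires back at B, and so on for as many rounds as you care to run), and every one of those retaliation packets carries a real source address, so reverse-path checks on the company borders never interrupt it. With strict uRPF on the attacker's access port, the trigger never leaves the DSL provider. The only place the spoof is detectable is the one hop the appliance vendor does not control.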