North American Network Operators Group

Re: Packet anonymity is the problem?
On Apr 10, 2004, at 10:48 PM, Sean Donelan wrote:

> If you connect a dialup modem to the public switched telephone network, do

Is IP really more insecure than, say, *nix?

Back in the days of open mail relays and telnet and guest accounts and anonymous FTP sites, etc., hosts were at least as insecure as the "network" is today. Filtering source addresses is analogous to turning off telnet or applying TCP wrappers on a host. No one seems to think that securing your host is a bad idea, but securing your network seems to be way too much trouble.

Of course, the analogy only goes so far. Filtering source addresses costs you time & effort, and maybe even hardware if you are running old boxes. Not filtering doesn't really do much until someone launches an attack from your network and you might not even notice that. Leaving telnet running on your host hurts you directly, so that is not even considered.

Point is IP is not "inherently insecure". IP is just a transport mechanism. How you configure it, and what you do with it, is up to you.

[...]

I've always liked that Bellovin guy. :)

Another note: Today's attacks tend to not spoof source addresses. What's a few 10s of 1000s of zombies here or there? Let them be caught, not worth the time to put in source spoofing code. Easier to just make them spew massive bits as fast as they can.

Shouldn't we concentrate on the problem (hosts), not the transport?

--
TTFN,
patrick