* Cessna, Michael sez:
: I think the burden of preventing DDOS attacks needs to be placed on the ISPs
: not on an operating system or OS manufacturer.
As a sentence alone, this is wrong, IMHO. DoS lives through three
entities: Originators, Transit, Destination. Building OSes that easily
serve as Senders (yes, that's true for most OSes), running a server on
the 'net without doing the needed homework, etc. is about as bad as
doing nothing against being the Transit for DoS. How long did it take
until ISPs and Corporations understood that being a Smurf-Reflector not
only hurts the recipient but also their routers?
: Let's face it most of the PC's on the internet are Windows PC's running with
: little or no security and many of those that have security are so flimsy as
: to be non-existent. How many home pc's have you seen running File and Print
: Sharing for Microsoft Networks! The main group of these users are Home Users
As an analogy, you'd let people drive cars without a license and have
the state/government/county/whatever build high walls and protective
suits for those who could get hurt?
Another analogy, I personally like, is the question if you'd let your
gun lie around at a bar? Sure, you're a hunter and need a gun to hunt
game, but that guy over there might as well grab it and kill the
waitress. I don't think there's a place on earth (except Texas, of
course) where the gun-owner would not get into big trouble also.
It's about as much hassle to buy a gun and ammo as it is to buy a
computer and hook it onto the net. DoS attacks can cost lives, one of
the latest ones I saw was targeted at an IRC server but actually took
out the Center for Organ Transplant Coordination.
: people who think the WWW 'IS' the internet. Trying to control all of
: these machines is an almost impossible task.
Incapacitation and deterrence is the key to successful law making.
Unless ISPs are willing to kick users who actively or through gross
negligence contribute to DoS attacks, unless local county sheriffs know
what a DoS attack is and unless we all are willing to accept Null-Routes
against ISPs and ASPs who actively or through gross negligence support
DoS, DoS will be a part of the 'net.
DoS happens for all the same reasons any other crime happens. No matter
if it's a power assurance thing, a power re-assurance thing, some kind
of vendetta (hey, those fxxxers K-Lined me and my friends on their IRC
server) or for the same reasons your friendly neighborhood Crib shoots
at you with his new .40 - DoS will happen.
: Since we cannot reasonably control what is installed on every OS on
: the internet we should aim our concerns on the 'Traffic Aggregators'
: or ISPs.
It is not "our" problem to control. It's one of these 'everyone'
thingies. I still believe that with the first computer you put on the
'net you take on responsibilities for the 'net.
There are choices out there. You can hire someone for less than $30k to
do a complete assessment of your systems and policies. That's about one
tenth of what the first successful DoS using your systems as
transponders or sources will cost you.
: We must accept incoming traffic or else we can't do business on the
: internet, so we cannot constrain what we accept. Yes I know that we can
: block ip's and ports but if you are being hit by a DDOS which spoofs its
: source then you will block a connection from the legitimate source that has
Rate limiting on the ISPs routers will protect you even from dDoS
reasonably well. And if the ISP is worth his money, he'll remain unfazed
by such an attack himself.
: In all other forms of commerce the seller is, within reason, responsible for
: misuses of the services they provide. Is it not reasonable to ask that an
: ISP ensures that the packets originating on its network are from a source
: ip on its network?
Definitely, but that won't help you against some kiddo '0wnZ1ng' 50
servers and generating perfectly legal traffic.
: se, I feel that it is a policy issue more than anything. You should know
100% agreed.
: what originates within your control and ensure that it does not disable or
: in any way degrade the services of others. And as much as I hate regulation
: if the ISP's aren't doing anything about maybe there needs to be one.
Again, 100% agreed. We shall just not forget that the ISP is not the
only one who has to react.