You ignore all the .edu sites with compromised servers and such, all the
corporate machines that are compromised, there are tons of .gov sites that
are also insecure, and the middle mgt. corporate laptops that float in and
out of the corporate boundaries weekly..
Thanks,
Ron DuFresne
On Thu, 7 Jun 2001, Cessna, Michael wrote:
> just my $0.02
> I think the burden of preventing DDOS attacks needs to be placed on the ISPs
> not on an operating system or OS manufacturer.
> Let's face it most of the PC's on the internet are Windows PC's running with
> little or no security and many of those that have security are so flimsy as
> to be non-existent. How many home pc's have you seen running File and Print
> Sharing fro Microsoft Networks! The main group of these users are Home Users
> who have little to no knowledge of what it is that their computer does. As
> far as they know they turn it on and go to a web address. These are the same
> people who think the WWW 'IS' the internet. Trying to control all of these
> machines is an almost impossible task.
> This is not a knock on Windows (I'll leave that argument alone thank you).
> If you gave these users a *NIX box we would be in the same boat, just a
> different ocean.
> Since we cannot reasonably control what is installed on every OS on the
> internet we should aim our concerns on the 'Traffic Aggregators' or ISPs.
> We must accept incoming traffic or else we can't do business on the
> internet, so we cannot constrain what we accept. Yes I know that we can
> block ip's and ports but if you are being hit by a DDOS which spoofs its
> source then you will block a connection from the legitimate source that has
> nothing to do with the DDOS thereby DDOSing yourself.....you get the idea.
> However constraining what packets can come out of our networks should be
> done by the ISP. If you have the 192.168.1.0/24 network then the router at
> your ISP should only pass packets of a 192.168.1.0/24 source.
> Dialup ISPs normally have a bank of DHCP IP addresses that are used for
> their customers why then do they allow packets of a totally different
> network originate from inside their network? I don't know the best way to
> have the ISP community accomplish this but it is common sense that if you
> cannot control ingress then control egress.
> In all other forms of commerce the seller is, within reason, responsible for
> misuses of the services they provide. Is it not reasonable to ask that an
> ISP ensures that the packets originating on its network are from a source
> ip on its network?
> Sorry for the rambling but I just don't see this as a technology issue per
> se, I feel that it is a policy issue more than anything. You should know
> what originates within your control and ensure that it does not disable or
> in any way degrade the services of others. And as much as I hate regulation
> if the ISP's aren't doing anything about it, maybe there needs to be one.
>
> Just my rambling thoughts,
>
> Michael Cessna
> Systems Administrator
> RealTime Media
> 308 Lancaster Ave.
> Wynnewood, PA 19096
> p.610-896-9400 x308
> f.610-896-9416
> [EMAIL PROTECTED]
> www.realtimemedia.com
>
>
> -----Original Message-----
> From: Zachary Uram [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, June 07, 2001 11:53 AM
> To: Paul D. Robertson
> Cc: Ari Weisz-Koves; [EMAIL PROTECTED]
> Subject: RE: This is a must read document. It will freak you out
>
>
> On Thu, 7 Jun 2001, Paul D. Robertson wrote:
> >
> > It really isn't that big of a deal, there are already enough trojaned
> > Win9x clients out there that even using real addresses doesn't make it
> > easy to stop them.
>
> Hi Paul,
>
> So are DDoS attacks the biggest security threat out there?
> It seems to be a big problem. Especially for e-commerce and data
> warehousing/management systems where uptime = $$.
> So no one has developed effective countermeasures against
> arbitrary DDoS attacks? I guess if there was a large enough
> concerted attack that some group could even overload an entire
> ISP or an Internet backbone? Do we need laws to give law
> enforcement/ISPs more power to solve this?
>
> SDG,
> Zach
>
> [EMAIL PROTECTED]
> "Blessed are those who have not seen and yet have faith." - John 20:29
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
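
The source-address check described in the quoted message (an ISP router passing only packets whose source lies in the network assigned to that customer), as an added Python example that is not part of the original thread. The port names, the dial-up pool prefix and the sample packets are constructed assumptions; only 192.168.1.0/24 comes from the post.

```python
import ipaddress
from collections import Counter

# Hypothetical edge-router table: customer-facing port -> prefixes assigned to it.
ASSIGNED = {
    "cust-a": [ipaddress.ip_network("192.168.1.0/24")],      # prefix from the post
    "dialup-pool": [ipaddress.ip_network("10.20.0.0/22")],   # constructed DHCP pool
}

def source_is_valid(port, src):
    """True if src lies in a prefix assigned to the port the packet arrived on."""
    addr = ipaddress.ip_address(src)
    # A port with no assignment has no valid sources, so it fails closed.
    return any(addr in net for net in ASSIGNED.get(port, []))

def filter_egress(packets):
    """Split (port, src, dst) tuples into (forwarded, dropped) lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if source_is_valid(pkt[0], pkt[1]) else dropped).append(pkt)
    return forwarded, dropped

def spoof_report(dropped):
    """Dropped packets per port: tells the ISP which customer link is spoofing."""
    return Counter(port for port, _src, _dst in dropped)

# Constructed sample traffic, all aimed at one victim (documentation address).
VICTIM = "203.0.113.80"
PACKETS = [
    ("cust-a", "192.168.1.17", VICTIM),       # legitimate source
    ("cust-a", "198.51.100.9", VICTIM),       # spoofed: outside cust-a's /24
    ("dialup-pool", "10.20.3.44", VICTIM),    # legitimate: inside the /22
    ("dialup-pool", "192.168.1.17", VICTIM),  # valid ISP address, wrong port
    ("dialup-pool", "10.20.4.1", VICTIM),     # one past the end of the /22
    ("unknown-port", "10.20.0.5", VICTIM),    # port with no assignment
]

if __name__ == "__main__":
    forwarded, dropped = filter_egress(PACKETS)
    print("forwarded:", len(forwarded), "dropped:", len(dropped))
    for port, count in spoof_report(dropped).items():
        print(f"  {port}: {count} packet(s) with an unassigned source")
```

The fourth packet is the case a single ISP-wide prefix list would miss: the source belongs to another customer of the same ISP, so only a per-port check catches it.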