On 7 Jun 2001, at 11:52, Zachary Uram wrote:
> On Thu, 7 Jun 2001, Paul D. Robertson wrote:
> >
> > It really isn't that big of a deal, there are already enough trojaned
> > Win9x clients out there that even using real addresses doesn't make it
> > easy to stop them.
>
> Hi Paul,
>
> So are DDoS attacks the biggest security threat out there?
> It seems to be a big problem. Especially for e-commerce and data
> warehousing/management systems where uptime = $$.
> So no one has developed effective countermeasures against
> arbitrary DDoS attacks? I guess if there was a large enough
> concerted attack that some group could even overload an entire
> ISP or an Internet backbone? Do we need laws to give law
> enforcement/ISPs more power to solve this?

I don't think so. ISPs own their networks, and through their AUPs
(Acceptable Use Policies) can dictate what user machines are and are
not allowed to send.

But to install firewalls (in the general sense of "policy
enforcement devices", whether these are actual boxes or just router
ACLs) at every customer access point would be hideously *expensive*.

And while a private/closed network (AOL is perhaps the closest
thing to a successful/surviving one of these serving individual
users) can impose policies like "we allow only the following
traffic", most ISPs are still stuck in the "we allow everything until
forced to block it" stance.

They have the "power" (authority) they need; in their current
model/stance, they can't afford to *use* it.

(Converse argument: Prodigy got into hot water because they chose
to filter content -- once they started blocking offensive content,
people (lawyers...) saw them as (at least potentially) liable for
anything they *didn't* block. This may also tend to dissuade ISPs
from "solving" this.)

David Gillett