On 10/3/2016 13:58, Stephen Satchell wrote:
In thinking over the last DDoS involving IoT devices, I think we don't
have a good technical solution to the problem. Cutting off people with
defective devices they don't understand, and have little control
over, is an action that makes sense, but hurts the innocent. "Hey,
Grandma, did you know your TV set is hurting the Internet?"
It's the people who foist bad stuff on the people who need to take the
responsibility. Indeed, with enough moxie, we could avoid the net
saturation problem in the first place.
My proposal, as I sent it to my US House Representative:
[much snipping]
Why not nip the IoT problem in the bud?
Why not, indeed? (Full disclosure: I am not and have not for some
years been active in management of any networks, and I AM woefully
behind the state of the art.)
Having said that, it occurs to me that Mr. Satchell's proposal (and most
of the others I have read about here and elsewhere lately) is doomed to
the same failure as Chicago's plan for reducing illegal deaths by
firearm, and for much the same reason (discussion of which here I will
spare you).
Back in the day, I was fighting a problem that I summarized (then and
now) as trying to stop the use and abuse of the University's (that
employed me) 56kb Frame Relay link to the Internet. Then as now I
defined "abuse" as the use of our facilities for purposes that no
stretch of imagination or definition could be said to be to the
University's benefit.
Through some experimentation I concluded that there were several clearly
identifiable sources of abuse. I disremember the ordering by severity
but they included:
Outright attacks on the University and others.
Myriad "scans" for a variety of reasons.
The first of these two I remember as being the worst (in terms of
item-count AND in terms of packet-size). I also recall it being the
easiest to fix, if anybody wanted to fix it. (The dominant reasons given
were that it would cost money without a revenue stream, and it would
reduce traffic that WAS in the revenue stream.) The fix I proposed:
Require (by law) that every service provider and every origination
customer of a service provider would, under penalty of law, block the
transmission of a packet whose source address could not be reached via
the link upon which it was found.
The Myriad scans problem was a little harder (for among other
reasons--the argument that they were good for us, even though they
accounted for something like 60% of the traffic on that link). The
solution I tried but ran out of dollars on was to detect somebody
scanning and route them to the Loopback interface of the boundary router.
--
"Everybody is a genius. But if you judge a fish by
its ability to climb a tree, it will live its whole
life believing that it is stupid."
--Albert Einstein
From Larry's Cox account.
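The source-address check proposed in the message above (forward a packet only if its source address routes back out the interface it arrived on, what is now called strict reverse-path filtering) as an added Python example; this is not code from the thread, and the routing table, interface names and packets are constructed for illustration.

```python
import ipaddress

# Constructed routing table for a boundary router: (prefix, egress interface).
# eth1/eth2 face two customer networks, eth0 faces the upstream link.
ROUTES = [
    (ipaddress.ip_network("192.0.2.0/24"), "eth1"),      # customer A
    (ipaddress.ip_network("198.51.100.0/24"), "eth2"),   # customer B
    (ipaddress.ip_network("0.0.0.0/0"), "eth0"),         # default route to upstream
]

def best_route(addr):
    """Longest-prefix match: the interface a packet destined to addr would leave on."""
    ip = ipaddress.ip_address(addr)
    matches = [(net, ifc) for net, ifc in ROUTES if ip in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def source_is_valid(src, ingress_ifc):
    """Strict reverse-path check: the reply path to the source must be the ingress interface."""
    return best_route(src) == ingress_ifc

def filter_packets(packets):
    """Apply the check to each packet; returns (forwarded, dropped)."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if source_is_valid(pkt["src"], pkt["ifc"]) else dropped).append(pkt)
    return forwarded, dropped

# Constructed packets: src, dst and the interface each arrived on.
PACKETS = [
    {"src": "192.0.2.10", "dst": "203.0.113.1", "ifc": "eth1"},    # customer A, own address: ok
    {"src": "203.0.113.9", "dst": "198.51.100.7", "ifc": "eth1"},  # customer A spoofing an outside source
    {"src": "198.51.100.7", "dst": "192.0.2.10", "ifc": "eth0"},   # from upstream, claims to be customer B
    {"src": "203.0.113.9", "dst": "192.0.2.10", "ifc": "eth0"},    # ordinary inbound traffic: ok
]

if __name__ == "__main__":
    fwd, drp = filter_packets(PACKETS)
    for p in fwd:
        print("forward", p["ifc"], p["src"], "->", p["dst"])
    for p in drp:
        print("drop   ", p["ifc"], p["src"], "->", p["dst"])
```

Strict mode as written rejects legitimate traffic on asymmetrically routed or multi-homed links, which is why production routers also offer a loose variant that only requires the source to be routable at all.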