On Jul 17, 2017 3:42 AM, "Roland Dobbins" <rdobb...@arbor.net> wrote:
On 15 Jul 2017, at 3:40, Watson Ladd wrote: DDoS mitigation can be done at endpoints > Not at scale. That's why it isn't done that way. I'm all in favor of things like mod_security. But they can't do the heavy lifting on boxes which are already burdened by handling legitimate traffic. If you want to detect unauthorized access to a resource, having the > resource which > determines access anyway log that is enough. This is incorrect. How do you detect unauthorized access separate from knowing what authorization is? Exfiltration detection based on looking for sensitive identifiers doesn't > work: > Yes, it does. I know, because I've done it. real attackers will encrypt the data and dribble it out slowly or pretend > to be videoconferencing. > Believe me, real attackers do all kinds of things - and the most common exfiltration mechanism is to try and get lost in the http/s crowd. Yes, but you'll rot13 or rot 128 the file first. Why wouldn't you? As for attack surface why is "Press here to get plaintex of everything" not > a major, major increase in attackability? > Because these are intranet-only systems on isolated management networks with strong access controls. And the endpoints taking logs won't be? Which DDoS attacks specifically? > Among others, application-layer DDoS attacks within the cryptostream. Applications can rate-limited their own endpoints. You're telling me a dedicated out of stream box can handle this but a beefy server cannot? And if the traffic isn't hitting endpoints, does it matter? > Of course it matters. I've not personally had the pleasure of doing this, but I know it is possible because it is done every day. Finally, most software can export the secrets from TLS connections to a > file. > Logs are context-free and in no wise have the same value as being able to see the interactive traffic on the network in real-time. The capacity being asked for already exists. > Yes - and now folks are talking about arbitrarily taking this capability away without understanding its criticality to network operations, troubleshooting, and security. No one is taking away the ability to log the PMS to a file. That's the capacity which exists now. The fact that we're even having this discussion at this point in time is because of an astounding lack of due diligence on the part of those who are pushing to remove the capability to monitor standards-based encrypted traffic on intranets. Alternatively it's because you've decided to run your networks in ways very different from the public internet and used this as a way to avoid organizational battles over giving operations the tools they need to work. ----------------------------------- Roland Dobbins <rdobb...@arbor.net>
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
