On Thu, 7 Jun 2001 dgillett@deepforest.org wrote:

> Stopping intrusions *on every host in the wild* should prevent
> their being used as DDoS zombies. It wouldn't prevent them being
> used as smurfs -- you have to prevent source spoofing for that.

If smurfs were the biggest problem we had, we'd be in a much better place. ISPs can enforce leaf-node filtering requirements if they had to, so that's actually an easier to solve problem in the long run. Smurf amplifiers are fortunately easier to stop, and Cisco's defaulting to no ip directed broadcast helps significantly.

> Given that none of us, as far as I know, is in a position to fix
> every host in the wild, then if I harden a site against intrusions,
> does it become immune to DDoSes? NO, because the DDoS that takes my
> site off the air may be targeted at something I don't control: ISP
> routers, DNS root servers, Akamai cache servers, etc.
>
> It's not obvious to me that defending against intrusions does
> anything to protect me from DDoSes. (Okay, folks -- I'm setting
> myself up to learn something here. Teach me the error of my ways.)

If we all take the individual stance, then no, but if everyone hardened, then the aggregate hardening would ensure that DDoS attacks weren't easy to mount, and that at least critical resources at high-bandwidth multihomed locations (like the root servers) wouldn't be as vulnerable to attack. As long as everyone is only worried about themselves, and nobody does things like egress filter rules to stop spoofing (after all, that only really helps your neighbors, right?) then we'll continue to be in the shape we're in. If I had to count the number of times I've had to prove that an outbound access list on the external interface of a border router doesn't impact that router's performance significantly...

We've got a protocol in front of IETF to do the host identification, we've spent time with a *lot* of very smart people talking about anti-DDoS methodologies.
The end game is that to keep the critical infrastructure protected, we don't need anywhere near 100% compliance (I think the figure was around 20%, but I don't have that data here at home.) If you harden a site against intrusions, then it becomes one less launch point for attacks. If it became culturally unacceptable to put a default install of anything on a network, the number of sites used to launch any attack would go down to the point where we could start to deal with individuals doing malicious acts. That's far better than throwing up our collective hands and saying we can't do anything about it, or waiting for someone else to solve the problems for us.

> On the other hand, there's a sense in which a DDoS that prevents
> users from reaching my servers cannot knock me further down than
> zero. An actual intrusion, a compromise of sensitive medical data or
> credit card numbers or missile launch codes, has no such natural
> limit on how bad the damage can be....

Exactly - DDoS attacks don't worry me too much from a strategic perspective, because once they stop they're over. Intrusions, especially of infrastructure components, worry me significantly more because of the lack of boundaries on damage or malice. I'd rather have my network off the air from one of its providers than my leg off my body from a bad surgery scheduler.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@patriot.net    which may have no basis whatsoever in fact."

-
[To unsubscribe, send mail to majordomo@lists.gnac.net with
"unsubscribe firewalls" in the body of the message.]
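An added example, not part of Paul's post, of the two router-side measures the thread mentions: an outbound access list on the border router's external interface that only lets packets with the site's own source prefix leave (so spoofed packets from a compromised inside host never reach the ISP), and no ip directed-broadcast on the LAN interface (so the site cannot serve as a smurf amplifier). The prefix 192.0.2.0/24, the upstream address, the interface names and the ACL number are constructed for illustration; the syntax is Cisco IOS.

```text
! Constructed example: site prefix 192.0.2.0/24 (documentation range),
! external interface Serial0/0, inside interface FastEthernet0/0.
!
! Egress (RFC 2827 style) filter: only our own prefix may appear as the
! source of anything leaving the site. Wildcard 0.0.0.255 = /24.
access-list 110 permit ip 192.0.2.0 0.0.0.255 any
! Anything else is spoofed or misconfigured: drop it and log the source,
! which points you at the inside host that needs cleaning up.
access-list 110 deny   ip any any log
!
interface Serial0/0
 description Link to upstream ISP
 ip address 203.0.113.2 255.255.255.252
 ! Applied outbound, on the external interface, as in the post. Traffic
 ! the router itself originates is not subject to an outbound ACL, so
 ! routing protocol and management traffic from 203.0.113.2 still works.
 ip access-group 110 out
!
interface FastEthernet0/0
 description Inside LAN
 ip address 192.0.2.1 255.255.255.0
 ! Do not forward packets addressed to 192.0.2.255 as a LAN broadcast:
 ! this is what turns a site into a smurf amplifier.
 no ip directed-broadcast
!
! Verification after deploying:
!   show access-lists 110          - per-line match counters; a growing
!                                    count on the deny line means an inside
!                                    host is emitting spoofed packets
!   show logging | include list 110 - the logged source addresses
```

The deny-line counter is the cheap way to settle the performance argument in the post: the ACL is two lines and matches on a single source prefix, so the cost is negligible, while the counter gives hard numbers on how much spoofed traffic the site would otherwise have leaked. Later IOS releases also offer ip verify unicast reverse-path on the inside interface (unicast RPF) as an alternative that needs no per-prefix ACL maintenance.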