Home page logo
/

nanog logo nanog mailing list archives

Re: WANTED: ISPs with DDoS defense solutions
From: Jared Mauch <jared () puck Nether net>
Date: Mon, 4 Aug 2003 17:45:26 -0400


On Mon, Aug 04, 2003 at 05:28:07PM -0400, bdragon () gweep net wrote:

I'm all for raising the bar on attackers and having end networks implement
proper source filtering, but even with that 1000 nt machines pinging 2
packet per second is still enough to destroy a T1 customer, and likely
with 1500 byte packets a T3 customer as well. You can't stop this without
addressing the host security problem...

Do you believe backbone networks should do nothing?

        I'm not sure what you are saying here, backbones do do
something, the problem is that it's easy to fill up a T1.  *really* easy.

        Just grab a few smurf amps and you can do it in a few seconds
if you can send spoofed traffic.

        Or compromise a machine in a colo and type ping -f <foo>

        The backbones can't do much about this as if someone is within
their burstable bandwidth (or purchased), how are they to know that this
traffic is not legitimate.  There will always be "i've got bigger pipes
than you" issues such as this.

        So, you need to have hosts (and routers) to be secured such
that they can't be compromised.  the *nix installations have been
moving towards this over time.  Note that RedHat no longer allows
inbound connections by default in rh9 on anything, they use iptables
to drop all this traffic.  Much different than the 3.0.3 days where
you got your INN server, mars-nwe, etc.. all installed so you had
a whole plethora of things that could be compromised as compared to
now.

        the *BSD unices have also been securing themselves slowly over
time as well, bind and sendmail no longer run as root very long in their
default configurations (other than to bind to the ports), and there are
other limitations that are being added as well.

        I won't speak for Washington State based companies and their
default security profiles and what (little) has been done to shift those
during the same timeframe..

        I'm just hoping that people do change the mentality as follows:

        You have to know how to turn the service on to open the ports.
This tends to mean that you know what you're doing in the first
place, or have done it on purpose and (might) have an idea of the
security implications of enabling such a service.

        While this may not hold true, it does possibly shift some
of the liability onto the end-user.  You enabled it, you got rooted via it,
you should know to keep updated.

        This also means that if you don't do anything, you by default
are not listening on ports 135-139,445, etc.. to get compromised,
winpopup spam, etc..

        it would allow the enterprise people to also enable things as
necessary when they do their default template installs as well..

        and everyone becomes happy.

        - jared

-- 
Jared Mauch  | pgp key available via finger from jared () puck nether net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]