Re: Recent Attacks

["Steven M. Bellovin" <smb () research att com>]

In message <Pine.GSO.4.10.10002181352090.20196-100000 () www securityfocus com>, R
yan Russell writes:
> > > Hang on now, that's too easy an example.  I'm not THAT
> > > lenient.  What I'm saying is that if Amazon normally
> > > does 1M$/day, and on the day od the DDoS attacks,
> > > they only do 800K$... but then do 1.2M$ the next day..
> > > were there damages beyond investigative costs?
> > And E-trade, where *timing* matters a lot to their customers?
> >
> >             --Steve Bellovin
>
> For E-trade, it makes a lot more sense that business would be lost that
> would happen then and only then (well, mostly... I'm sure some folks will
> still sell even after the stock dropped below what they meant to sell at.)
> It makes sense to punish the attacker exta on behalf of the customers of
> E-trade *IFF* E-Trade does something along those lines for normal outages.
> (I think they've had some, and I don't think they did anything for the
> customers, did they?  Hmm..lesse, our click-wrap agreement says "Screw
> You.")
>
> All I want is for prosecutors, judges, and law enforcement to put some
> intelligent thought into what the damages really were.  I still say the
> attacker couldn't have done 1.2B in damages, and that's the "crucifixtion"
> dollar amount.   
>
> If someone decides that mapping out the Internet to produce nice-looking
> graphs constitutes a criminal port-scanning attack, you would want to have
> someone force the prosecutors to name reasonable damages, right?  You
> wouldn't want some idiot fed saying "This guy attacked every single
> machine on the Internet for severl years, and caused trillions in
> damages."  

Absolutely.  I'm merely saying that denial of service can cost real money.  
That normal outages are a problem is between the customers and E-trade, with 
whom they have a contractual agreement.  They have none with whoever blocked 
the line.

                --Steve Bellovin