WANTED: ISPs with DDoS defense solutions
Jack Bates
jbates at brightok.net
Fri Aug 1 11:09:45 UTC 2003
McBurnett, Jim wrote:
> if *all* dsl and cablemodem plants firewalled inbound SYN packets and/or
> only permitted inbound UDP in direct response to prior valid outbound UDP,
> would rob really have seen a ~140Khost botnet this year?
In a sense, I would agree with you. The best method for what you
describe is, of course, NAT. However, I can think of a lot of protocols
that won't work with it properly. While a large portion of the userbase
doesn't notice, vendors trying to put out products with these protocols
do notice and their technologies are delayed as a result.
In addition, your logic will not stop bots installed via email. It
doesn't have to be a worm. Enough end users will click the exe
themselves despite the fact they have no clue what it is or who it's
from. They are curious, so they open it. Each week, I have to explain to
a user whose account I suspended that curiosity killed the cat. I Gigs
of executables from email to help protect the majority of our user base,
and yet they go to some webmail provider to get infected or just sit on
irc or accept files across instant messenger. So much for network
security. Now they have a bot sitting behind NAT with a source started
irc uplink for commands. It's a good thing my network is multi-staged
spoof protected both ways.
-Jack
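Added example, not part of Jack's post or of the quoted proposal: a small Python model of the access-plant policy the quote describes (drop inbound TCP SYN, admit inbound UDP only as a reply to a recent outbound UDP flow) together with the "spoof protected both ways" check Jack mentions. The customer prefix, the UDP state lifetime, the simplified TCP handling (any inbound non-SYN segment is treated as part of a customer-initiated connection) and the packet trace are all constructed assumptions. The trace is there to show the point of the reply: the scan SYN, the unsolicited UDP probe and the spoofed packets are dropped, but a bot that calls out to its IRC server from behind the filter is not touched, because it starts the connection itself.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed customer (DSL/cable) prefix sitting behind the filter. Constructed
# for this example; any block would do for the model.
CUSTOMER_NET = ip_network("10.20.0.0/16")
# How long an outbound UDP flow keeps its return path open, in seconds (assumed).
UDP_STATE_TTL = 30.0


@dataclass(frozen=True)
class Pkt:
    ts: float      # arrival time in seconds
    iface: str     # "cust" = arrived from the customer side, "net" = from the Internet
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


class PlantFilter:
    """Stateful access-plant filter as in the quoted proposal: inbound TCP SYN
    is dropped, inbound UDP is admitted only as a reply to a prior outbound UDP
    flow, and sources are checked for spoofing in both directions."""

    def __init__(self):
        # (customer ip, customer port, remote ip, remote port) -> last seen ts
        self.udp_flows = {}

    def _spoofed(self, p):
        src_is_customer = ip_address(p.src) in CUSTOMER_NET
        if p.iface == "cust":
            return not src_is_customer   # customer must source from its own prefix
        return src_is_customer           # Internet side may not claim our prefix

    def decide(self, p):
        """Return ("ACCEPT" | "DROP", reason) for one packet and update state."""
        if self._spoofed(p):
            return "DROP", "spoofed source on " + p.iface
        if p.iface == "cust":
            if p.proto == "udp":
                # remember the outbound flow so its reply can come back
                self.udp_flows[(p.src, p.sport, p.dst, p.dport)] = p.ts
            return "ACCEPT", "outbound traffic is not filtered"
        # inbound from the Internet
        if p.proto == "tcp":
            if p.syn and not p.ack:
                return "DROP", "unsolicited inbound SYN"
            # simplification: no full TCP state table, non-SYN segments pass
            return "ACCEPT", "segment of a customer-initiated TCP connection"
        key = (p.dst, p.dport, p.src, p.sport)   # reversed 4-tuple of the outbound flow
        last = self.udp_flows.get(key)
        if last is not None and p.ts - last <= UDP_STATE_TTL:
            self.udp_flows[key] = p.ts
            return "ACCEPT", "UDP reply to a recent outbound flow"
        return "DROP", "unsolicited inbound UDP"


def run_trace():
    """Constructed packet trace exercising each rule; returns {label: verdict}."""
    f = PlantFilter()
    trace = [
        # scanner on the Internet probes a customer host
        ("scan_syn",       Pkt(0.0,  "net",  "198.51.100.7",  "10.20.1.7",     "tcp", 40001, 445, syn=True)),
        # customer resolves a name; the reply is let back in
        ("dns_query",      Pkt(1.0,  "cust", "10.20.1.7",     "198.51.100.53", "udp", 40000, 53)),
        ("dns_reply",      Pkt(1.1,  "net",  "198.51.100.53", "10.20.1.7",     "udp", 53, 40000)),
        # UDP that nobody asked for (worm-style probe)
        ("udp_probe",      Pkt(2.0,  "net",  "198.51.100.7",  "10.20.1.7",     "udp", 1434, 1434)),
        # same DNS reply 5-tuple, but after the state has expired
        ("late_reply",     Pkt(33.0, "net",  "198.51.100.53", "10.20.1.7",     "udp", 53, 40000)),
        # a bot on the customer host calls out to its IRC server: nothing above stops it
        ("bot_irc_syn",    Pkt(40.0, "cust", "10.20.1.7",     "203.0.113.9",   "tcp", 50000, 6667, syn=True)),
        ("bot_irc_synack", Pkt(40.1, "net",  "203.0.113.9",   "10.20.1.7",     "tcp", 6667, 50000, syn=True, ack=True)),
        # spoof protection in both directions
        ("egress_spoof",   Pkt(50.0, "cust", "192.0.2.5",     "203.0.113.9",   "tcp", 1, 80, syn=True)),
        ("ingress_spoof",  Pkt(51.0, "net",  "10.20.3.3",     "10.20.1.7",     "tcp", 1, 80, syn=True)),
    ]
    return {label: f.decide(p)[0] for label, p in trace}


if __name__ == "__main__":
    for label, verdict in run_trace().items():
        print(f"{label:15s} {verdict}")
```

The model is deliberately minimal: a real edge filter would track TCP state as well and would apply the spoof check per customer port rather than per prefix, but the shape of the result is the same. Unsolicited inbound traffic is stopped; a host that has already been infected and opens its own control channel outbound is not.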
More information about the NANOG mailing list