FW: Re: Is there a line of defense against Distributed Reflective attacks?

Jeff Workman jworkman at pimpworks.org
Mon Jan 20 22:47:04 UTC 2003


Stoned koalas drooled eucalyptus spit in awe as Avleen Vig exclaimed:


>> Doesn't this stop kazaa/morpheus/gnutella/FTP/<some aim stuff like
>> private chats>? This is a problematic setup, and would require the cable
>> modem provider to maintain a quickly changing 'firewall' :( I understand
>> the want to do it, but I'm not sure it's practical to see it happen based
>> solely on the hassle factor :( Hmm, security, "you gotta pay to play"
>> (Some famous man once said that I believe)
>
> Indeed it does break that. P2P clients: Mostly transfer illegal content.
> As much as a lot of people love using these, I'm sure most realise they're
> on borrowed time in their current state.

And it's your job as a network provider to determine the legality of your 
users' activities?  Plus, you said the magic word "mostly".  What about 
legit uses of P2P networks?  Do you also stop your users from using NNTP as 
well, since it's "mostly" used for porn and warez?  How about email, since, 
from the looks of my mail logs, SMTP traffic is "mostly" spam and sircam. :)

I'm sure your users would certainly pack up and take their business 
elsewhere if you placed these restrictions on them.  Why not just put them 
all behind a firewall on RFC-1918 addresses, if you are going to block all 
incoming SYNs?

> And I'm sure that if they were gone tomorrow, I'm sure they'd be back in
> another fashion soon.

Any true P2P system is going to need at least one end user to receive a SYN.

> FTP/HTTP etc. I believe most cable providers currently block these anyway

I also believe it is usually stated in their TOS that they're not allowed 
to run services on their home computers.  If I'm on IRC and I initiate an 
outgoing DCC chat, the open port on my box awaiting the connection is 
hardly a "service."

> There's a chance it'd break things like file transfers on IM clients but
> I'm sure they'd be altered too.

Unless I'm missing something, wouldn't it be necessary to modify both the 
clients and the servers to pass all FT traffic through the servers? I'm 
sure those who sell bandwidth to AOL and Yahoo would love it if they did 
that, but I don't see it happening.

-Jeff

--
Jeff Workman | jworkman at pimpworks.org | http://www.pimpworks.org
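The policy the thread argues over, "block all incoming SYNs" at the provider edge, can be modelled in a few lines. The following is an added example written for this archive page; it is not code from the thread, from NANOG, or from any provider. It assumes a constructed subscriber pool (198.51.100.0/24, an RFC 5737 documentation range) and constructed peer addresses, and it shows exactly the trade-off discussed above: connections the subscriber opens outbound (web browsing) keep working, while a peer connecting back to a port the subscriber is listening on (an IRC DCC chat, or the receiving side of a P2P transfer) is dropped, because that connection necessarily starts with a SYN toward the subscriber.

```python
"""Toy model of a provider-edge filter that drops subscriber-bound TCP SYNs.

Hypothetical example, not code from the thread or from any provider. It
implements the policy argued about on the list: an inbound TCP segment that
opens a new connection (SYN set, ACK clear) is dropped; inbound segments that
belong to a connection the subscriber opened outbound are accepted. All
packets below are constructed records, not captured traffic.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed cable-modem address pool (RFC 5737 documentation range).
SUBSCRIBERS = ip_network("198.51.100.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # subset of "SA": S = SYN, A = ACK


def is_inbound(pkt: Packet) -> bool:
    """True when the segment travels from the Internet toward a subscriber."""
    return (ip_address(pkt.dst) in SUBSCRIBERS
            and ip_address(pkt.src) not in SUBSCRIBERS)


def is_new_connection(pkt: Packet) -> bool:
    """A bare SYN (no ACK) is the first segment of a new TCP connection."""
    return "S" in pkt.flags and "A" not in pkt.flags


class InboundSynFilter:
    """Stateful filter: remember flows the subscriber opened, refuse the rest."""

    def __init__(self) -> None:
        # (subscriber_ip, subscriber_port, peer_ip, peer_port) of outbound flows
        self.outbound_flows: set[tuple[str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> str:
        if not is_inbound(pkt):
            # Outbound traffic is never filtered; note new connections
            # so that their return segments can be matched later.
            if is_new_connection(pkt):
                self.outbound_flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        if is_new_connection(pkt):
            return "DROP"  # someone on the Internet trying to reach a subscriber port
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.outbound_flows:
            return "ACCEPT"  # reply within a subscriber-initiated connection
        return "DROP"  # unsolicited non-SYN segment (e.g. a stray ACK)


def run_scenario() -> dict[str, str]:
    """Replay constructed packets through the filter; return verdict per packet."""
    sub = "198.51.100.7"    # constructed subscriber
    web = "203.0.113.10"    # constructed web server
    peer = "203.0.113.44"   # constructed IRC peer accepting a DCC chat offer
    stray = "203.0.113.99"  # constructed source of an unsolicited ACK

    scenario = [
        # Subscriber browses the web: outbound SYN, inbound SYN/ACK.
        ("browse_syn", Packet(sub, 40000, web, 80, "S")),
        ("browse_synack", Packet(web, 80, sub, 40000, "SA")),
        # Subscriber offered a DCC chat and is listening on 1024; the peer
        # must open the connection, which means an inbound SYN.
        ("dcc_connect", Packet(peer, 51515, sub, 1024, "S")),
        # Unsolicited ACK to a port the subscriber never used.
        ("stray_ack", Packet(stray, 443, sub, 55555, "A")),
    ]
    flt = InboundSynFilter()
    return {name: flt.decide(pkt) for name, pkt in scenario}


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:14s} {verdict}")
```

The filter does not need to know anything about KaZaA, DCC, or IM file transfers to break them; it only needs to see a SYN headed for a subscriber. That is the point Jeff makes about "any true P2P system": whichever side passively waits for the connection is the side this rule silences, which is also why such a filter blocks the listener for a subscriber-initiated DCC chat just as thoroughly as a deliberately hosted server.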


