WANTED: ISPs with DDoS defense solutions

Petri Helenius pete at he.iki.fi
Thu Jul 31 06:24:34 UTC 2003


Paul Vixie wrote:

>lots of late night pondering tonight.
>
>the anti-nat anti-firewall pure-end-to-end crowd has always argued in
>favour of "every host for itself" but in a world with a hundred million
>unmanaged but reprogrammable devices is that really practical?
>  
>
The most popular applications today either prefer or require bidirectional
connectivity. Peer-to-peer traffic is about half of the total, and there can be only
so many "corporate sponsored" SuperNodes.

Also, games and some other applications, like SIP and other VoIP stuff,
require being able to connect to the remote host. Obviously you can engineer
around all this, but then, fixing the host is also "just software".

>if *all* dsl and cablemodem plants firewalled inbound SYN packets and/or
>only permitted inbound UDP in direct response to prior valid outbound UDP,
>would rob really have seen a ~140Khost botnet this year?
>  
>
Sure. One recent remote exploit requires just an embedded MIDI file on a web
page, which MS's browser will be happy to download and "execute". Or did you
think that the NAT box would allow only text-based browsing and provide
HTTP-to-Gopher translation?

While you are at it, make sure all email clients are safe and immune to
viruses.

Pete
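
The edge policy Paul Vixie floats in the quoted text (drop unsolicited inbound TCP SYNs; admit inbound UDP only as a reply to recent outbound UDP) and Pete's objection to it can be made concrete with a small model. What follows is an added example, not code from this post or from anyone on the list: a toy stateful per-subscriber filter that implements the two rules and runs a constructed packet trace through it. The addresses, ports, the 30-second UDP reply window and the trace itself are constructed assumptions, and a real deployment would use a connection tracker such as Linux netfilter's conntrack rather than a Python dictionary.

```python
# Added example: a toy model of the edge policy Paul Vixie floats in the
# quoted text (drop unsolicited inbound TCP SYN; admit inbound UDP only as a
# reply to recent outbound UDP). It is not code from the NANOG post.
# Addresses, ports and the 30 s UDP reply window are constructed assumptions.
from dataclasses import dataclass
from typing import Dict, List, Tuple

FlowKey = Tuple[str, int, str, int]  # (inside_ip, inside_port, outside_ip, outside_port)


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = subscriber -> Internet, "in" = Internet -> subscriber
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    ts: float = 0.0  # seconds; only used for the UDP reply window


class EdgeFilter:
    """Stateful filter at the DSL/cable aggregation edge, one instance per subscriber."""

    UDP_REPLY_WINDOW = 30.0  # assumption: how long an outbound UDP packet opens its reply path

    def __init__(self) -> None:
        self.tcp_flows: set = set()                 # flows opened by an outbound SYN
        self.udp_flows: Dict[FlowKey, float] = {}   # flow -> timestamp of last outbound UDP packet

    @staticmethod
    def _key(pkt: Packet) -> FlowKey:
        # Normalise both directions to the same (inside, outside) tuple.
        if pkt.direction == "out":
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def process(self, pkt: Packet) -> str:
        key = self._key(pkt)
        if pkt.direction == "out":
            # Outbound traffic is never filtered by this policy; it only creates state.
            if pkt.proto == "tcp" and pkt.syn and not pkt.ack:
                self.tcp_flows.add(key)
            elif pkt.proto == "udp":
                self.udp_flows[key] = pkt.ts
            return "ACCEPT"
        if pkt.proto == "tcp":
            if pkt.syn and not pkt.ack:
                return "DROP"  # unsolicited inbound connection attempt
            # SYN/ACK, data and FIN are fine on a flow the subscriber opened.
            return "ACCEPT" if key in self.tcp_flows else "DROP"
        last_out = self.udp_flows.get(key)
        if last_out is not None and 0 <= pkt.ts - last_out <= self.UDP_REPLY_WINDOW:
            return "ACCEPT"
        return "DROP"


def run_trace() -> List[str]:
    """Run a constructed packet trace for one subscriber (10.0.0.5) through the filter."""
    f = EdgeFilter()
    trace = [
        # 1-3: the subscriber browses to a web server; the server's reply, whatever
        # it carries (Pete's MIDI example), rides the flow the subscriber opened.
        Packet("out", "tcp", "10.0.0.5", 3000, "192.0.2.10", 80, syn=True, ts=0.0),
        Packet("in", "tcp", "192.0.2.10", 80, "10.0.0.5", 3000, syn=True, ack=True, ts=0.1),
        Packet("in", "tcp", "192.0.2.10", 80, "10.0.0.5", 3000, ack=True, ts=0.3),
        # 4: a scanner tries to open a connection to the subscriber's RPC port.
        Packet("in", "tcp", "198.51.100.7", 4444, "10.0.0.5", 135, syn=True, ts=1.0),
        # 5-6: a DNS query and its reply.
        Packet("out", "udp", "10.0.0.5", 5353, "192.0.2.53", 53, ts=10.0),
        Packet("in", "udp", "192.0.2.53", 53, "10.0.0.5", 5353, ts=10.2),
        # 7: unsolicited inbound UDP from a stranger.
        Packet("in", "udp", "198.51.100.7", 1434, "10.0.0.5", 1434, ts=11.0),
        # 8: a "reply" arriving long after the query: outside the window, dropped.
        Packet("in", "udp", "192.0.2.53", 53, "10.0.0.5", 5353, ts=50.0),
    ]
    return [f.process(p) for p in trace]


if __name__ == "__main__":
    for i, verdict in enumerate(run_trace(), 1):
        print(i, verdict)
```

Packets 1 to 3 are Pete's point: content pulled over a connection the subscriber opened, a web page with a malicious embedded object for instance, passes the edge policy untouched, so the policy does nothing against client-side exploits. Packets 4 and 7 are what it does stop: unsolicited inbound connection attempts and unsolicited inbound UDP. Packet 8 shows the reply-window timeout that any stateful UDP rule needs, and which is what makes long-lived or server-initiated flows (the games and SIP cases Pete mentions) need explicit engineering around the filter.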
More information about the NANOG mailing list