Packet anonymity is the problem?

• Previous message (by thread): Packet anonymity is the problem?
• Next message (by thread): Packet anonymity is the problem?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sun, 11 Apr 2004, Iljitsch van Beijnum wrote:

> 
> On 11-apr-04, at 11:51, Yann Berthier wrote:
> 
> >>Ok, then explain to me how removing bugs from the code I run prevents
> >>me from being the victim of denial of service attacks.
> 
> >   It's the other way around in fact: if others were to run (more)
> >   secure code, there would be far less boxen used as zombies to launch
> >   ddos attacks against your infrastructure, to propagate worms, and to
> >   be used as spam relays.
> 
> You make two assumptions:
> 
> 1. denial of service requires compromised hosts

   I don't remember having made such an assumption :) the assumption i
   made (and i still make) is that compromised hosts *are* used for
   dos attacks, as well as for other uses having major network impact
   (worms and spam, that is)

> 2. good code prevents hosts from being compromised

   yes, i think that good code can reduce the exposure to
   compromissions. And then came the diseasusers ...

> I agree that without zombies launching a significant DoS is much more 
> difficult, but it can still be done. Also, while many hosts run 
> insecure software, the biggest security vulnerability in most systems 
> is the finger resting on the left mouse button.

   I perfectly agree. But there are technical countermeasures available
   to limit the user willingness to help compromise his own box.
   Sandboxing, ingress *and* egress filtering, sensible security
   defaults and so on.

   While it would have not been a panacea, i think that no unnecessary
   open ports on default installs + OSs not encouraging their users to
   run as Administrator would certainly have been a good thing (tm)

   We certainly can't expect nothing from the user, but we should be
   able to expect sensible default settings from OS vendors

> Also, waiting for others to clean up their act to be safe isn't usually 
> the most fruitful approach.

   I was not even suggesting something like that :)

> >   While it can sound a bit theorical (to hope that the "others" will
> >   run secure code), as the vast majority of users run OSs from one
> >   particular (major) vendor, an amelioration of said family of OSs
> >   would certainly benefit to all. Just think about all the recent
> >   network havocs caused by worms propagating on one OS platform ...
> 
> I'm not all that interested in plugging individual security holes. (Not 
> saying this isn't important, but to the degree this is solvable things 
> are moving in the right direction.) I'm much more interested in 
> shutting up hosts after they've been compromised. This is something we 
> absolutely, positively need to get a handle on.

   I think we mostly agree on every points, i just wanted to pinpoint
   the fact that insecure code run by others has certainly repercussions
   on everyone's network.

   So now let's this thread die, because it begins to sound like
   something we have seen so many times :) I won't add _one_ word to
   these way too much rebated subjects

   Cheers,

      - yann

• Previous message (by thread): Packet anonymity is the problem?
• Next message (by thread): Packet anonymity is the problem?
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]