Packet anonymity is the problem?

Owen DeLong owen at delong.com
Sun Apr 11 17:25:52 UTC 2004


> You make two assumptions:
>
> 1. denial of service requires compromised hosts
> 2. good code prevents hosts from being compromised
>
> I agree that without zombies launching a significant DoS is much more
> difficult, but it can still be done. Also, while many hosts run insecure
> software, the biggest security vulnerability in most systems is the
> finger resting on the left mouse button.
>
Prior to Windows I would have agreed with you.  However, with the advent
of Windows, I think insecure software has surpassed the user as a source
of problems.  This is not based on a belief that users have gotten any
better, but, rather that software is significantly worse.

> Also, waiting for others to clean up their act to be safe isn't usually
> the most fruitful approach.
>
This is very true.  However, education and encouragement of others to fix
their insecure systems is a worthwhile endeavor, and the reality remains
that if we could find a way to solve that issue, it would significantly
reduce today's DDOS and SPAM environment.

>>    While it can sound a bit theoretical (to hope that the "others" will
>>    run secure code), as the vast majority of users run OSs from one
>>    particular (major) vendor, an amelioration of said family of OSs
>>    would certainly benefit all. Just think about all the recent
>>    network havocs caused by worms propagating on one OS platform ...
>
> I'm not all that interested in plugging individual security holes. (Not
> saying this isn't important, but to the degree this is solvable things
> are moving in the right direction.) I'm much more interested in shutting
> up hosts after they've been compromised. This is something we absolutely,
> positively need to get a handle on.
>
I think both efforts are necessary and worthy.

Owen



-- 
If this message was not signed with gpg key 0FE2AA3D, it's probably
a forgery.