Counter DoS
Rachael Treu
rara at navigo.com
Thu Mar 11 21:29:38 UTC 2004
On Thu, Mar 11, 2004 at 03:21:29AM -0500, Brian Bruns said something to the effect of:
>
> On Thursday, March 11, 2004 3:05 AM [EST], Brian Bruns <bruns at 2mbit.com>
> wrote:
..snip snip..
> > How the hell could a company put something like this out, and expect not to
> > get themselves sued to the moon and back when it fires a shot at an innocent
> > party?
Caution: 'innocent' is not the buzzword here. Subscribers: check your
respective AUPs. You will likely find explicit prohibition of any malicious
and generally unsolicited traffic generated by a node in your control, and I
don't think that self-defense has an extenuation clause or special case
appendix therein.
You attack an attacker, he, too, can pursue you legally. There are not
provisions made for DoS-ing a DoS-er. Vigilante nonsense is discouraged.
>
..snip snip..
> What's going to happen when they find a nice little exploit in these buggers
> (even if they have anti-spoof stuff in them) that allows the kids to take
> control of them or trick them into attacking innocents? Instead of thousands
> of DDoS drones on DSL and cable modems, you'll see kids with hundreds of these
> 'nuclear strike firewalls' on T1s, T3s, and higher, using them like they use
> the current trojans?
This won't even require an exploit to effect.
These boxes can likely be used to do the bidding of miscreants with some
simply-crafted packets and source spoofing. This thing could become
something akin to a smurf amp with a big-time attitude problem. Anti-spoof
rules will afford a modicum of reverse-path protection, but not enough
to swat away the majority of inbound crafted traffic. This stupid PoS
appliance would have to be installed and widely-deployed provider-side to
discern on such a level.
This would become the stuff of yet-another-botnet.
>
> No product is 100% secure (especially not something that runs under Windows,
> but that's another issue), so how are they going to deliver updates?
This is the least of their concerns; update management is already done
effectively and easily by most IDS, anti-virii, and other signature-based
appliance manufacturers. Snakeoil salesmen offer at the most basic a
valid means of distributing updates, even.
> Or make sure that the thing is configured right?
Now _that_ is a real problem.
Given that no one has beaten the creators with the illustrious clue
stick and anyone who'd truly subscribe to this thing is likely mis-wired
him/herself, I would guess that poor configuration is an engineering
cornerstone on which this entire debacle desperately depends.
Flog the scoundrels.
ymmv,
--ra
--
k. rachael treu, CISSP rara at navigo.com
..quis custodiet ipsos custodes?..
> I could see blacklists (BGP based)
> cropping up of these systems, so that you can filter these networks from ever
> being able to come near your network.
>
> This is starting to sound more and more like a nuclear arms race - on one side
> we have company a, on the other company b. Company A fears that B will attack
> it, so they get this super dooper nuclear strike system. Company B follows
> suit and sets one up as well. Both then increase their bandwidth, outdoing
> the other until finally, script kiddie comes along, and spoofs a packet from A
> to B, and B attacks A, and A responds with its own attack. ISPs hosting the
> companies fall flat on their face from the attack, the backbone between the
> two ISPs gets lagged to death, and stuff starts grinding to a halt for others
> caught in the crossfire.
>
> So, and who thinks that this is a good idea? :)
> --
> Brian Bruns
> The Summit Open Source Development Group
> Open Solutions For A Closed World / Anti-Spam Resources
> http://www.sosdg.org
>
> The Abusive Hosts Blocking List
> http://www.ahbl.org
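The reply above argues that anti-spoof rules on the appliance itself give only "a modicum of reverse-path protection" and that real discernment would need provider-side deployment. The following added example (not from either poster) models that claim with a strict unicast RPF check: the constructed routing tables use documentation prefixes (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and the interface names are assumptions.

```python
import ipaddress

# Constructed routing tables: a list of (prefix, egress interface).
# The customer-edge box knows only its own LAN and a default route.
CUSTOMER_EDGE_RIB = [
    (ipaddress.ip_network("192.0.2.0/24"), "lan"),
    (ipaddress.ip_network("0.0.0.0/0"), "wan"),
]

# The provider edge knows which customer-facing interface each
# customer prefix lives behind, plus a default toward upstream.
PROVIDER_EDGE_RIB = [
    (ipaddress.ip_network("192.0.2.0/24"), "cust-A"),
    (ipaddress.ip_network("203.0.113.0/24"), "cust-B"),
    (ipaddress.ip_network("0.0.0.0/0"), "upstream"),
]


def best_route(rib, src):
    """Longest-prefix match for a source address; returns the egress interface."""
    ip = ipaddress.ip_address(src)
    matches = [(net, ifc) for net, ifc in rib if ip in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def urpf_strict_accepts(rib, src, ingress):
    """Strict uRPF: accept only if the best route back to src exits via ingress."""
    return best_route(rib, src) == ingress


def compare_vantage_points():
    """Same packets, checked at the customer edge and at the provider edge."""
    return {
        # Source claims to be an unrelated outside host, arriving from the WAN.
        # The customer box has only a default route, so it cannot tell a spoof
        # from a genuine sender: it is accepted either way.
        "outside src at customer edge": urpf_strict_accepts(CUSTOMER_EDGE_RIB, "198.51.100.7", "wan"),
        # Source claims to be inside the LAN but arrives on the WAN: the one
        # case the customer-side check can actually catch.
        "own prefix from wan at customer edge": urpf_strict_accepts(CUSTOMER_EDGE_RIB, "192.0.2.5", "wan"),
        # Same outside source, but injected on customer B's port at the
        # provider: best route is "upstream", not "cust-B", so it is dropped.
        "outside src on cust-B at provider": urpf_strict_accepts(PROVIDER_EDGE_RIB, "198.51.100.7", "cust-B"),
        # Legitimate customer B traffic on its own port still passes.
        "cust-B src on cust-B at provider": urpf_strict_accepts(PROVIDER_EDGE_RIB, "203.0.113.9", "cust-B"),
    }
```

Only the provider-edge table can map an arbitrary source back to the interface it should have arrived on, which is the distinction the post draws.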