Counter DoS

Rachael Treu rara at navigo.com
Thu Mar 11 21:30:56 UTC 2004


On Thu, Mar 11, 2004 at 03:21:29AM -0500, Brian Bruns said something to the effect of:
> 
> On Thursday, March 11, 2004 3:05 AM [EST], Brian Bruns <bruns at 2mbit.com>
> wrote:
..snip snip..
> > How the hell could a company put something like this out, and expect not to
> > get themselves sued to the moon and back when it fires a shot at an innocent
> > party?

Caution: 'innocent' is not the buzzword here.  Subscribers: check your
respective AUPs.  You will likely find explicit prohibition of any malicious
and generally unsolicited traffic generated by a node in your control, and I 
don't think that self-defense has an extenuation clause or special case 
appendix therein.

You attack an attacker, he, too, can pursue you legally.  There are not
provisions made for DoS-ing a DoS-er.  Vigilante nonsense is discouraged.
> 
..snip snip..
> What's going to happen when they find a nice little exploit in these buggers
> (even if they have anti-spoof stuff in them) that allows the kids to take
> control of them or trick them into attacking innocents?  Instead of thousands
> of DDoS drones on DSL and cable modems, you'll see kids with hundreds of these
> 'nuclear strike firewalls' on T1s, T3s, and higher, using them like they use
> the current trojans?

This won't even require an exploit to effect.

These boxes can likely be used to do the bidding of miscreants with some
simply-crafted packets and source spoofing.  This thing could become
something akin to a smurf amp with a big-time attitude problem.  Anti-spoof
rules will afford a modicum of reverse-path protection, but not enough
to swat away the majority of inbound crafted traffic.  This stupid PoS 
appliance would have to be installed and widely-deployed provider-side to 
discern on such a level.

This would become the stuff of yet-another-botnet.

> 
> No product is 100% secure (especially not something that runs under Windows,
> but that's another issue), so how are they going to deliver updates?

This is the least of their concerns; update management is already done
effectively and easily by most IDS, anti-virii, and other signature-based
appliance manufacturers.  Snakeoil salesmen offer at the most basic a 
valid means of distributing updates, even.

> Or make sure that the thing is configured right?  

Now _that_ is a real problem.

Given that no one has beaten the creators with the illustrious clue 
stick and anyone who'd truly subscribe to this thing is likely mis-wired
him/herself, I would guess that poor configuration is an engineering
cornerstone on which this entire debacle desperately depends.

Flog the scoundrels.

ymmv,
--ra

-- 
k. rachael treu, CISSP       rara at navigo.com
..quis custodiet ipsos custodes?..

> I could see blacklists (BGP based)
> cropping up of these systems, so that you can filter these networks from ever
> being able to come near your network.
> 
> This is starting to sound more and more like a nuclear arms race - on one side
> we have company a, on the other company b.  Company A fears that B will attack
> it, so they get this super dooper nuclear strike system.  Company B follows
> suit and sets one up as well.  Both then increase their bandwidth, outdoing
> the other until finally, script kiddie comes along, and spoofs a packet from A
> to B, and B attacks A, and A responds with its own attack.  ISPs hosting the
> companies fall flat on their face from the attack, the backbone between the
> two ISPs gets lagged to death, and stuff starts grinding to a halt for others
> caught in the crossfire.
> 
> So, and who thinks that this is a good idea? :)
> -- 
> Brian Bruns
> The Summit Open Source Development Group
> Open Solutions For A Closed World / Anti-Spam Resources
> http://www.sosdg.org
> 
> The Abusive Hosts Blocking List
> http://www.ahbl.org
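The reply above argues that a retaliating appliance is a reflector: anyone who can spoof a source address can point its "counter-attack" at a third party, and anti-spoof (reverse-path) rules only help if they sit provider-side. The following is an added illustration by the editor, not code from the original post or from any product discussed in it. It simulates strict unicast reverse-path forwarding at a hypothetical edge router over a constructed routing table (RFC 5737 documentation prefixes) and constructed packets aimed at a hypothetical counter-DoS box, and shows what such a filter does and does not catch.

```python
"""Strict reverse-path (uRPF-style) ingress filtering over constructed packets.

Added illustration, not from the original mailing-list post. The routing
table, interface names and packet samples are constructed; addresses come
from the RFC 5737 documentation ranges.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: Net
    interface: str


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrived on
    src: IPv4
    dst: IPv4


# Constructed FIB for a hypothetical provider edge router: two customer
# prefixes plus a default route towards the upstream.
ROUTES = (
    Route(Net("203.0.113.0/24"), "customer-A"),
    Route(Net("198.51.100.0/24"), "customer-B"),
    Route(Net("0.0.0.0/0"), "upstream"),
)


def best_route(addr: IPv4, routes=ROUTES) -> Optional[Route]:
    """Longest-prefix match, as a forwarding lookup would do."""
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def strict_urpf_accept(pkt: Packet, routes=ROUTES) -> bool:
    """Strict uRPF: accept only if the best route back to the packet's
    *source* address points out the interface the packet arrived on."""
    rev = best_route(pkt.src, routes)
    return rev is not None and rev.interface == pkt.ingress


def filter_packets(pkts, routes=ROUTES) -> dict:
    """Apply the check to each packet; returns {(ingress, src): 'accept'|'drop'}."""
    return {
        (p.ingress, str(p.src)): ("accept" if strict_urpf_accept(p, routes) else "drop")
        for p in pkts
    }


# Constructed samples. The destination is a hypothetical retaliating
# appliance at 203.0.113.10 behind customer-A; the question is whose
# source address it would answer if it trusted the packet.
TARGET = IPv4("203.0.113.10")
SAMPLES = [
    Packet("customer-A", IPv4("203.0.113.5"), TARGET),    # legitimate customer-A host
    Packet("customer-A", IPv4("198.51.100.9"), TARGET),   # customer-A host spoofing customer-B
    Packet("upstream", IPv4("203.0.113.5"), TARGET),      # outsider spoofing our own customer
    Packet("upstream", IPv4("192.0.2.1"), TARGET),        # ordinary remote source
    Packet("customer-A", IPv4("203.0.113.77"), TARGET),   # customer-A host spoofing a neighbour in-prefix
]


def demo() -> dict:
    return filter_packets(SAMPLES)


if __name__ == "__main__":
    for (iface, src), verdict in demo().items():
        print(f"{iface:<11} src={src:<14} -> {verdict}")
```

Two of the five samples show the limit the post points at: the filter drops cross-prefix spoofing at the edge, but a host spoofing another address inside its own announced prefix is indistinguishable from legitimate traffic, and the check only exists at all if the provider deploys it on the customer-facing interfaces.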
