Schneier: ISPs should bear security burden

Owen DeLong owen at delong.com
Wed Apr 27 20:33:10 UTC 2005


> The only thing I've seen in the past 20 years which has made any positive
> impact on overall internet reliability is BGP dampening. In all other 
> cases it's gotten worse as networks are ground to dust by daily DDOS 
> attacks. You can read daily about sites xyz or networks xyz being 
> unreachable for hours/days/weeks/months due to DDOS attacks. Compared to 
> 20 years ago I would have to say overall things are worse not better.

Yes... The news reports more outages today than they reported back then.
Of course, part of that is because 20 years ago, the media couldn't
spell internet, let alone connect to it.

However, the huge expansion in overall bandwidth, the increase in bandwidth
to subscriber ratio, the proliferation of firewall appliances, faster
and better switching and routing capabilities, packet over SONET, and MPLS
have all contributed to a more reliable and more flexible internet.

YMMV, but, for me, today, when I try to connect to things on the internet,
I have a much higher success rate than I did 20 years ago.  My links aren't
clogged with DDOS or abuse, even though I'm on a completely unfiltered
link.  Sure, I see the occasional DDOS, lots of probes, and, many many
attempts to use my systems to relay SPAM.  The relay attempts are quietly
discarded, the DDOS stays down in the noise threshold for the most part,
and, the other abuse attempts are logged and fail.  However, the things
I try to do with the internet mostly succeed.  Judging by the server logs,
people are getting to the web servers I host without difficulty.

20, even 10, heck, even 5 years ago, my success rates were lower than they
are today.  They've been roughly the same for the last 5 years, but, that's
pretty good, so, I'm generally happy.

I'm not saying we shouldn't make efforts to eliminate abuse.  I'm not
saying abuse isn't a reliability issue or that it doesn't have a cost.
However, eliminating end-node abuse at the transit just adds more cost
and is, in the long run, an ineffective solution at best, usually with
unintended side consequences.

Owen


-- 
If it wasn't crypto-signed, it probably didn't come from me.