North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: DNS issues various
- From: Richard A Steenbergen
- Date: Thu Oct 24 16:09:52 2002
On Thu, Oct 24, 2002 at 06:01:44PM +0000, Kelly J. Cooper wrote:
> What would be wonderful is a radical change in the way we think about DoS
> attacks. It would be fabulous for someone (or a group of someones) to
> come up with a completely different way to approach the problem. I wish
> that I could be the person who does that, who sparks that change, but in
> the seven years I've been thinking about it, nothing's come to mind.
> So, seven years of hardening hosts against SYN attacks. Five years of
> trying to get people to turn off the forwarding of broadcast packets.
> Three years of botnets generating meg upon meg of crap-bandwidth.
We have hosts that can take 100Mbit worth of SYN attacks out-of-the-box,
instead of the dialups worth that crippled PANIX.
We have a smurf attack against the root servers which was so small it was
trivially filtered, compared to the gigabits of broadcasts which used to
be open. Heck I got a bigger smurf the last time I made fun of Ralph
Doncaster's "IGP-less network" on this list. Yes it's not so completely
dead that you can only find it in labratories like smallpox, but the once
seemly endless supply of broadcasts has been closed down to the point
where it is now more difficult for attackers to find them then it is worth
in damage when they use them. It's not "dead", but it's so effectively
close that for most of us it might as well be.
We're still working on the distributed attacks, but eventually we'll come
up with something just as effective. If it was as easy to scan for
networks who don't spoof filter as it is to scan for networks with open
broadcasts, I think we'd have had that problem licked too.
It's the nature of people to invent new ways to accomplish their goals,
both from the attackers and the people running the networks. If we hadn't
plugged the PANIX style attacks, do you think anyone would have bothered
writing smurf, when they already had a tool which worked? So the question
is, do you think we're better off because we've created better TCP/IP
stacks and better routers, or worse off because we've created better
attackers with better tools we currently don't have much defense against?
Richard A Steenbergen <email@example.com> http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)