Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: WANTED: ISPs with DDoS defense solutions

  • From: Petri Helenius
  • Date: Thu Jul 31 02:26:50 2003

Paul Vixie wrote:

> lots of late night pondering tonight.
>
> the anti-nat anti-firewall pure-end-to-end crowd has always argued in
> favour of "every host for itself" but in a world with a hundred million
> unmanaged but reprogrammable devices is that really practical?

The most popular applications today either prefer or require bidirectional
connectivity. Peer2peer traffic is about half of total and there can be only
so many "corporate sponsored" SuperNodes.

Also, games and some other applications, like SIP and other VoIP stuff
require to be able to connect to the remote host. Obviously you can engineer
around all this but then, fixing the host is also "just software".

> if *all* dsl and cablemodem plants firewalled inbound SYN packets and/or
> only permitted inbound UDP in direct response to prior valid outbound UDP,
> would rob really have seen a ~140Khost botnet this year?

Sure. One late remote exploit requires just an embedded MIDI file on a web
page which MS's browser will be happy to download and "execute". Or did you
think that the NAT box would allow only text based browsing and provide
HTTP to Gopher translation?

While you are at it, make sure all email-clients are safe and immune to viruses.

Pete
