Re: Your counsel on defeating DDOS Attacks
All,

While Alan's email goes beyond the scope of CVE, it is related to a community-wide effort of significance, especially as so much public attention is being paid to security right now. Because the Editorial Board is becoming something of a cross-section of the community, discussions such as these may be fruitful. Therefore in my opinion, the occasional non-CVE-related thread may be appropriate for this list, including this thread.

Since there is no formal posting policy, I ask that Board members exercise their discretion when considering whether or not they should introduce new, non-CVE topics to the list. If there are any concerns about the usage of this list, you could discuss them offline with me, or we could put it on the agenda for the face-to-face meeting.

To comment on something that David LeBlanc suggested...

>> c. Sun users should ensure that rpc traffic is allowed only from
>>management systems.
>
>I would not get into specific vendor actions here. We could make the
>document very large if we get into details like this.

In this particular case, I would disagree. Approximately half of the CERT advisories published in 1999 deal with serious vulnerabilities in RPC services. Most of the CERT activity summaries in the past year state that those vulnerabilities were being extensively exploited. The SANS GIAC reports indicate that attackers regularly attempt to access RPC services.

Perhaps this bullet should be generalized to suggest that users disable services or restrict their access, and emphasize RPC. Disabling or filtering unnecessary services would automatically prevent a lot of security holes from being exploited from arbitrary locations across the network. It requires the attackers to find other routes in order to exploit the vulnerability - yes, they can do it, but it's (presently) more difficult.

- Steve