Re: Your counsel on defeating DDOS Attacks
David LeBlanc said:
>> >I would not get into specific vendor actions here. We could make the
>> >document very large if we get into details like this.
>> In this particular case, I would disagree. Approximately half of the
>> CERT advisories published in 1999 deal with serious vulnerabilities in
>> RPC services.
>If we're going to go into specific actions to protect against common
>exploits exposed by the various vendors, we could probably come up
>with a very long list. (<joke> didn't we just go over 500 in the
All true :-)
>I'm also not sure it is fair to single out any one vendor in a
>document of this type, and this could be just the problem of the day.
An idea we've bandied about a bit within MITRE is the notion of a "top
20 list" of the most serious and commonly exploited vulnerabilities,
similar to the WildList used by the anti-virus community, but a bit
more comprehensive than the current CERT summaries. We were thinking
of this within the context of CVE: use a top 10 list that speaks CVE,
feed it into your IDSs and assessment tools, and fix the problems.
(Our PowerPoint presentation for RAID-99 includes some slides.) A
number of others have talked about such a list as well.
It would just so happen that RPC services would dominate the top spots
for the foreseeable future ;-) but it could also leave room for NT.
The top 20 list could be used to raise the bar by actually defining
one. Conformance to the top 20 list then becomes a requirement. It
would establish an absolute minimum that anybody should be sure they
are protected from. Other lists could contain less "important"
problems, and would imply additional levels of protection. The list
could be updated on a periodic basis, with input from across the
community. As we begin to get a grip on how to model "policy," there
could be different lists for different policies.