Re: Your counsel on defeating DDOS Attacks
David LeBlanc says:
>I also believe that we should come up with a list of suggested best
>practices for someone providing internet services, and some way to encourage
>people to follow them, and perhaps discourage people from ignoring them
>(e.g., not route their packets).
I wholeheartedly agree. For encouraging and discouraging, one can
use social techniques (example from role models, hall of shame,
awards -- how about the Nobel prize for security achievements, or
similar -- the president's medal?), money (fines and subventions),
and a big stick. This document only uses governmental example and
conservative subventions. It is debatable whether the government is
a role model for many people, and it is a gamble (probably well worth
it, but still a gamble) to bet on what will come out of the research.
>With all that visibility, we really ought to make it right. So please be as
>critical as you can.
Then please excuse my brutal honesty. This document is a toothless
nice-old-lady plea. The only people happy with it will be those who
get funding because of it. Mainly what it will accomplish is put the
conscience of politicians and others to rest for having thrown some
money at the problem and for having agreed on a sermon about it. The
policy-setters of the US should realize that if the internet is going
to be an infrastructure of the economy, then it should be treated
with the care, resources and law enforcement power that other
infrastructures get. How many power companies have to plead for
people not to short-circuit the power lines or throw pipes at them
(because the sparks are beautiful and "cool")? How many states have
to plead for people to not spill oil on the highways (it's so "cool"
to see the car crashes) or not go at 200 miles per hour ("see how
good I am at building cars and driving?")?
At the barest minimum, there should be an internet hall of
shame (and funding for it) listing companies and individuals not
complying with the current accepted security practices (some were
detailed in this document), and this hall of shame should be
constituted as being impossible to sue for libel, free from
injunctions and other legal wrenches. There should also be a
national, federal or presidential, annual award for contributions to
I would also like to add that public places and food are made
safe by inspecting factories and the kitchens of restaurants. I
believe that in cases where there is evidence of neglect, it should
be possible to enforce security audits with threat of disconnection
from the internet for non-compliance. Non-compliance with repeated
notices about security neglect should be prosecutable, perhaps under
criminal negligence. Repeat offenders should be barred from the
internet for some time, just like some people can lose their
As many people realize, what allows countries to make their
own laws are border controls and tariffs. Free trade is only
possible between countries that have closely similar laws.
Consequently, if the US is to have any control over the internet, it
has to control its borders. Internet interfaces with other countries
should be controlled like the physical US borders and coastlines.
Finally, there's a saying that to get rid of predators, you
get rid of their prey or make it inaccessible. Critical security
software for home users (e.g., firewalls and virus/trojan checkers)
should be made free or close to free, perhaps with government subsidy
or a coupon system. If it becomes hard enough to find victims, maybe
hackers will lose interest.
I am certain that the very intelligent people reading this
will find many faults with what I propose. However, this society has
to give itself the power to protect what is important for it. I'll
let you decide if the internet is important enough.