RE: Your counsel on defeating DDOS Attacks

[Craig Ozancin <cozancin@axent.com>]

I couldn't agree more. My first impression was that this document was that
is dreamy. Many of the solutions that where suggested are the same that we
have been wishing for years. It would be nice if OS vendors made their
products install with security set to high, but I am not holding my breath.
Pushing IP6 implementation will be resisted by the commercial community
until it appears to be profitable. And at best is will still be years away.

The one solution that I did like was the use of router filtering. This makes
the most sense. I understand that It is difficult to manage in large network
configurations. But it seams to be the one action that can be acted upon
today. Perhaps it would make sense the security community to pressure the
router vendors to make this task easier with their software configuration.

Another interesting idea that I have come across is found in a presentation
by Robert Stone at UUNET. He talks about a method of tracking DOS floods. I
will not go into details here. The presentation can be downloaded from:
http://www.nanog.org/mtg-9910/robert.html

Craig



AlanPaller@AOL.COM says:
>With all that visibility, we really out to make it right.  So please be as
>critical as you can.

Then please excuse my brutal honesty.  This document is a toothless
nice-old-lady plea.  The only people happy with it will be those who
get funding because of it.  Mainly what it will accomplish is put the
conscience of politicians and others to rest for having thrown some
money at the problem and for having agreed on a sermon about it.  The
policy-setters of the US should realize that if the internet is going
to be an infrastructure of the economy, then it should be treated
with the care, resources and law enforcement power that other
infrastructures get.  How many power companies have to plead for
people not to short-circuit the power lines or throw pipes at them
(because the sparks are beautiful and "cool")?  How many states have
to plead for people to not spill oil on the highways (it's so "cool"
to see the car crashes) or not go at 200 miles per hour ("see how
good I am at building cars and driving?")?

	At the barest minimum, there should be an internet hall of
shame (and funding for it) listing companies and individuals not
complying with the current accepted security practices (some were
detailed in this document), and this hall of shame should be
constituted as being impossible to sue for libel, free from
injunctions and other legal wrenches.  There should also be a
national, federal or presidential, annual award for contributions to
security.

	I would also like to add that public places and food are made
safe by inspecting factories and the kitchens of restaurants.  I
believe that in cases where there is evidence of neglect, it should
be possible to enforce security audits with threat of disconnection
from the internet for non-compliance.    Non-compliance to repeated
notices about security neglects should be prosecutable, perhaps under
criminal negligence.  Repeating offenders should be barred from the
internet from some time, just like some people can loose their
driving license.

	As many people realize, what allows countries to make their
own laws are border controls and tariffs.  Free trade is only
possible between countries that have closely similar laws.
Consequently, if the US is to have any control over the internet, it
has to control its borders.  Internet interfaces with other countries
should be controlled like the physical US borders and coastlines.

	Finally, there's a saying that to get rid of predators, you
get rid of their prey or make it inaccessible.  Critical security
software for home users (e.g., firewalls and virus/trojan checkers)
should be made free or close to free, perhaps with government subsidy
or a coupon system.  If it becomes hard enough to find victims, maybe
hackers will loose interest.

	I am certain that the very intelligent people reading this
will find many faults with what I propose.  However, this society has
to give itself the power to protect what is important for it.  I'll
let you decide if the internet is important enough.

Pascal