Re: Your counsel on defeating DDOS Attacks
Alan,

A few of us at MITRE got together and have the following comments on your proposal. In our opinion, while some of the proposal may be "dreamy" as Craig put it, the extra attention being paid to security right now could help to establish this or subsequent documents as a "best practices" recommendation which could then be enforced - either through embarrassment as suggested by Pascal, by legal measures for a victim company to force an attacking company to pay damages because they did not perform due diligence, or for governments and large organizations to use in their own requirements (e.g. by not purchasing products if OS vendors don't configure systems securely out-of-the-box, or if software vendors don't follow certain secure programming practices).

- Steve

====================
Key Trends Section
====================

Here are some suggested modifications. We've cross-referenced some of these points to ease their integration into the paper.

Additions
---------

1) Many times, machines are compromised in the first place because programmers do not know how to write secure code, or security is sacrificed in favor of new functionality.

2) New models of interactivity are widely deployed without paying sufficient attention to security and control (e.g. the Melissa virus and mobile code in general).

3) The volume and variety of information available, from a wide number of sources, is extremely difficult for a system administrator to deal with. In addition, the size and diversity of computer networks makes keeping up-to-date with security extremely difficult. "Owner carelessness" is not the only problem.

4) Often, security is not a corporate priority, which means that it is under-supported financially.

Modifications
-------------

6th bullet - Many systems are configured to run unnecessary services by default. In turn, this makes them useful as attack points. Many "everyday users" may thus become unwitting participants.

=======================
Immediate Steps Section
=======================

Additional Steps
----------------

Problem 4 (Unprotected computers):

1) Disable all unnecessary services on your systems. While it's not a panacea, a large number of systems have vulnerabilities in services that aren't even necessary.

2) Each enterprise should create its own "top 20 list" of the most important vulnerabilities that MUST be fixed by the enterprise. (This is more of a grassroots approach than creating a top 20 list based on community consensus, which could be difficult to define for all/most networks.)

Modifications
-------------

Problem 4 (Unprotected computers):

3rd bullet - All software vendors should (a) establish clear, easy-to-use methods of distributing all security-related patches, and (b) provide a distinct public acknowledgement when a problem arises. This is currently the case with most major OS vendors (at least for most significant problems), although it does not necessarily scale well, but it is a problem with third-party and minor vendors.

=========================
Long Term Efforts Section
=========================

Additions
---------

1) Encourage the widespread use of strong authentication. Encryption is mentioned in the proposal, but not authentication.

2) Programmers are strongly recommended to use or build tools that help them to detect and avoid vulnerabilities during the software development cycle.

3) Fund research into security assessment tools which are as easy to use and deploy as anti-virus checkers (this is a long-term approach to producing "system-hardening scripts" as described in the immediate steps section).

Modifications
-------------

1st bullet (IP v6) - If you want to keep this paper strictly related to DDoS (instead of including how to secure zombie/slave systems in general), then consider removing or reprioritizing this bullet, which doesn't curb spoofing or DDoS attacks.
Some of these ideas are the result of email exchanges with various Board members. All Board members, please feel free to add your comments.

- Steve