On Sat, 18 Jan 2003, Steven M. Bellovin wrote:
>> 3) Find and convict the true attacker
> Hash-based trace might help on that, *if* there was recording of the packets to the zombies. But doing that ubiquitously might -- would? -- turn the Internet into a surveillance state.
Yep, the hard question isn't if we can, but if we should. We have the advantage of Casino Network Traffic Analysis: the longer you play, the more the odds favor the house. Tracking a single packet is difficult. But when the player keeps returning, eventually you can find them. Traffic analysis doesn't require looking at every packet, or even beyond the packet header. Starting with the 750 zombies and slowly working backwards is time consuming and expensive. On the other hand, putting a few thousand taps in the network is getting easier all the time. Vendors are including more Network Intrusion Detection features in their products. Most of the DDOS products on the market today include some type of traffic flow monitoring. With the right incentives, I'm sure the vendors can improve their products. But then we get to the unintended consequences. Once you collect the traffic data, who else will want to use it for other things? I'm not just talking about the government, but also divorce lawyers wanting dirt on spouses, companies tracking and silencing critics, or even hackers getting the records.
>> 2) Track and stop DDOS quickly when it does happen
> That's the point of pushback.
Triggered black holes, pushback, etc. will help. But reactive measures aren't a complete answer.
>> So how do we 1) Make end-user systems less vulnerable to being compromised
> That's my real goal...
What incentive does the end-user have to use secure systems? Should Microsoft, Sun, Sendmail Inc. or ISC be required to send a technician out to fix every defective system they released? Why should the ISP be held accountable for the defects created by others? Car makers have to fix defective cars, not the highway department.