-----Original Message-----
From: Florian Weimer [mailto:fweimer@bfk.de]
Sent: Friday, November 06, 2009 4:55 AM

Not all attacks involve saturated pipes.
There used to be anti-DDoS vendors whose boxes didn't even have WAN links. Part of the problem is that operating systems come with TCP stacks and web servers which are not very robust, so it's pretty easy to create something which behaves spectacularly better under certain attacks.

I am in complete agreement with you here. And I don't think the things I've said are generally inconsistent with the views held by others.

The original point I was trying to make before the discussion got so eloquently hijacked towards a discussion on flooding and its impact on availability is that with regards to cloud computing, if the discussion hasn't shifted from that of DDoS to EDoS, it should. Just take one look at Amazon's usage-based pricing model, and one can envision that a surplus of resources could actually be just as bad as a lack thereof. How long do you think it will take for the bad guys to realize that they don't need to cause an outage to cause havoc to the victim? A slow trickle of seemingly legitimate requests from just a few thousand hosts performed over several days or weeks might give some organizations pause and that $50k extortion might start looking pretty enticing.

I second Roland's comments with regard to the CIA triad, and his opinion that availability of resources is the first among equals is spot on. But I'm willing to bet that if the attackers exploit the so-called elasticity of the cloud and the subsequent associated financial costs, integrity is going to take on a whole new level of importance. BTW, heuristic/behavioral based analysis has benefit here, it just needs to start happening on a more granular level...

Getting back to the original discussion, I'd still like to hear what some of you think are the Pros vs. the Cons of Cloud Computing in dealing with this situation. We've heard a few and now I'd like to hear what others have to say. BTW, I realize this is a sensitive subject and I can understand why some of you might not want to respond on-list (security through obscurity eh ;). To those of you who have taken the time to respond to me off-list, I appreciate your feedback and promise to keep your identities confidential.

Regards,

Stefan Fouant
GPG Key ID: 0xB5E3803D