On Thu, Oct 24, 2002 at 06:01:44PM +0000, Kelly J. Cooper wrote:
What would be wonderful is a radical change in the way we think about DoS attacks. It would be fabulous for someone (or a group of someones) to come up with a completely different way to approach the problem. I wish that I could be the person who does that, who sparks that change, but in the seven years I've been thinking about it, nothing's come to mind.
So, seven years of hardening hosts against SYN attacks. Five years of trying to get people to turn off the forwarding of broadcast packets. Three years of botnets generating meg upon meg of crap-bandwidth.
We have hosts that can take 100Mbit worth of SYN attacks out-of-the-box, instead of the dialup's worth that crippled PANIX. We have a smurf attack against the root servers which was so small it was trivially filtered, compared to the gigabits of broadcasts which used to be open. Heck, I got a bigger smurf the last time I made fun of Ralph Doncaster's "IGP-less network" on this list. Yes, it's not so completely dead that you can only find it in laboratories like smallpox, but the once seemingly endless supply of broadcasts has been closed down to the point where it is now more difficult for attackers to find them than it is worth in damage when they use them. It's not "dead", but it's so effectively close that for most of us it might as well be.

We're still working on the distributed attacks, but eventually we'll come up with something just as effective. If it was as easy to scan for networks that don't spoof filter as it is to scan for networks with open broadcasts, I think we'd have had that problem licked too.

It's the nature of people to invent new ways to accomplish their goals, both the attackers and the people running the networks. If we hadn't plugged the PANIX-style attacks, do you think anyone would have bothered writing smurf, when they already had a tool which worked?

So the question is, do you think we're better off because we've created better TCP/IP stacks and better routers, or worse off because we've created better attackers with better tools we currently don't have much defense against?

--
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)