Rich Kulawiec <rsk@gsp.org>:
I think our working assumption should be that there will be zero cooperation from the IoT vendors. (Yeah, once in a while one might actually step up, but that will merely be a happy anomaly.)
I agree. There is, however, a chokepoint we have more hope of getting decent software deployed to. I refer to home and small-business routers. OpenWRT and kin are already minor but significant players here. And there's an NRE-minimization aregument we can make for router manufacturers to use rebranded versions rather than rolling their own crappy firmware. I think the anti-IoT-flood strategy that makes the most sense is: 1. Push open-source firmware that doesn't suck to the vendors with a cost- and risk-minimization pitch. 2. Ship it with egress filters. (And telnet blocked.) It wouldn't be technically very difficult to make the firmware rate-limit outbound connections. Cute trick: if we unlimit any local IP address that is a port-forwarding target, most users will never notice because their browser sessions won't be effected. -- <a href="http://www.catb.org/~esr/">Eric S. Raymond</a>