On Wed, 9 Jan 2019 at 20:24, Töma Gavrichenkov <ximaera@gmail.com> wrote:
So, network device vendors releasing security advisories twice a year isn't a big part of the explanation?
Those are scheduled; they have to meet some criteria to be pushed in the scheduled lot. There are also out-of-cycle SIRTs. And yes, vendors are delaying them, because customers don't want to upgrade often, because customers' customers don't want to see connections down often.
Err... don't they? My experience is quite the opposite.
Well, that is an odd experience, considering anyone with a rudimentary understanding of control-plane policing can bring the internet down from a single VPS. The majority of deployed devices _cannot_ be protected against a DoS-motivated attacker, and I'm not talking link congestion, I'm talking control-plane congestion with a few Mbps.
If we could be sure that after such fuzzing there would still be a working transport infrastructure to report on top of, then yes.
If it's important to get right, we should try to prove it wrong actively and persistently by good guys; at least then reporting and statistics can be produced. But I'm not sure if it's important to get right; the market seems to indicate security does not matter.
— just like we did with IoT in 2016 —
Internet still running, I'm still getting paid.
If anything, I suspect if it's cheaper to enter the market with inferior security and quality, then that is likely a good business case.
This is also correct so far. I wonder if it's here to stay.
We'd need the current security posture to be sufficiently unmarketable. But the motivation to simply DoS the internet doesn't really exist. DoS is against service end points; infrastructure is a trivial target, but for some reason not really targeted. I'm sure state actors have a library of DoS transit packets and BGP UPDATE packets to be deployed when strategy requires a given network or region to be disrupted. Because if we, the internet plumbers, keep finding those without trying, just trying to keep the network working, what can someone find who is funded and motivated to find those?

--
++ytti