> On Thu, Mar 11, 2004 at 03:21:29AM -0500, Brian Bruns said something to the effect of:
> > On Thursday, March 11, 2004 3:05 AM [EST], Brian Bruns <bruns@2mbit.com> wrote:
> > ..snip snip..
> > How the hell could a company put something like this out, and expect not to get themselves sued to the moon and back when it fires a shot at an innocent party?
>
> Caution: 'innocent' is not the buzzword here. Subscribers: check your respective AUPs. You will likely find explicit prohibition of any malicious and generally unsolicited traffic generated by a node in your control, and I don't think that self-defense has an extenuation clause or special case appendix therein. You attack an attacker, he, too, can pursue you legally. There are not provisions made for DoS-ing a DoS-er. Vigilante nonsense is discouraged.
>
> > ..snip snip..
> > What's going to happen when they find a nice little exploit in these buggers (even if they have anti-spoof stuff in them) that allows the kids to take control of them or trick them into attacking innocents? Instead of thousands of DDoS drones on DSL and cable modems, you'll see kids with hundreds of these 'nuclear strike firewalls' on T1s, T3s, and higher, using them like they use the current trojans?
>
> This won't even require an exploit to effect. These boxes can likely be used to do the bidding of miscreants with some simply-crafted packets and source spoofing. This thing could become something akin to a smurf amp with a big-time attitude problem. Anti-spoof rules will afford a modicum of reverse-path protection, but not enough to swat away the majority of inbound crafted traffic. This stupid PoS appliance would have to be installed and widely-deployed provider-side to discern on such a level. This would become the stuff of yet-another-botnet.
>
> > No product is 100% secure (especially not something that runs under Windows, but that's another issue), so how are they going to deliver updates?
>
> This is the least of their concerns; update management is already done effectively and easily by most IDS, anti-virii, and other signature-based appliance manufacturers. Snakeoil salesmen offer at the most basic a valid means of distributing updates, even.
>
> > Or make sure that the thing is configured right?
>
> Now _that_ is a real problem. Given that no one has beaten the creators with the illustrious clue stick and anyone who'd truly subscribe to this thing is likely mis-wired him/herself, I would guess that poor configuration is an engineering cornerstone on which this entire debacle desperately depends. Flog the scoundrels.
>
> ymmv,
> --ra
>
> --
> k. rachael treu, CISSP
> rara@navigo.com
> ..quis custodiet ipsos custodes?..
I could see blacklists (BGP based) cropping up of these systems, so that you can filter these networks from ever being able to come near your network.
This is starting to sound more and more like a nuclear arms race - on one side we have Company A, on the other Company B. Company A fears that B will attack it, so they get this super dooper nuclear strike system. Company B follows suit and sets one up as well. Both then increase their bandwidth, outdoing the other until finally, script kiddie comes along, and spoofs a packet from A to B, and B attacks A, and A responds with its own attack. ISPs hosting the companies fall flat on their face from the attack, the backbone between the two ISPs gets lagged to death, and stuff starts grinding to a halt for others caught in the crossfire.
So, and who thinks that this is a good idea? :)

--
Brian Bruns
The Summit Open Source Development Group
Open Solutions For A Closed World / Anti-Spam Resources
http://www.sosdg.org
The Abusive Hosts Blocking List
http://www.ahbl.org