Re: Is there a line of defense against Distributed Reflective attacks?
"alex" == alex <alex@yuriev.com> writes:
Sure, but this like all other attacks of this sort can be tracked... and so the pain is over /quickly/ provided you can track it quickly :) Also, sometimes null routes are ok.
How quickly is quickly? Often times as has been my recent experience (part of my motivation for posting this thread) the flood is over before one can get a human being on the phone.
Once the call arrives and the problem is deduced it can be tracked in a matter of minutes, like 6-10 at the fastest...
alex> So if one wants to create a really nasty, largely untrackable problem, one just needs to mount a set of attacks that last 3-4 minutes at a time?
Sure, that's one way to make it difficult.
alex> This is a very bad band-aid. The solution is amazingly simple -
Just to be clear, the solution to WHAT is amazingly simple?
alex> make it uneconomical to have unprotected networks,
For whom to have unprotected networks? What constitutes a protected network? How does one make it uneconomical enough?
wondering,
Michael
alex> This is a very bad band-aid. The solution is amazingly simple -
Just to be clear, the solution to WHAT is amazingly simple?
alex> make it uneconomical to have unprotected networks,
For whom to have unprotected networks? What constitutes a protected network? How does one make it uneconomical enough?
The amazingly simple solution is to make it uneconomical for anyone to maintain an unprotected network (for whatever two sets uneconomical and unprotected are). For example, have a machine that had been broken into and used to attack a company which lost $5M because of that attack, make whoever owns the machine that was broken into pay $5M + attorney fees + punitive damages. Suddenly, the unprotected (for whatever the definition of unprotected is) networks disappear either due to the bankruptcy of the owner or because it becomes cheaper for the owner to maintain those unprotected networks rather than face monetary penalties.
Alex
From: <alex@yuriev.com>
unprotected are). For example, have a machine that had been broken into and used to attack a company which lost $5M because of that attack, make whoever owns the machine that was broken into pay $5M + attorney fees + punitive damages. Suddenly, the unprotected (for whatever the definition of unprotected is) networks disappear either due to the bankruptcy of the owner or because it becomes cheaper for the owner to maintain those unprotected networks rather than face monetary penalties.
So, if I'm reading this right, user of Vendor L doesn't like Vendor M. Instead of attacking Vendor M's software, the user just needs to make sure Vendor M's corporate servers get infected and cause enough damage to run Vendor M into bankruptcy from the resulting law suits?
What about the small mom and pop shop? Will you watch as an old family business is run into the ground because someone didn't advise them properly on handling security? There is such a thing as making penalties too stiff. Many good businesses would be afraid to participate. Oh, wait. Never mind. They'd have Internet Vulnerability insurance.
Jack Bates
BrightNet Oklahoma
JB> Date: Mon, 27 Jan 2003 15:19:25 -0600
JB> From: Jack Bates
JB> So, if I'm reading this right, user of Vendor L doesn't like Vendor M. Instead of attacking Vendor M's software, the user just needs to make sure Vendor M's corporate servers get infected and cause enough damage to run Vendor M into bankruptcy from the resulting law suits?
Hey! Sounds almost like ILEC/CLEC business, dumb patents, et cetera! (Not that I agree with that... not by a longshot... but that's a real risk.)
JB> What about the small mom and pop shop? Will you watch as an old family business is run into the ground because someone didn't advise them properly on handling security? There is such a thing as making penalties too stiff. Many good businesses would be afraid to participate. Oh, wait. Never mind. They'd have Internet Vulnerability insurance.
Perhaps IVI is a worthy idea. Misconfigured computers certainly have the potential to cause damages.
"We can't afford to do it right" is a poor excuse. Hiring an expert for a few hours is much cheaper than the damage one can cause. I heard a saying that, "If a business can't afford infrastructure such as accounting, legal, et cetera, it's not a business -- it's a hobby."
Who should bear the brunt of the damage inflicted by others? I don't want to see people slinging ridiculous lawsuits (fast food causes obesity! whoulda thunk?), but I can think of several businesses that are willfully negligent when it comes to security. Should they go unpunished?
Eddy
--
Brotsman & Dreger, Inc. - EverQuick Internet Division
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 (785) 865-5885 Lawrence and [inter]national
Phone: +1 (316) 794-8922 Wichita
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Date: Mon, 21 May 2001 11:23:58 +0000 (GMT)
From: A Trap <blacklist@brics.com>
To: blacklist@brics.com
Subject: Please ignore this portion of my mail signature.
These last few lines are a trap for address-harvesting spambots. Do NOT send mail to <blacklist@brics.com>, or you are likely to be blocked.
On Mon, 27 Jan 2003 15:53:07 EST, alex@yuriev.com said:
The amazingly simple solution is to make it uneconomical for anyone to maintain an unprotected network (for whatever two sets uneconomical and unprotected are). For example, have a machine that had been broken into and used to attack a company which lost $5M because of that attack, make whoever owns the machine that was broken into pay $5M + attorney fees + punitive
So the guy who makes $25K a year and has a $400 PC in a single-wide finds himself liable for $5M because Nimda jumped from his PC to some PC in a large corporation, where it then goes on a large burn. (a) How do you collect? (b) What does the corporation do when the defense lawyer argues that it's 95% the corporation's fault for *letting* the trailer-trash PC do it? Most corporate execs don't want to go there - they'd have to quantify that they had $5M in damages, and then they'd have to explain to the shareholders why their screw-up cost the shareholders $5M in lost profits/dividends. It would be a Pyrrhic victory, at best...
participants (5)
- alex@yuriev.com
- E.B. Dreger
- Jack Bates
- Michael Lamoureux
- Valdis.Kletnieks@vt.edu