Re: router syn/syn-ack/ack alarming...
Guy T Almes <almes@advanced.org> wrote:
The case for ratio-based techniques is stronger as a means for a NOC to detect a strange situation and investigate it than as a means to automatically shut down an interface.
The two uses are not mutually exclusive. The automatic reaction is simply much faster than any NOC's, i.e. the attack is stalled before it can harm anyone.
Note that, given your 'opposite direction' idea, I could shut down service on campus 'A' by [1] logging into any host on campus 'A', [2] launching an attack that might not be harmful in itself but which would trigger the auto shutdown you advocate, and then [3] sitting back and watching all of campus 'A' get shut down, with the presumptive blame focused on them.
That will give them an incentive to improve security on their hosts. It is very much like leaving your car with the keys in the ignition in a dark corner of N.Y. Chances are good that it'll be stolen and used to commit a crime, and that you'll have to spend quite a lot of time sorting things out. It does not mean that the police shouldn't stop getaway cars. In my opinion, people whose carelessness is instrumental to crime should be at least inconvenienced. Otherwise they will unwittingly assist criminals until hell freezes over.
It's still a denial of service attack. The problem is not with detecting the ratio imbalance, but with simple deterministic response to it. That determinism could be used by an attacker.
The scenario you provided moves the burden of responsibility from the target (who may have done everything they could to secure their network) to whoever happened to be a lazy s.o.b. of a sysadmin. Right now there's nearly zero penalty for being irresponsible, particularly if you're a big U. I know sysadmins of really big and prestigious U.s who made a conscious choice of being totally irresponsible -- to the point of actually leaving a totally unprotected machine on their LAN to steer hackers off their other hosts. I bet being shut down a couple of times would very quickly change that :)
In sum, I like the idea of detecting the problem and rapidly tracing it, but I'm skeptical about a totally automated response to it given our current low level of experience with it.
We can borrow experience from utilities, which have employed automatic shut-offs of every possible kind for years. Yes, they do create problems; but on balance it appears to be a very robust approach to preserving the whole system's integrity. I really like the idea of the network being able to defend itself without dragging engineers out of bed in the middle of the night :) That will certainly remove a lot of the incentive for hacker wannabes who appear to have only one goal in their lives -- to make the lives of operators miserable. --vadim
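The ratio-based detection and automatic-response scheme argued over above, as an added worked example that is not part of the thread (no code was posted by either participant). It is a toy per-interface SYN/SYN-ACK ratio detector in Python; the interface name "campus-A", the counters, the thresholds, the hysteresis and the split between an "alarm" policy (notify the NOC) and a "shutdown" policy (drop the interface) are all constructed assumptions, not anything from a real router. Replaying constructed traffic in which one host on campus A emits spoofed-source SYNs (so the SYN-ACKs go to the forged addresses and never return through the campus interface) makes the objection concrete: under the shutdown policy the whole campus interface goes down after three suspicious intervals, while under the alarm policy the same traffic only produces an event for someone to investigate.

```python
"""Toy SYN/SYN-ACK ratio detector for a campus-facing router interface.

Added example; all counters, names and thresholds are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Sample:
    """Counters for one interface over one sampling interval (constructed)."""
    iface: str
    syn_out: int     # TCP SYNs leaving the campus through this interface
    synack_in: int   # SYN-ACKs returning to the campus through it


def syn_ratio(s: Sample) -> float:
    """Outbound SYNs per returning SYN-ACK; close to 1.0 for healthy traffic.
    Spoofed-source SYNs from inside the campus push this up because the
    SYN-ACKs are delivered to the forged addresses, not back through here."""
    return s.syn_out / max(s.synack_in, 1)


@dataclass
class RatioDetector:
    ratio_threshold: float = 3.0   # assumed: ratio above this is suspicious
    min_syn_rate: int = 500        # assumed: ignore imbalance on tiny SYN counts
    consecutive: int = 3           # suspicious intervals in a row before acting
    policy: str = "alarm"          # "alarm" (tell the NOC) or "shutdown"
    _streak: dict = field(default_factory=dict)
    shut: set = field(default_factory=set)     # interfaces taken down
    alarms: list = field(default_factory=list)  # (iface, ratio) events for the NOC

    def observe(self, s: Sample) -> str:
        """Feed one interval's counters; returns the state after this sample."""
        if s.iface in self.shut:
            return "shutdown"   # stays down until an operator clears it
        suspicious = (s.syn_out >= self.min_syn_rate
                      and syn_ratio(s) > self.ratio_threshold)
        if not suspicious:
            self._streak[s.iface] = 0      # hysteresis: streak resets on a clean interval
            return "ok"
        self._streak[s.iface] = self._streak.get(s.iface, 0) + 1
        if self._streak[s.iface] < self.consecutive:
            return "suspect"
        if self.policy == "shutdown":
            self.shut.add(s.iface)         # deterministic: anyone who can trip the
            return "shutdown"              # ratio takes the whole campus down
        self.alarms.append((s.iface, round(syn_ratio(s), 2)))
        return "alarm"


def campus_a_scenario(policy: str) -> list:
    """Replay constructed traffic: four normal intervals, then four in which one
    compromised host on campus A adds 2000 spoofed-source SYNs per interval
    while only a handful of extra SYN-ACKs come back."""
    det = RatioDetector(policy=policy)
    normal = [Sample("campus-A", 800 + i * 10, 790 + i * 10) for i in range(4)]
    attack = [Sample("campus-A", 800 + 2000, 790 + 40) for _ in range(4)]
    return [det.observe(s) for s in normal + attack]


if __name__ == "__main__":
    for policy in ("alarm", "shutdown"):
        print(policy, campus_a_scenario(policy))
```

Under the alarm policy the eight intervals yield ok, ok, ok, ok, suspect, suspect, alarm, alarm; under the shutdown policy the last two become shutdown, and the interface stays down for every later sample regardless of what the rest of the campus sends. The minimum SYN rate and the consecutive-interval requirement keep a trickle of failed connections from tripping anything, but they do nothing against an attacker who can generate enough spoofed SYNs, which is exactly the determinism Guy objects to.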
I think that perhaps a semi-automatic rather than fully automated response might be the most useful. Have someone at some 800# manned 24x7 whose job it is to filter reports of major network-type attacks. At their discretion, they could issue an advisory announcing the affected netblock and asking everyone to start searching for odd traffic to that netblock. In normal times, the various filter and log options would be off, so that performance isn't hit. In an emergency, everyone turns them on for ten minutes and enough info should be generated to track it out to a particular NSP and perhaps to an ISP. Automating the announcement and filter turn-on/turn-off would be nice, but may not be practical. Fully automated would probably take hooks in router software which don't exist now. Semi-auto, where each NSP NOC can temporarily enable the search on a particular target address range, seems more practical. -george
participants (2): George Herbert, Vadim Antonov