RE: WANTED: ISPs with DDoS defense solutions
Paul Vixie said:

lots of late night pondering tonight. the anti-nat anti-firewall pure-end-to-end crowd has always argued in favour of "every host for itself" but in a world with a hundred million unmanaged but reprogrammable devices is that really practical? if *all* dsl and cablemodem plants firewalled inbound SYN packets and/or only permitted inbound UDP in direct response to prior valid outbound UDP, would rob really have seen a ~140Khost botnet this year?

-- -----

YEAH but if I wanted to do it, the best way would be behind the firewall... They would have to put in PIX 535 with GIGE and segment the network into DMZs.. HMM.. I think that if the cable modem had a built-in router with NAT this problem could be solved partially..

I did a test about 6 months ago. Almost a honeypot, but not quite. Put a standard Windows ME system on a RW IP; put a $60 cable router in front of a similar system. The ME was compromised and made into a bot in 3 hours. The $60 router-protected one was not compromised in the 2 weeks it was used. Both had AV and were updated daily via automation.

IF only cable operators would at least STRESS the security issues OR make the AUPs stick.. Some of you may have seen my emails asking for help from Charter about security issues. It took me almost 4 months to get someone's attention, and then only after I brought up several ARIN and other policies they violated.

I hate to say it but I don't think we will see anything change here.. And if so not enough to matter.... maybe from 140K to 120K. Anyway I am ranting...

J
McBurnett, Jim wrote:
if *all* dsl and cablemodem plants firewalled inbound SYN packets and/or only permitted inbound UDP in direct response to prior valid outbound UDP, would rob really have seen a ~140Khost botnet this year?
In a sense, I would agree with you. The best method for what you describe is, of course, NAT. However, I can think of a lot of protocols that won't work with it properly. While a large portion of the userbase doesn't notice, vendors trying to put out products with these protocols do notice and their technologies are delayed as a result.

In addition, your logic will not stop bots installed via email. It doesn't have to be a worm. Enough end users will click the exe themselves despite the fact they have no clue what it is or who it's from. They are curious, so they open it. Each week, I have to explain to a user whose account I suspended that curiosity killed the cat. I Gigs of executables from email to help protect the majority of our user base, and yet they go to some webmail provider to get infected or just sit on irc or accept files across instant messenger. So much for network security.

Now they have a bot sitting behind NAT with a source started irc uplink for commands. It's a good thing my network is multi-staged spoof protected both ways.

-Jack
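To make the two positions in this thread concrete, here is an added example (not code from either poster) modelling the subscriber-edge policy Vixie sketches: drop inbound TCP SYNs, admit inbound UDP only when it answers a datagram the subscriber sent recently. The traffic, addresses and the `EdgeFilter`/`Pkt` names are constructed for illustration; the last two cases show Jack's point that a bot already inside still gets its outbound IRC uplink through.

```python
"""Toy stateful edge filter for one subscriber (constructed example)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    proto: str          # "tcp" or "udp"
    src: str            # constructed example addresses (RFC 5737 ranges)
    sport: int
    dst: str
    dport: int
    syn: bool = False   # only the TCP flags the policy cares about
    ack: bool = False

class EdgeFilter:
    def __init__(self, subscriber: str, udp_ttl: float = 30.0):
        self.sub = subscriber
        self.udp_ttl = udp_ttl
        self.udp_state = {}  # (sub_port, peer, peer_port) -> expiry time

    def filter(self, p: Pkt, now: float) -> bool:
        """Return True if the packet is forwarded, False if dropped."""
        if p.src == self.sub:
            # Outbound traffic always passes; outbound UDP opens a reply slot.
            if p.proto == "udp":
                self.udp_state[(p.sport, p.dst, p.dport)] = now + self.udp_ttl
            return True
        if p.proto == "tcp":
            # Drop new inbound connections (SYN without ACK). Replies to
            # subscriber-initiated connections pass; a real filter would
            # also track TCP state rather than trusting flags alone.
            return not (p.syn and not p.ack)
        if p.proto == "udp":
            exp = self.udp_state.get((p.dport, p.src, p.sport))
            return exp is not None and exp > now
        return False

def demo() -> dict:
    """Constructed traffic for a subscriber at 192.0.2.10; returns verdicts."""
    f = EdgeFilter("192.0.2.10")
    me, dns, scanner, irc = "192.0.2.10", "198.51.100.53", "203.0.113.7", "203.0.113.9"
    return {
        "dns_query":   f.filter(Pkt("udp", me, 40000, dns, 53), 0.0),
        "dns_reply":   f.filter(Pkt("udp", dns, 53, me, 40000), 0.2),
        "udp_probe":   f.filter(Pkt("udp", scanner, 1434, me, 1434), 1.0),
        "stale_reply": f.filter(Pkt("udp", dns, 53, me, 40000), 60.0),
        "inbound_syn": f.filter(Pkt("tcp", scanner, 5555, me, 135, syn=True), 2.0),
        "irc_uplink":  f.filter(Pkt("tcp", me, 50000, irc, 6667, syn=True), 3.0),
        "irc_synack":  f.filter(Pkt("tcp", irc, 6667, me, 50000, syn=True, ack=True), 3.1),
    }
```

The verdicts show the filter stopping the unsolicited UDP probe and the inbound SYN while passing the DNS reply, the bot's outbound IRC connection and its SYN/ACK, which is exactly the gap Jack describes.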