This is a sub-selection from Open can of worms


tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1

1 edit
reply to jjoshua

Re: Open can of worms

said by jjoshua:

I guess that even wikipedia is wrong: »en.wikipedia.org/wiki/Denial-of-···e_attack
it's not wrong -- there are multiple variations of a ddos attack. sure -- the addresses can be spoofed, but there are a lot of knobs available that allow a provider to drop this weird traffic (i.e. inbound to your own autonomous system, sourced with your own netblock address; as_path lists not correlating; etc.). these knobs prevent a good share of this traffic on a properly configured edge ingress router.

If you're telling me that my ideas suck, then what do you propose?
they don't *suck*. they lack information on what is out there and what is being done to prevent ddos and botnets now. if cable modems become more intelligent -- your idea could work. however, there will always be the tinfoil hat crowd that wants all traffic unfiltered -- ignoring the fact that with personal freedom comes personal responsibility. it is the job of the provider/carrier to manage traffic in the best way possible to enhance the experience of all customers. i am for intelligent and transparent network management, whether that be placed on the customer or the carrier.

Firewalls keep out intruders but what can we do to enhance them to detect when we are sending out malicious traffic?
they can -- and many do. my personal web gateway device is a cisco 2821 isr. it's running a sizeable chunk of ips/ids definitions that inspect traffic inbound and outbound. i've put similar appliances in customer networks (ips 4200-series from cisco) and have also done a smaller "ips card" for a cisco asa5500-series firewall in smaller customer sites. these devices update definitions and allow granular selection of exploits to be tracked and the actions taken on each definition. the issue is that these devices are (a) often complex to set up, (b) require the customer to understand the exploits and what is needed or not (or pay a contractor to manage this device for them) and (c) balance the security requirements with the performance hit (only a worry in high-speed networks). additionally, this is not something that is always going to "drop in" to a customer network -- especially due to the cost and care needed in configuration. sure -- something like this could be dropped into a cable modem, but would you want to pay upwards of $800+ for your previously $50 motorola cable modem?

Could firewalls all work with each other to identify similar malicious traffic and then filter the offenders?
yes -- but then you have to establish policy and trust zones between customers, providers, and transit carriers. while many of the aforementioned entities have similar goals when it comes to internet access -- the specifics on policy may not line up. additionally, if you have fractured trust zones, you open the door for traffic to slip through the cracks. it comes down to a "gentleman's" agreement that everyone does what they need or deem appropriate and if those policies are not followed, mitigation in the best way possible must be done. this is why it often takes time for the interwebs to calm down in a given sector after some sort of ddos/botnet attack.

it's not a clear-cut problem to solve. this is why i applaud comcast in providing a transparent solution to an issue that affects us all in some way or another; they are trying to take a step in the right direction.

q.

[edit] having trouble typing today. apparently.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."
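The edge anti-spoofing check tubbynet describes (dropping packets that arrive from outside the AS but carry a source address from the provider's own netblocks), as an added Python sketch that is not from this thread or from any router vendor; it also adds the outbound counterpart (a customer emitting a source address outside our space), and the prefixes, flow records and field names are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed assumption: the prefixes this hypothetical provider originates.
OWN_PREFIXES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]


def in_own_space(addr, prefixes=OWN_PREFIXES):
    """True if addr falls inside one of the provider's own netblocks."""
    a = ip_address(addr)
    return any(a in p for p in prefixes)


def edge_verdict(flow, prefixes=OWN_PREFIXES):
    """Decide 'drop' or 'accept' for one packet seen at the edge router.

    inbound  = arriving from a peer/transit link into our AS
    outbound = leaving our AS towards a peer/transit link

    Rule from the thread: an inbound packet sourced from our own netblock
    cannot be genuine, since that space lives inside our AS, so it is spoofed.
    Added counterpart: an outbound packet must be sourced from our own space,
    otherwise a customer is emitting spoofed traffic.
    """
    ours = in_own_space(flow["src"], prefixes)
    if flow["direction"] == "inbound" and ours:
        return "drop"
    if flow["direction"] == "outbound" and not ours:
        return "drop"
    return "accept"


# Constructed sample packets as seen on the external interface.
SAMPLE_FLOWS = [
    {"direction": "inbound", "src": "203.0.113.7", "dst": "203.0.113.50"},  # spoofed
    {"direction": "inbound", "src": "192.0.2.9", "dst": "203.0.113.50"},    # genuine
    {"direction": "outbound", "src": "198.51.100.4", "dst": "192.0.2.9"},   # genuine
    {"direction": "outbound", "src": "192.0.2.77", "dst": "192.0.2.9"},     # spoofed
]


def summarize(flows, prefixes=OWN_PREFIXES):
    """Apply the edge rule to every flow and count the outcomes."""
    verdicts = [edge_verdict(f, prefixes) for f in flows]
    return {"dropped": verdicts.count("drop"),
            "accepted": verdicts.count("accept"),
            "verdicts": verdicts}


if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS))
```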


jjoshua
Premium
join:2001-06-01
Scotch Plains, NJ
kudos:3
This part of the discussion got a little bit off topic. However, I think that I was correct when I suggested that comcast COULD build a network where one user's lack of security wouldn't affect other users.

It might require additional technology and resources but it could be done. Thanks for helping me to make my point.


tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ
kudos:1
said by jjoshua:

This part of the discussion got a little bit off topic. However, I think that I was correct when I suggested that comcast COULD build a network where one user's lack of security wouldn't affect other users.
you seem to think that comcast operates in a vacuum. this is not the case. what you are suggesting would take a huge cooperative effort between a large number of carriers and providers. even then -- it would not be foolproof and there are many other issues that plague a carrier that would cause something like this to be an issue. in my mind -- you are making a huge deal over something comcast is trying to handle with this system. however, if every problem begins to look like a nail....

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."