ietf-mxcomp

RE: DDOS attacks

2004-06-29 17:33:13

  It seems to me the DDOS attacks we have reviewed so far
  pretty much boil down to:

  SECURITY CONSIDERATIONS

Looking at this from a purely administrative point, I question this entire
e-mail.

  We take it as a given that malicious entities control
  large distributed networks of 0wned machines, in the six
  to eight figure range.  These machines are compromised
  workstation-grade machines that belong to ordinary
  end-users on broadband connections.  They are generally
  referred to as zombies.

First and foremost, what can a pack of zombie machines do to this system that
they can't already do to other systems?  Flood e-mail?  Perform repeated DNS
lookups?  Ping the hell out of mail servers or DNS servers?

  The most elegant way to mount such an attack is to
  contrive a scenario in which the technology itself plays a
  part in the resulting denial of service.  If the attack
  does not affect those who do not adopt the technology, and
  only hurts those who do adopt the technology, it gives
  adopters incentive to abandon the technology.  Such an
  auto-targeting attack can be easily executed using zombie
  networks.

Al Capone of Cyberspace.  "Don't even think of doing this or we'll hurt you."

That's like telling me not to use Internet Explorer just because you know how
to exploit flaws in it.  Or Outlook.  Or any other big name product or
technology.  Yet here I am sitting at my desk with the two most dangerous
pieces of software on my computer running at the same time, without
anti-virus software running even, and I'm not affected by the current
garbage.  Or the recent garbage.  Or the earlier garbage.  Or the garbage
that is yet to come.  So 180solutions knows how to install spyware behind
people's backs.  Big deal - doesn't work if the user can't install anything
to begin with (such as on a 2K or XP box with a limited user).

Steve Gibson preached to Microsoft pleading not to enable Raw Sockets support
in Windows XP.  His network was attacked as a result of his ranting - not
with r00ted XP boxes exploiting raw sockets - but with a plain and simple
traffic flood.  Yet he maintains TO THIS DAY that Microsoft doomed the
Internet SOLELY because of this technology.

Bugs and flaws in MARID are going to be the least of your worries when Al
Spampone tells you not to use it or else, as you explained later on.

  Both the elegant and the brute-force attacks are feasible
  against any open protocol.  The only way to avoid these
  attacks completely is to retreat to a "private club"
  model, in which nodes do not communicate with other nodes
  if they have not previously established a trust
  relationship.

  A midway position between total openness and a "private
  club" involves the use of reputation services.  If a
  protocol endpoint tests new connections against a
  reputation service before engaging more deeply in protocol
  operation, attacks can be mitigated.

I disagree wholeheartedly here.  Technologies can and do function - often
better - in an open environment.  PGP is my favorite example here, because
there's a lock where you know how the mechanism works, yet it is still
extremely difficult to break.  A strong lock, indeed.  Sure it _had_ bugs.
They got fixed.

Security by obscurity, or by reputation, is just going to hide problems until
they're discovered far too late.  Ironically, we don't have to look past our
own desktops to see examples.

Now do we have anything to hide here?

Here's another example: I'm supposedly a fool for leaving my Win2K AD
domain's primary DNS server exposed to the Internet.  Sure I'm firewalling
and port-forwarding everything I need, and if you poked around long enough
you'd discover my entire internal AD structure.  But what can you do with it?
You know my services' CSIDs (I think that's what they're called) but since
you can't talk to it through SMB or NetBIOS you're SOL.

And when MARID records begin to appear on my domain you're going to know
where my authorized SMTP clients will be.  So what?  None of those IPs or
hostnames are yours and unless you r00t my boxes they never will be.

-- 
PGP key (0x0AFA039E): 
<http://www.pan-am.ca/consulting(_at_)pan-am(_dot_)ca(_dot_)asc>
Sometimes it's hard to tell where the game ends and where reality bites,
er, begins. <http://vmyths.com/resource.cfm?id=50&page=1>

