[163579] in North American Network Operators' Group
Re: chargen is the new DDoS tool?
daemon@ATHENA.MIT.EDU (Rich Kulawiec)
Wed Jun 12 06:32:49 2013
Date: Wed, 12 Jun 2013 06:32:25 -0400
From: Rich Kulawiec <rsk@gsp.org>
To: nanog@nanog.org
In-Reply-To: <op.wyjlf2o6tfhldh@rbeam.xactional.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
I'm going to bypass the academic vs. non-academic security argument
because I've worked everywhere, and from a security viewpoint, there
is plenty of fail to go around.

On Tue, Jun 11, 2013 at 09:37:04PM -0400, Ricky Beam wrote:
> I run a default deny
> policy... if nothing asked for it, it doesn't get in.

This is a fine thing and good thing. But as you've expressed it here,
it's incomplete, because of that last clause: "it doesn't get in".
For default-deny to be effective, it has to be bidirectional.

Please don't tell me it can't be done. I've done it. Repeatedly.
It's a LOT of work. (Although progress in toolsets keeps making it easier.)
But it's also essential, since your responsibility is not just to defend
your operation from the Internet, but to defend the Internet from your
operation.

---rsk
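A worked illustration of the bidirectional default-deny point above, added here as an example and not part of the original NANOG post or anyone's production ruleset: a toy stateful packet filter in which both the ingress and the egress direction fall through to DROP unless an explicit allow-list entry or an existing connection-tracking entry permits the packet. The prefixes, hosts, ports and packets are constructed (RFC 5737 documentation addresses), and the `Firewall` and `Packet` names are this example's own. The chargen case from the thread's subject is the motivating scenario: with only inbound default-deny, an internal host that happens to run chargen is protected from unsolicited requests, but nothing stops that same host from emitting UDP/19 traffic toward the rest of the Internet if the inbound filter is ever bypassed or the host is compromised; the egress half of the policy drops it.

```python
"""Toy bidirectional default-deny packet filter (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed "our operation" prefix (RFC 5737 documentation range).
INTERNAL = ip_network("192.0.2.0/24")

# Explicit allow lists as (proto, destination port). Anything not listed
# is denied in that direction; there is no "allow all" fallback.
INGRESS_ALLOW = {("tcp", 443), ("tcp", 25)}                 # services we expose
EGRESS_ALLOW = {("tcp", 443), ("tcp", 80), ("udp", 53), ("tcp", 25)}  # traffic we originate


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


class Firewall:
    """Stateful filter: new flows must match an allow list for their direction;
    replies to accepted flows are admitted via a simple connection table."""

    def __init__(self):
        self.conntrack = set()  # (src, sport, dst, dport, proto) of accepted flows

    def _direction(self, pkt):
        src_in = ip_address(pkt.src) in INTERNAL
        dst_in = ip_address(pkt.dst) in INTERNAL
        if src_in and not dst_in:
            return "egress"
        if dst_in and not src_in:
            return "ingress"
        # Internal-to-internal is out of scope here; external-to-external
        # means a packet leaving us with a source we do not own (spoofed),
        # which a default-deny egress policy also drops.
        return "other"

    def filter(self, pkt):
        # 1. ESTABLISHED: a reply to a flow we already accepted in either direction.
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reverse in self.conntrack:
            return "ACCEPT"
        # 2. NEW flows: consult the allow list for this direction only.
        direction = self._direction(pkt)
        key = (pkt.proto, pkt.dport)
        if direction == "ingress" and key in INGRESS_ALLOW:
            self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "ACCEPT"
        if direction == "egress" and key in EGRESS_ALLOW:
            self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "ACCEPT"
        # 3. Default deny, in both directions.
        return "DROP"


if __name__ == "__main__":
    fw = Firewall()
    scenarios = [
        ("inbound chargen request", Packet("203.0.113.9", 40000, "192.0.2.10", 19, "udp")),
        ("outbound chargen traffic", Packet("192.0.2.10", 19, "203.0.113.9", 40000, "udp")),
        ("outbound HTTPS", Packet("192.0.2.10", 51000, "203.0.113.9", 443, "tcp")),
        ("HTTPS reply", Packet("203.0.113.9", 443, "192.0.2.10", 51000, "tcp")),
        ("inbound to exposed 443", Packet("203.0.113.9", 55000, "192.0.2.10", 443, "tcp")),
        ("inbound SSH", Packet("203.0.113.9", 55000, "192.0.2.10", 22, "tcp")),
        ("spoofed-source egress", Packet("198.51.100.7", 19, "203.0.113.9", 40000, "udp")),
    ]
    for name, pkt in scenarios:
        print(f"{name:28s} -> {fw.filter(pkt)}")
```

The order of checks mirrors how a real stateful firewall behaves: established replies first, then per-direction allow lists for new flows, then the default drop. A policy that only has the ingress table and lets egress fall through to ACCEPT would return ACCEPT for the "outbound chargen traffic" and "spoofed-source egress" cases, which is exactly the gap the post is describing.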