[52956] in North American Network Operators' Group


Re: More federal management of key components of the Internet needed

daemon@ATHENA.MIT.EDU (Michael.Dillon@radianz.com)
Thu Oct 24 05:39:38 2002

To: nanog@merit.edu
From: Michael.Dillon@radianz.com
Date: Thu, 24 Oct 2002 10:38:06 +0100
Errors-To: owner-nanog-outgoing@merit.edu


> Hardly. They have a hard enough time passing information from one squad
> to another within the FBI, they're never going to be able to survive and
> interoperate in the Information Age against high-tech threats that move
> at packet speed.  And don't get me started about Infragard.....ugh...

What government fails to realize is that this is war. In a combat
situation, you have to rely on the skill and the initiative of front-line
troops to win the battle, not generals and certainly not politicians. It
is true that generals and politicians can win wars, but they do this by
making the battles irrelevant, i.e. negotiating the surrender of the
enemy. However, the war we are involved in is against a disorganized enemy
who has no politicians of his own and who probably doesn't even have any
generals. Since there are no hacker politicians to negotiate with,
political action has little chance of being effective. And since there are
no hacker generals making sweeping strategic decisions, there is not much
for an organization like the FBI or NIPC to do.

The best strategic action that government and crimefighting groups can
take is to encourage and support the front-line troops to go out there and
fight the enemy. Battles are won by persistence, rapidly adapting to the
fluid situation and quick decision making on or near the front-lines.
That's why the existing communications channels and information sharing
tools used by network operators are superior to Infragard or anything that
the FBI or NIPC could think up. They are used to the slow plodding
post-mortem analysis of crimes that have been committed. Their goal is
only to catch the perp. However, on the net, we are more concerned with
mitigating the damage of an attack while it occurs and removing newly
discovered vulnerabilities as soon as possible.

I think a lot of the debate about infrastructure protection would
evaporate if we would be clearer about the goals of the different parties
and we would recognize that different goals require different means. The
FBI can manage their own program to catch perps who attack the
infrastructure while we can manage our program to quickly react to an
attack in real time, i.e. fight the front-line battles.

Perhaps we need to better document the times when the net community was
successful in dealing with an attack and analyze what was good and should
be kept versus what was bad and could be improved. One incident that I
recall was the wave of SYN flood attacks that led to various OS kernels
being hardened against such an attack. At the time I was on both the NANOG
list and the firewalls mailing list. I crossposted several messages
between the two lists so that both communities would see the full picture
and so that both groups could work together to win that one battle over a
period of two or three days. The end result was not to eliminate SYN
floods but we did mitigate the attacks so that nowadays you cannot knock
out a server with a low-bandwidth stream of SYN packets.

--Michael Dillon
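The post does not say which kernel changes made a low-bandwidth SYN stream harmless. One of the defenses adopted in that period was SYN cookies: instead of holding a half-open entry for every SYN it sees, the server encodes the state it would need (a coarse timestamp and the client's MSS, bound to the 4-tuple by a keyed hash) into the initial sequence number of its SYN-ACK, and only reconstructs the connection when a real client echoes that value back in its ACK. The following is an added example, not code from the post, from NANOG, or from any operating system; it follows the outline of the Linux/Bernstein scheme (counter in the top 8 bits, hash plus MSS index in the low 24 bits), but the secret, the MSS table, the addresses, the timestamps and the backlog and timeout figures are all constructed for illustration.

```python
"""SYN cookies: surviving a SYN flood without keeping per-SYN state.

Added illustration. Every constant, address and secret here is constructed;
the layout follows the well-known Linux/Bernstein design in outline only.
"""
import hashlib
import hmac
import socket
import struct

# Constructed secret; a kernel regenerates its cookie secrets periodically.
SECRET = b"constructed-demo-secret"

COOKIEBITS = 24                      # low 24 bits: keyed hash + MSS index
COOKIEMASK = (1 << COOKIEBITS) - 1
MAX_COOKIE_AGE = 2                   # cookie stays valid for two 1-minute ticks
MSS_TABLE = (536, 1300, 1440, 1460)  # illustrative; client MSS rounds down to an entry


def half_open_entries(syn_rate_pps, syn_timeout_s):
    """Half-open connections a stateful listener must hold at steady state.

    Illustrative figures: with an old-style 75 s SYN-RCVD timeout, a stream
    of 2 SYN/s (well under 1 kbit/s) occupies 150 entries, which already
    exceeds a listen backlog of 128. That is the 'low-bandwidth' problem.
    """
    return syn_rate_pps * syn_timeout_s


def _cookie_hash(saddr, daddr, sport, dport, count, which):
    """32-bit keyed hash binding the cookie to the 4-tuple and a counter."""
    msg = (socket.inet_aton(saddr) + socket.inet_aton(daddr)
           + struct.pack("!HHIB", sport, dport, count & 0xFFFFFFFF, which))
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


def mss_index(mss):
    """Largest table entry not above the client's MSS (index 0 if none fits)."""
    for i in range(len(MSS_TABLE) - 1, 0, -1):
        if mss >= MSS_TABLE[i]:
            return i
    return 0


def make_cookie(saddr, daddr, sport, dport, client_isn, mss, now):
    """Server ISN for the SYN-ACK. Nothing is stored for the incoming SYN."""
    count = (now // 60) & 0xFFFFFFFF
    h0 = _cookie_hash(saddr, daddr, sport, dport, 0, 0)
    h1 = _cookie_hash(saddr, daddr, sport, dport, count, 1)
    return (h0 + client_isn + (count << COOKIEBITS)
            + ((h1 + mss_index(mss)) & COOKIEMASK)) & 0xFFFFFFFF


def check_cookie(saddr, daddr, sport, dport, client_isn, cookie, now):
    """Recover the MSS from a returned cookie, or None if stale or forged."""
    count = (now // 60) & 0xFFFFFFFF
    h0 = _cookie_hash(saddr, daddr, sport, dport, 0, 0)
    # The top 8 bits hold the minute counter the cookie was minted in.
    minted = ((cookie - client_isn - h0) & 0xFFFFFFFF) >> COOKIEBITS
    age = (count - minted) & 0xFF
    if age >= MAX_COOKIE_AGE:
        return None
    minted_count = count - age
    h1 = _cookie_hash(saddr, daddr, sport, dport, minted_count, 1)
    idx = (cookie - client_isn - h0 - (minted_count << COOKIEBITS) - h1) & COOKIEMASK
    if idx >= len(MSS_TABLE):
        return None                  # hash did not cancel: wrong tuple or secret
    return MSS_TABLE[idx]


def accept_ack(saddr, daddr, sport, dport, seq, ack_seq, now):
    """Third handshake packet: seq = client_isn + 1, ack = cookie + 1.

    Returns the MSS for the new socket, or None to drop the ACK silently.
    A spoofed-source flood never produces this packet, so it costs no state.
    """
    return check_cookie(saddr, daddr, sport, dport,
                        (seq - 1) & 0xFFFFFFFF, (ack_seq - 1) & 0xFFFFFFFF, now)


if __name__ == "__main__":
    # Constructed handshake: documentation addresses, a 24 Oct 2002 timestamp.
    t0 = 1035452286
    c = make_cookie("198.51.100.7", "192.0.2.10", 40000, 80, 123456789, 1460, t0)
    print("SYN-ACK ISN (cookie):", hex(c))
    print("genuine ACK 30 s later  ->",
          accept_ack("198.51.100.7", "192.0.2.10", 40000, 80, 123456790, c + 1, t0 + 30))
    print("same ACK 200 s later    ->",
          accept_ack("198.51.100.7", "192.0.2.10", 40000, 80, 123456790, c + 1, t0 + 200))
    print("stateful listener needs", half_open_entries(2, 75), "half-open entries at 2 SYN/s")
```

The trade-off the scheme makes is visible in the code: only a few MSS values survive the round trip and other SYN options are lost, which is why real kernels fall back to cookies only once the backlog is under pressure rather than using them for every connection.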

