[60102] in North American Network Operators' Group


RE: WANTED: ISPs with DDoS defense solutions

daemon@ATHENA.MIT.EDU (McBurnett, Jim)
Thu Jul 31 17:57:45 2003

Date: Thu, 31 Jul 2003 17:54:27 -0400
From: "McBurnett, Jim" <jmcburnett@msmgmt.com>
To: "Paul Vixie" <vixie@vix.com>, <nanog@merit.edu>
Errors-To: owner-nanog-outgoing@merit.edu


Paul Vixie said:

lots of late night pondering tonight.

the anti-nat anti-firewall pure-end-to-end crowd has always argued in
favour of "every host for itself" but in a world with a hundred million
unmanaged but reprogrammable devices is that really practical?

if *all* dsl and cablemodem plants firewalled inbound SYN packets and/or
only permitted inbound UDP in direct response to prior valid outbound UDP,
would rob really have seen a ~140Khost botnet this year?
--
----- YEAH but if I wanted to do it, the best way would be behind the firewall...
They would have to put in PIX 535 with GIGE and segment the network into DMZs..


HMM.. I think that if the cable modem had a built in router with NAT
this problem could be solved partially..
I did a test about 6 months ago. almost a honeypot, but not quite.
put a standard windows ME system on a RW IP
put a $60 cable router in front of a similar system.
the ME was compromised and made into a Bot in 3 hours.
The $60 router protected one was not compromised in the
2 weeks it was used.

Both had AV and were updated daily via automation.

IF only cable operators would at least STRESS the security
issues OR make the AUP's Stick..

Some of you may have seen my emails asking for help from
Charter about security issues.
It took me almost 4 months to get someone's attention,
and then only after I brought up several ARIN and other
policies they violated.

I hate to say it but I don't think we will see anything change here..
And if so not enough to matter....
maybe from 140K to 120K

anyway I am ranting...

J
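
The filtering policy proposed in the quoted text above (drop inbound SYNs, admit inbound UDP only as a reply to prior outbound UDP), sketched as an added example that is not part of the original message. The `EdgeFilter` class, the 30-second UDP timeout, the documentation-range addresses and the packet list are all constructed assumptions.

```python
from dataclasses import dataclass

UDP_TIMEOUT = 30.0  # seconds a UDP flow stays open; assumed value, not from the post

@dataclass
class Packet:
    ts: float        # seconds since start of capture
    direction: str   # "out" = subscriber to Internet, "in" = Internet to subscriber
    proto: str       # "tcp" or "udp" (only these two are modelled)
    src: tuple       # (ip, port)
    dst: tuple       # (ip, port)
    flags: str = ""  # TCP flags: "S" = SYN, "A" = ACK

class EdgeFilter:
    """Hypothetical subscriber-edge filter applying the two rules."""
    def __init__(self, udp_timeout=UDP_TIMEOUT):
        self.udp_timeout = udp_timeout
        self.udp_flows = {}  # (local, remote) -> time of last outbound datagram

    def allow(self, p):
        if p.direction == "out":
            if p.proto == "udp":
                self.udp_flows[(p.src, p.dst)] = p.ts
            return True
        if p.proto == "tcp":
            # A bare SYN opens a new inbound connection; SYN+ACK answers an outbound SYN.
            return not ("S" in p.flags and "A" not in p.flags)
        # Inbound UDP must mirror a recent outbound datagram (same endpoints, reversed).
        key = (p.dst, p.src)
        last = self.udp_flows.get(key)
        if last is None or p.ts - last > self.udp_timeout:
            self.udp_flows.pop(key, None)
            return False
        return True

HOST, DNS, WEB, OTHER = "192.0.2.10", "198.51.100.53", "198.51.100.80", "203.0.113.7"
SAMPLE = [  # constructed packets, not captured traffic
    Packet(0.0, "out", "udp", (HOST, 40000), (DNS, 53)),       # DNS query
    Packet(0.1, "in", "udp", (DNS, 53), (HOST, 40000)),        # its reply
    Packet(1.0, "in", "udp", (OTHER, 53), (HOST, 40000)),      # unsolicited UDP
    Packet(2.0, "in", "tcp", (OTHER, 51000), (HOST, 445), "S"),  # inbound SYN
    Packet(3.0, "out", "tcp", (HOST, 50000), (WEB, 80), "S"),  # outbound SYN
    Packet(3.1, "in", "tcp", (WEB, 80), (HOST, 50000), "SA"),  # SYN+ACK reply
    Packet(60.0, "in", "udp", (DNS, 53), (HOST, 40000)),       # reply after timeout
]

def verdicts(packets):
    f = EdgeFilter()
    return [f.allow(p) for p in packets]
```
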
