[69434] in North American Network Operators' Group
Re: Packet anonymity is the problem?
daemon@ATHENA.MIT.EDU (Owen DeLong)
Sun Apr 11 13:26:39 2004
Date: Sun, 11 Apr 2004 10:25:52 -0700
From: Owen DeLong <owen@delong.com>
To: Iljitsch van Beijnum <iljitsch@muada.com>,
Yann Berthier <yb@sainte-barbe.org>
Cc: nanog@merit.edu
In-Reply-To: <2B58A8E0-8BA2-11D8-8702-000A95CD987A@muada.com>
Errors-To: owner-nanog-outgoing@merit.edu
> You make two assumptions:
>
> 1. denial of service requires compromised hosts
> 2. good code prevents hosts from being compromised
>
> I agree that without zombies launching a significant DoS is much more
> difficult, but it can still be done. Also, while many hosts run insecure
> software, the biggest security vulnerability in most systems is the
> finger resting on the left mouse button.
>
Prior to Windows I would have agreed with you. However, with the advent
of Windows, I think insecure software has surpassed the user as a source
of problems. This is not based on a belief that users have gotten any
better, but rather that software is significantly worse.
> Also, waiting for others to clean up their act to be safe isn't usually
> the most fruitful approach.
>
This is very true. However, education and encouragement of others to fix
their insecure systems is a worthwhile endeavor, and the reality remains
that if we could find a way to solve that issue, it would significantly
reduce today's DDoS and spam environment.
>> While it can sound a bit theoretical (to hope that the "others" will
>> run secure code), as the vast majority of users run OSs from one
>> particular (major) vendor, an amelioration of said family of OSs
>> would certainly benefit all. Just think about all the recent
>> network havoc caused by worms propagating on one OS platform ...
>
> I'm not all that interested in plugging individual security holes. (Not
> saying this isn't important, but to the degree this is solvable things
> are moving in the right direction.) I'm much more interested in shutting
> up hosts after they've been compromised. This is something we absolutely,
> positively need to get a handle on.
>
I think both efforts are necessary and worthy.
Owen
-- 
If this message was not signed with gpg key 0FE2AA3D, it's probably
a forgery.