[69445] in North American Network Operators' Group
Re: Packet anonymity is the problem?
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Sun Apr 11 19:10:14 2004
From: "Steven M. Bellovin" <smb@research.att.com>
To: Iljitsch van Beijnum <iljitsch@muada.com>
Cc: Sean Donelan <sean@donelan.com>, nanog@merit.edu
In-Reply-To: Your message of "Sun, 11 Apr 2004 10:32:33 +0200."
<C7AA377F-8B92-11D8-8702-000A95CD987A@muada.com>
Date: Sun, 11 Apr 2004 19:09:14 -0400
Errors-To: owner-nanog-outgoing@merit.edu
In message <C7AA377F-8B92-11D8-8702-000A95CD987A@muada.com>, Iljitsch van Beijnum writes:
>
>> Bellovin compared the situation to bank robberies. "[S]treets, highways
>> and getaway cars don't cause bank robberies, nor will redesigning them
>> solve the problem. The flaws are in the banks," he said. Similarly, most
>> security problems are due to buggy code, and changing the network will
>> not affect that.
>
>Ok, then explain to me how removing bugs from the code I run prevents
>me from being the victim of denial of service attacks.
>
That's where my analogy breaks down -- but you're being victimized
largely because of bugs in code other people run. I stand by my
statement: most of the security problems we have on the
Internet are due to buggy code. (If you want to stretch the analogy,
imagine a bogus newspaper report that stimulates uncritical readers to
withdraw their money. It's called a run on the bank, and it's every
bit as much a denial of service issue as excess packet floods -- bank
runs are transaction rates much greater than what the (financial)
system was designed to handle. And when they're triggered by false
rumors -- well, you get the picture, and my metaphors are stretched too
thin as is.)
--Steve Bellovin, http://www.research.att.com/~smb