Date:      Tue, 28 Mar 2000 22:40:09 -0600
From:      Troy Kittrell <troyk@basspro.com>
To:        Rowan Crowe <rowan@sensation.net.au>
Cc:        freebsd-isp@FreeBSD.ORG
Subject:   Re: DoS attacks
Message-ID:  <38E18929.B31C44E7@basspro.com>
References:  <Pine.BSF.4.01.10003291358330.4598-100000@velvet.sensation.net.au>



Rowan Crowe wrote:

> On Wed, 29 Mar 2000, Enno Davids wrote:
>
> > The real fix is for everyone to make sure their sites are secure. These
> > attacks are all built on compromising other people's systems as platforms
> > to launch the attack on third parties. The victim is attacked by systems
> > which have themselves been hijacked to that purpose and hence the real fix
> > is to prevent the hijacking to begin with.
>
> I'll make a sweeping generalisation here...
>
> Probably most of the people on this list are well aware of even basic
> security issues and have their boxes reasonably secure.

  Agreed...

>
>
> It's the people who "click here to install Linux RH 5.1" that are the
> problem! :-( Not just home users hanging off a 56k modem, either...
>

  I would beg to differ here. Experience has taught me that "clicking a button"
with _any_ form of FreeBSD install is far more likely to result in a useful
(translated to vulnerable) system than a Linux install. FreeBSD, while being so
much more secure from the ground up than Linux (IMHO), is still just as prone to
stupid human errors as Linux is.

>
> Getting every box secure would be even more difficult than something which
> is already impossible - every ISP blocking spoofed packets and not
> permitting them to reach the outside world.

  It seems to me that this could only be accomplished by a total commitment from
every back-bone provider. Would/could this not be a provision of some sort of
QOS agreement?

>
>
> On that note, here's a simple ipfw set of rules for a single IP block:
>
> ipfw a nnn deny log ip from x.x.x.x to any in via iface
> # disallow packets IN which have one of our IPs - external spoof
>
> ipfw a nnn allow ip from x.x.x.x to any out via iface
> # permit packets OUT which originate from one of our IPs - valid
>
> ipfw a nnn deny log ip from any to any out via iface
> # disallow packets OUT which *don't* originate from one of our IPs -
> internal spoof
>
> Of course this will become much more complicated with more IP blocks,
> multiple POPs, transit for other ISPs etc passing through.
>
> I have rules similar to the above on both my transit and customer links
> (in the latter case, the first rule is not used)

woulda, coulda, shoulda. I feel that the problem here is that there are too many
(possible) DoS clients out there on networks that aren't held accountable. Until
there is some definite financial responsibility/liability, these vulnerable
client DoS systems will exist, and you and I (and yahoo.com) will have to deal
with them. As long as the person(s) responsible for these vulnerable systems can
show up in court and say "gee Your Honour, I didn't know that could happen, I've
already started fixing it," no one will pay the price but the targets of the
attacks. Once again, IMHO.
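The three-rule anti-spoofing set Rowan quotes above generalises to several address blocks in a way that is easy to get wrong by hand (the deny-everything-out rule must come after every allow-out rule, and the deny-in rule is dropped on customer links). The following is an added example, not code from this thread or from FreeBSD: it generates the equivalent `ipfw add` lines for a list of owned blocks and then evaluates constructed packets against them with ipfw's first-match semantics, so the behaviour of the ordering can be checked offline. The sample blocks are RFC 5737 documentation ranges, the interface name `fxp0`, the rule numbering, and the assumed final "allow any" default are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: two address blocks this ISP is assumed to own
# (RFC 5737 documentation prefixes, not real assignments).
OWNED_BLOCKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]


@dataclass
class Rule:
    number: int
    action: str                      # "allow" or "deny"
    log: bool                        # ipfw "log" keyword
    src: Optional[ipaddress.IPv4Network]  # None means "any"
    direction: str                   # "in" or "out"
    iface: str


def antispoof_rules(blocks, iface: str, start: int = 1000, step: int = 10,
                    customer_link: bool = False) -> List[Rule]:
    """Build the rule set from the thread, generalised to many blocks.

    Order matters because ipfw stops at the first match:
      1. deny (log) inbound packets claiming one of OUR blocks  - external spoof
      2. allow outbound packets from each of our blocks         - legitimate
      3. deny (log) any other outbound packet                   - internal spoof
    On a customer link the inbound-deny rules are omitted, as Rowan
    describes for his own setup.
    """
    rules: List[Rule] = []
    n = start
    if not customer_link:
        for b in blocks:
            rules.append(Rule(n, "deny", True, b, "in", iface))
            n += step
    for b in blocks:
        rules.append(Rule(n, "allow", False, b, "out", iface))
        n += step
    rules.append(Rule(n, "deny", True, None, "out", iface))
    return rules


def to_ipfw(rule: Rule) -> str:
    """Render one rule as the ipfw command line it corresponds to."""
    src = "any" if rule.src is None else str(rule.src)
    log = " log" if rule.log else ""
    return (f"ipfw add {rule.number} {rule.action}{log} ip from {src} "
            f"to any {rule.direction} via {rule.iface}")


@dataclass
class Packet:
    src: str
    direction: str   # "in" or "out"
    iface: str


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int], bool]:
    """First-match evaluation, returning (action, rule number, logged?).

    Assumption for this example: when no rule matches, the kernel's
    default is an "allow ip from any to any" rule at the end of the chain.
    """
    addr = ipaddress.ip_address(pkt.src)
    for r in rules:
        if r.direction != pkt.direction or r.iface != pkt.iface:
            continue
        if r.src is not None and addr not in r.src:
            continue
        return (r.action, r.number, r.log)
    return ("allow", None, False)


if __name__ == "__main__":
    ruleset = antispoof_rules(OWNED_BLOCKS, "fxp0")
    for r in ruleset:
        print(to_ipfw(r))
    # Constructed packets: one external spoof, one internal spoof, two legitimate.
    for p in (Packet("192.0.2.10", "in", "fxp0"),     # claims our block, arrives inbound
              Packet("203.0.113.5", "in", "fxp0"),    # ordinary inbound traffic
              Packet("198.51.100.7", "out", "fxp0"),  # our block leaving: fine
              Packet("203.0.113.5", "out", "fxp0")):  # foreign source leaving: spoof
        print(p, "->", evaluate(ruleset, p))
```

Running the script prints the five generated rules followed by the verdict for each constructed packet; the two spoofed packets hit the logging deny rules, so an operator watching the ipfw log would see both the external and the internal case.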


