[e2e] Re: crippled Internet

[David P. Reed]

DDoS prevention should only become common if DDoS detection and removal 
costs more than the prevention (in aggregate).  My contention is that the 
net can easily apply a tourniquet to the wounded limb (all you have to do 
is stop routing traffic to the target of the attack), trace back and clean 
up.  Compared to constant overhead of middleboxes and filters that's great.

It's analogous to the idea that the air terrorists have won, by forcing 
everybody entering the airport to submit to (unconstitutional? certainly 
unreasonable) searches without probable cause.  A huge cost, even if it is 
small for each individual.

Since mass murder is more heinous by far than taking Microsoft down for a 
while very infrequently, it seems to me that asking each user to suffer 
denial of service (port restrictions, ...) because of the concern about a 
few hackers is bad.

Remember, if the same guys keep attacking MS over and over again the same 
way, they WILL get caught.   So any countermeasure implemented becomes 
obsolete immediately, encrusts the network forever, and pushes the bad guys 
to do something you didn't block.  So you keep punishing your good users 
more and more, and never catch the bad guys.

This is what happened with "security kernels" in the US military computer 
security projects.  The multi-level security model worked perfectly, but it 
made doing everyday work impossible for the people who needed to get things 
done to fight the war.  Perfect prevention seems to be less robust than a 
system that is less perfect, but more flexible.

At 09:56 AM 4/19/01 -0700, Ted Faber wrote:
>On Thu, Apr 19, 2001 at 05:23:34PM +0100, Lloyd Wood wrote:
> > On Wed, 18 Apr 2001, Ted Faber wrote:
> > > Unless I've misunderstood you, you're going to charge my Mom if her
> > > Windows box gets hacked and used in a DoS attack on Yahoo.
> >
> > If the traffic generated by Mom's Windows box has a faked source
> > address, someone else could end up paying for the traffic Yahoo
> > generates (in good faith)  in return.
>
>That seems to be a potential outcome of the proposal.  I can't tell if
>you think that's good, bad, or indifferent.
>
>I agree that computers hijacked for DoS impose real costs on other
>users.  I don't think that the burden of securing them using current
>technology can reasonably be placed on users.  It's more reasonable to
>have someone indemnify the ISPs (Internet malpractice insurance, if
>you will) and have them pass that cost indirectly to users.  Such an
>insurer will make ISP requirements, etc.  And obviously, if a user
>decides to surf uninsured when such insurance is available, then
>they're personally liable.
>
>Right now there are too few choices for non-experts to secure their
>machines and non-experts are the majority of users.  It's unreasonable
>to make them financially responsible.
>
>