[e2e] Re: crippled Internet
David P. Reed
dpreed at reed.com
Thu Apr 19 22:32:26 PDT 2001
DDoS prevention should only become common if DDoS detection and removal
costs more than the prevention (in aggregate). My contention is that the
net can easily apply a tourniquet to the wounded limb (all you have to do
is stop routing traffic to the target of the attack), trace back and clean
up. Compared to constant overhead of middleboxes and filters that's great.
It's analogous to the idea that the air terrorists have won, by forcing
everybody entering the airport to submit to (unconstitutional? certainly
unreasonable) searches without probable cause. A huge cost, even if it is
small for each individual.
Since mass murder is more heinous by far than taking Microsoft down for a
while very infrequently, it seems to me that asking each user to suffer
denial of service (port restrictions, ...) because of the concern about a
few hackers is bad.
Remember, if the same guys keep attacking MS over and over again the same
way, they WILL get caught. So any countermeasure implemented becomes
obsolete immediately, encrusts the network forever, and pushes the bad guys
to do something you didn't block. So you keep punishing your good users
more and more, and never catch the bad guys.
This is what happened with "security kernels" in the US military computer
security projects. The multi-level security model worked perfectly, but it
made doing everyday work impossible for the people who needed to get things
done to fight the war. Perfect prevention seems to be less robust than a
system that is less perfect, but more flexible.
At 09:56 AM 4/19/01 -0700, Ted Faber wrote:
>On Thu, Apr 19, 2001 at 05:23:34PM +0100, Lloyd Wood wrote:
> > On Wed, 18 Apr 2001, Ted Faber wrote:
> > > Unless I've misunderstood you, you're going to charge my Mom if her
> > > Windows box gets hacked and used in a DoS attack on Yahoo.
> > If the traffic generated by Mom's Windows box has a faked source
> > address, someone else could end up paying for the traffic Yahoo
> > generates (in good faith) in return.
>That seems to be a potential outcome of the proposal. I can't tell if
>you think that's good, bad, or indifferent.
>I agree that computers hijacked for DoS impose real costs on other
>users. I don't think that the burden of securing them using current
>technology can reasonably be placed on users. It's more reasonable to
>have someone indemnify the ISPs (Internet malpractice insurance, if
>you will) and have them pass that cost indirectly to users. Such an
>insurer will make ISP requirements, etc. And obviously, if a user
>decides to surf uninsured when such insurance is available, then
>they're personally liable.
>Right now there are too few choices for non-experts to secure their
>machines and non-experts are the majority of users. It's unreasonable
>to make them financially responsible.
More information about the end2end-interest