DDoS Attacks Traced to UCSB, Stanford

michael.creasy writes, "BBC Online reports that the DDoS attacks have been traced to California." The article says there is no evidence that employees or students at Stanford or the University of California at Santa Barbara [UCSB] were connected with the attacks - they were just "zombie" sites - but that the FBI is now zeroing in on California and Oregon as the region from which the attacks most likely originated.

This problem is fixable (again)

[Animats]

As I pointed out previously, this problem is fixable, despite stupid press reports to the contrary. Protective measures against SYN flooding were developed back in 1997, but unfortunately, the two open-source patches developed, for BSD and Linux, weren't of good enough quality to deploy widely and leave on all the time. That could be easily fixed with a few days work by competent people. Presumably that work will get done now.

Once you stop SYN flood attacks, and have the fixes in for stupid bugs like the "Ping of death" and IP broadcast packet expansion, everything else that can happen has a reachable IP address associated with it. Those attacks are traceable back at least one level, and you can make them ineffective by imposing some kind of quota system or block based on source IP address at various levels of the server. Web servers like Apache might need to be smartened up a bit so they don't choke when a huge number of requests come in from the same IP address (and that mechanism needs to know about major proxy servers like AOL), but that's not too tough.

The key points to understand are this:

• There are technical fixes to these vulnerabilities. We're talking weeks of work on a few specific pieces of software, not re-engineering the whole Internet.
• We don't need a massive FBI presence, $2 billion, or Presidential involvement to fix the problem.
• Journalistic coverage of this event has grossly overstated the problem.

John Nagle / Menlo Park, CA