Slashdot Mirror


DoS Attacks Persisting, On The Rise

thelizman writes "One of the most basic "hacks" (to use the media's bastardization of the term) is a Denial of Service attack. While not getting you any access to data on a machine, DoS attacks effectively shut down machines by making them inaccessible to others. CNN is carrying an IDG.net story about how DoS attacks are still one of the leading threats on the Internet, and are actually on the rise as the sophistication of the attacks increases." We get them constantly - some intentional, some not. It's really a pain.

3 of 287 comments

  1. DoS sucks by El+Volio · · Score: 5, Insightful

    Having been one of the admins for a pretty large website (top 50 according to Media Metrix), I can definitely state that DoS attacks are a royal pain. Sure, you can throw infrastructure at a problem and alleviate it, but you can't defeat it -- and they just keep coming. It's the type of attack I've never understood: it doesn't gain the attacker anything (unlike rooting a box), it's nothing but being a hoodlum.

    --

    "You can never have too many elephants on your team."

  2. EGRESS FILTERS are STILL not implemented by ISPs by Medievalist · · Score: 5, Insightful

    /.
    Best Current Practice recommends egress filtering for all networks. Are yours in place?

    The big problem with DOS and DDOS is the untraceability provided by networks who do not prevent address spoofing with egress filters. If traffic is traceable, criminals get caught.

    Before anyone's knee jerks, let me point out:

    1) this is not a performance issue. Routing hardware and software (LRP for example) is widely and cheaply (compared to line costs) available that can implement egress filtering without any noticeable effect on line speed. Face it, processors are faster than telecommunications.

    2) Egress filters do not improve a repressive regime's ability to finger political dissidents.

    3) Egress filters are unlikely to impact privacy - unless what you are trying to keep private is destructive activity. Post a real example if you disagree.

    4) I know it's not a cure-all. It's a necessary first step, though.

    While Congress milks the entertainment industry for campaign funds in exchange for "digital rights management" fascism, they ought to be mandating specific monetary penalties for businesses that do not implement egress filters, and for ISPs that do nothing about hundreds of Code-Red infected nodes on their cable farms. I shouldn't have to pay Comcast if my bandwidth is being principally used by criminals to fill my firewall logs.

    I post this every time the subject comes up; next time I'll just make a flippin' link to the BCP RFCs. I'm sure you'll all be relieved.

    --Charlie
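
Added example (not part of the original comment, and not any router's actual code): the source-address check an egress filter applies at a network edge, sketched in Python. The prefixes, interface name and packet records are constructed for illustration and use documentation address ranges.

```python
import ipaddress
from collections import Counter

# Assumption: the address space legitimately assigned behind this edge.
ASSIGNED_PREFIXES = [ipaddress.ip_network(p)
                     for p in ("192.0.2.0/24", "2001:db8:10::/48")]

# Constructed outbound packets: (customer-facing interface, source, destination).
SAMPLE_OUTBOUND = [
    ("cust0", "192.0.2.17", "198.51.100.5"),           # legitimate source
    ("cust0", "203.0.113.9", "198.51.100.5"),          # source outside assigned space
    ("cust0", "10.1.2.3", "198.51.100.5"),             # private source leaking out
    ("cust0", "2001:db8:10::25", "2001:db8:ffff::1"),  # legitimate IPv6 source
    ("cust0", "not-an-ip", "198.51.100.5"),            # malformed record
]

def egress_verdict(src, prefixes=ASSIGNED_PREFIXES):
    """Forward only packets whose source address belongs to this network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "drop:malformed"
    if any(addr.version == net.version and addr in net for net in prefixes):
        return "forward"
    return "drop:source-not-assigned"

def apply_egress_filter(packets, prefixes=ASSIGNED_PREFIXES):
    """Return forwarded packets plus drop counts keyed by (interface, reason).

    The per-interface drop count is what makes spoofing attempts attributable
    to the port they entered on, even though the source address is forged.
    """
    forwarded, dropped = [], Counter()
    for iface, src, dst in packets:
        verdict = egress_verdict(src, prefixes)
        if verdict == "forward":
            forwarded.append((iface, src, dst))
        else:
            dropped[(iface, verdict)] += 1
    return forwarded, dropped

if __name__ == "__main__":
    fwd, drops = apply_egress_filter(SAMPLE_OUTBOUND)
    print("forwarded:", fwd)
    for (iface, reason), count in sorted(drops.items()):
        print(f"{iface} {reason} x{count}")
```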

  3. Re:Wait until.. by Liquor · · Score: 5, Insightful
    The Kazaa and Gnutella networks are protocols.
    No, they are many computers running programs that implement protocols.
    Protocols can't catch viruses.
    True. Unfortunately, the Kazaa program installs more than one protocol handler - one is the file sharing protocol itself, and another is a 'distributed computing' facility that allows (theoretically only the Kazaa servers, but...) remote control of the machine. Compromising this functionality would allow distributing malware through the entire network.
    Now if you're talking 'bout attacking specific flaws in Kazaa client software, or Gnutella software, then so be it - but that's not the network!
    Well, if you infect all the machines that make up a network using a flaw in the code that creates that network, I'd have to say that the network is infected. And if there is an attack that works on any client, then the first machine compromised already knows the addresses of more machines... worm code that uses the network topology (which is NOT the protocol) could then propagate to the entire network - potentially millions of machines, dwarfing the scale of even the 'code red' worm.

    And if that's not effectively spreading through the network, I don't know what would be.
    Moderate this fool back to 1.
    The parent of your post is not the fool - but you definitely failed to understand the post.

    --

    Liquor
    Sanity is a highly overrated commodity.