Paul Vixie On the Unevenly Distributed Intelligence of Internet Infrastructure

CowboyRobot writes "Writing for ACM's Queue magazine, Paul Vixie argues, "The edge of the Internet is an unruly place." By design, the Internet core is stupid, and the edge is smart. This design decision has enabled the Internet's wildcat growth, since without complexity the core can grow at the speed of demand. On the downside, the decision to put all smartness at the edge means we're at the mercy of scale when it comes to the quality of the Internet's aggregate traffic load. Not all device and software builders have the skills and budgets that something the size of the Internet deserves. Furthermore, the resiliency of the Internet means that a device or program that gets something importantly wrong about Internet communication stands a pretty good chance of working "well enough" in spite of this. Witness the endless stream of patches and vulnerability announcements from the vendors of literally every smartphone, laptop, or desktop operating system and application. Bad guys have the time, skills, and motivation to study edge devices for weaknesses, and they are finding as many weaknesses as they need to inject malicious code into our precious devices where they can then copy our data, modify our installed software, spy on us, and steal our identities."

fb

[hachikyu]

fb.

Re:fb

yes

Benner madnes on slashban

Its not that the beta is horrid on top of that now you get spammed with mega banners and popups, what is this 2001? all over again? Is slashdot really dieing. You guys need to make your mind.

As of now on slashdot you need to have No Script running plus at least Addblock, also block the shitty flash too.

This may be actually time to start looking around, anyone interested starting slashdot 2?

 

Re:Benner madnes on slashban

[philip.mather5551]

Crowd-funded development of an open platform to replace Slashdot with 1, 2, 3 and 4 digit UIDs as rewards?

Re:Benner madnes on slashban

http://www.altslashdot.org/

Re:Benner madnes on slashban

[fisted]

HTML. Do you speak it?

Re:Benner madnes on slashban

[runeghost]

Already underway. http://www.altslashdot.org/

Re:Benner madnes on slashban

[rudy_wayne]

I made the mistake of trying the Slashdot Beta. What horrid shit.

Seriously. What kind of retarded fuckwad thinks that it is a good design.

Where does Slashdot fit in this theory?

I think that Slashdot is a perfect rebuttal to this theory.

The existing site, while not perfect, is far closer to the "core" of the Internet than it is to the "edge". Yet despite its shortcomings, it's actually a very usable and practical site. We can easily engage in discussion here, for example. It's anything but "stupid". It's quite smart and pragmatic.

Then we have the Slashdot beta site. It's obvious at the "edge" of the Internet, so to speak. Yet it is not "smart". As anyone who has used it will know quite well, it is as dumb as it could possibly be. It's so broken and awful in so many irreparable ways. It makes it damn near impossible to read the content here, and even more difficult to participate in discussions. It's a failure, and best categorized as "stupid".

So I don't totally buy this theory. I think that the "core" is often the "core" because it's the smartest or best way of doing something. What we find floating at the "edges" is crap, like the Slashdot beta site. It's at the "edge" because it's nothing more than a turd that has been flung away from civilization.

Classic Slashdot

[dknj]

I'm sorry, this is off topic, but I was getting a warning at the top of Slashdot that classic is going to be going away soon (looks like in 6 months).

How many readers are going to leave if slashdot classic is cut off completely?

Re:Classic Slashdot

[umafuckit]

How many readers are going to leave if slashdot classic is cut off completely?

Good question. Maybe Timothy should set a poll?

Re:Classic Slashdot

How many readers are going to leave if slashdot classic is cut off completely?

Since d2, /. is barely usable anyway. I don't think it'll be possible for users like me who choose to disable javascript to continue visiting should the site undergo any further "improvements".

Re: Classic Slashdot

[AmazingRuss]

You'll all tell the poll you're leaving, but come back every day to complain.

Re:Classic Slashdot

[umafuckit]

"Insightful"? "Interesting"? "Off-topic"? Come one guys! I was hoping for at least one "Funny"

Re:Classic Slashdot

[kbahey]

Dice's management have already made up their mind, and they are determined to kill Classic Slashdot. They may entertain some changes to the beta, but they will not kill it.

They will not setup a poll, because they have already decided. Done deal.

The part I am not sure of, is: do they know the extent of revulsion against beta? Or are they just chalking it up to a vocal minority, trolls, and whatnot?

Re:Classic Slashdot

Probably ALL of the ACs and casual work/home browsers like my self.

It's TCP/IP, baby.

It's just the way TCP/IP was designed, back in the ARPANET days, you know.
Putting all the intelligence in the hosts allows for more resiliency, since it takes a lot to the bring the whole infrastructure down this way.
Mobile networks are quite the opposite, though (smarter infrastructure, a little more dumb terminals).
Software defined networks are definitely a way to bring some intelligence back in the infrastructure of IP networks.
We'll see if it will enable a smarter Internet or not.

Re:It's TCP/IP, baby.

[fuzzyfuzzyfungus]

Probably more than resilience, moving the intelligence to the edges of the network allowed for innovation. It's not as though POTS is a quagmire of reliability issues (indeed, it stacks up pretty well compared to any internet connection not expensive enough to have a proper SLA); but it's an ossified wasteland because essentially any change had to run the gauntlet of "Is it worth making the necessary modifications and upgrades to the intelligence at the center of the network and will doing it make AT&T more money?" If something new couldn't be squeezed through the network as though it were a voice call, or officially blessed by Ma Bell (as with 1-900 numbers and billing for them), it just didn't happen. Even with the introduction of mobile phones, and the opportunity to hammer out huge swaths of new spec, they added what, SMS? Virtually all the features of today's "phones", with the exception of voice calls and maximum-compatibility SMS snippets have gone IP because that is where the versatility is.

With intelligence at the edges, if you want something done, all you need is two or more endpoints with the right software and there you are. This goes for malice as well, of course, which is part of why the internet is kind of a rough neighborhood; but it's also why IP-based capabilities have changed so radically, while systems with more centralized intelligence have largely stagnated(even more impressive 'dumb endpoint' arrangements, like Minitel, have been eclipsed).

Re:It's TCP/IP, baby.

[skids]

Putting all the intelligence in the hosts allows for more resiliency, since it takes a lot to the bring the whole infrastructure down this way.

It's the way to go. Any intellegence added to the core should merely be simple tweaks to enable more intelligence at the edges. For example, one might plausibly argue that making core routers select second/third most-preferred destination routes for a packet based on a TTL % on IP packets would allow end-systems to experimentally find the fastest performing route through the internet by trying different values on their TTLs/option fields. One could not reasonably argue for expecting core devices to maintain per-connection or even per-client/netblock state in an attempt to find alternate routes for each client connection.

Software defined networks are definitely a way to bring some intelligence back in the infrastructure of IP networks. We'll see if it will enable a smarter Internet or not.

From what I've seen of SDN it's a bunch of people who think they can abstract network services in a simple model, but who have no compreshension of the intrinsic differences in the heterogeneous mixture of devices employed, so they haven't even scratched the surface of being able to build a taxonomy/capabilities-enumeration for things like, for example, how many CAM entries are available for edge switch filters on a given switch model. Without that information, SDN applications have no way of doing any serious budgeting before launching a request into the network gear, and since the device might happily take the commands and provision a halfway-functional service that is dropping 5% of packets, rather than reject the request, and SDN has no real provisions for testing services before putting them in production, SDN is doomed to be confined to data centers where equipment has been carefully kept homogeneous.

Most people using SDN that I;'ve seen are doing so for enterprise (including server farm) LAN, not core internet.

Re:It's TCP/IP, baby.

Well, to be fair, it's easy to efficiently emulate connection-based services on a sufficiently fast connectionless network, but not so much vice-versa, eh?

I'm bleakly amused by the way Ma Bell managed to convince people they should pay extra for DTMF - even though it's been significantly cheaper for telcos to support touch-tone than pulse dialing since the 70s.

Maybe, just maybe...

[Frosty+Piss]

Paul Vixie can pontificate on the Unevenly Distributed Intelligence at Dice that has resulted in this abomination known as Beta Slashdot...

Re:Maybe, just maybe...

apparently they have infinite mod points to give everybody -1 for trash talking beta

Re:Maybe, just maybe...

[RR]

Paul Vixie can pontificate on the Unevenly Distributed Intelligence at Dice that has resulted in this abomination known as Beta Slashdot...

I don't think so. Beta Slashdot is a consequence of the idiot staff that Dice has hired to run Slashdot, considering that the headline and summary have nothing to do with Paul Vixie's argument. The quotes are taken from the article, but in a stupid way, like CowboyRobot is some sort of robot...

The article is actually about the need for the addition of minimal state to stateless protocols in order to thwart DDOS amplification techniques.

How do I disable this stupid beta shit

n/t

Re:How do I disable this stupid beta shit

http://tech.slashdot.org/comme...

Re:How do I disable this stupid beta shit

Why's the source link in the post I replied to downmodded? It works.

And if you look to your left...

We have the core of the internet, the "FUBARBeta"!

Re:And if you look to your left...

It's ok, I'll take that as a +1 :D

Re:And if you look to your left...

Liv'in on the edge...

no

g+.

Mr. Vixie's WEAK DNS design's part of why

I made this, specifically for item "B" below: Hosts do more w/ less (1 file) @ a faster level (ring 0) vs redundant browser addons (slowing up slower ring 3 browsers) via filtering 4 the IP stack (coded in C, loads w/ OS, & 1st net resolver queried w\ 45++ yrs.of optimization):

---

APK Hosts File Engine 9.0++ 32/64-bit:

http://start64.com/index.php?o...

(Details of hosts' benefits enumerated in link)

Summary:

---

A. ) Hosts do more than AdBlock ("souled-out" 2 Google/Crippled by default) + Ghostery (Advertiser owned) - "Fox guards henhouse", or Request Policy -> http://yro.slashdot.org/commen...

B. ) Hosts add reliability vs. downed or redirected DNS + secure vs. known malicious domains too -> http://tech.slashdot.org/comme... w/ less added "moving parts" complexity + room 4 breakdown,

C. ) Hosts files yield more speed (blocks ads & hardcodes fav sites - faster than remote DNS), security (vs. malicious domains serving mal-content + block spam/phish), reliability (vs. downed or Kaminsky redirect vulnerable DNS, 99% = unpatched vs. it & worst @ ISP level + weak vs FastFlux + DynDNS botnets), & anonymity (vs. dns request logs + DNSBL's).

---

* Addons are more complex + slowup browsers in message passing (use a few concurrently & see) - Addons slowdown SLOWER usermode browsers layering on MORE: I work w/ what you have in kernelmode, via hosts (A tightly integrated PART of the IP stack itself)

APK

P.S.=> * "A fool makes things bigger + more complex: It takes a touch of genius & a lot of courage to move in the opposite direction." - Einstein

** "Less is more" = GOOD engineering!

*** "The premise is, quite simple: Take something designed by nature & reprogram it to make it work FOR the body, rather than against it..." - Dr. Alice Krippen "I AM LEGEND"

...apk

Distribution of Intelligence

Yes, intelligence is very unevenly distributed on the internet. By one measure, approximately 25% of the internet audience will find a complete void of any intelligence at all. I say, fuck that.

So don't give them anything to steal

[martin-boundary]

The internet consists of hardware and software and things worth stealing. The first has long development cycles, and is more difficult to modify than the second. The second is extremely varied and full of vulnerabilties that are often easy to patch one instance at a time, but hard to patch simultaneously and comprehensively across the network. The third are things that shouldn't be accessible from the Internet in the first place, like our real names just so we can have a Google account, our credit card numbers just so merchants don't have to ask us when they want to charge us, our activity records just so we can be manipulated through ads, etc.

We can't change the first two without destroying the Internet, but there's no reason why computers should contain so much valuable information to steal.

Re:So don't give them anything to steal

Why are the vendors so fucking silent ?
Core router security ahh yeah would be kind of nice, firewall security ? any SMM platform ... yeah that too perhaps.
As for smartphones and tablets ffs.
I would understand if we were in a real war, not one on nouns.
Can someone make the actual declaration of war on #trustedsystems on behalf of the agencies please.

Stop the 'beta' redirect easily

Stop /. redirecting you to it @ least, by adding THIS to your hosts file:

216.34.181.45 beta.slashdot.org
216.34.181.45 slashdot.org
216.34.181.46 images.slashdot.org
216.34.181.48 it.slashdot.org
216.34.181.48 developers.slashdot.org
216.34.181.48 yro.slashdot.org
216.34.181.48 mobile.slashdot.org
216.34.181.48 news.slashdot.org
216.34.181.48 ask.slashdot.org
216.34.181.48 tech.slashdot.org
216.34.181.48 apple.slashdot.org
216.34.181.48 books.slashdot.org
216.34.181.48 games.slashdot.org
216.34.181.48 hardware.slashdot.org
216.34.181.48 interviews.slashdot.org
216.34.181.48 linux.slashdot.org
216.34.181.48 science.slashdot.org
216.34.181.48 idle.slashdot.org

* :)

THAT will block out their ability to redirect you to it whatsoever - Especially the 1st line item/BOLDED entry above...

(You're welcome)

APK

P.S.=> To import, sort, deduplication, create & manage a custom hosts file easily that does not only THAT shown above (plus that also secures you vs. redirects @ the DNS or even site level), but also gives you more speed, security, reliablity, & even anonymity, use this (shameless plug, details of what custom hosts give you in FULL are listed here) -> http://start64.com/index.php?o...

... apk

Re:Stop the 'beta' redirect easily

[maxwell+demon]

You forgot developers-beta, science-beta, etc.

Re:Stop the 'beta' redirect easily

Thanks apk. It really works. They minus moderate ya but can't hide ya outfoxed them with hosts.

Re:Stop the 'beta' redirect easily

[viperidaenz]

You're an idiot.

Re:Stop the 'beta' redirect easily

If he's an idiot, what are you? He supplied an easy working solution. Have you? No. You're an off topic useless troll.

Re:Stop the 'beta' redirect easily

Yeah, but he used the IP address for goat.cx, wise guy.

Re:Stop the 'beta' redirect easily

Then the ac troll's stupid. APK put up the IP address for slashdot.org in place of beta.slashdot.org and it works.

It is largely humans these days

[grantspassalan]

that are the cause of breaches and insecurities of the Internet. Long ago that was not the case, because simply connecting a computer to the Internet would get it infected with malware. Computer and browser makers have learned how to largely avoid this, but no one has yet figured out a way to prevent trusting or stupid human beings from giving permission to install programs that subsequently are able to do severe damage. This is part of human nature and will never change.

Re:It is largely humans these days

[fuzzyfuzzyfungus]

Some aspects of software security have improved; but the decline in 'just put a computer on the internet and it gets rooted in about 15 seconds' attacks, at a population level, probably owes more to the prolific spread of nasty little plastic NAT boxes.

Those things are hardly real security(and more than a few have shipped with nasty flaws of their own); but they do tend to eat unsolicited inbound traffic pretty enthusiastically, which has really cut down on the number of totally helpless computers that end up being given a brutal taste of the open internet before they've even had time to patch.

Re:It is largely humans these days

What *ARE* you talking aobut?

The human element is very real, but put an unprotected Windows box on the Internet and you can expect it to be infected in roughly five minute. The "human" part takes more work, and the automated scans and attacks are so endemic that they're like the flu in grade school. It's *everywhere* and you will be exposed.

The fun is when someone says "oh, if we have someone inside our network, we have much bigger problems" and refuse as a matter of policy to use secure protocols, to avoid sending passwords in plain text, to protect their backups, to restrict network access from other parts of the network that don't need it, etc. Then one infected laptop shows up infesting the entire infrastructure, and *BAM*. They're screwed top to bottum, front to back, and all the jiggly bits in the middle. That's a "human" problem.

Re:It is largely humans these days

put an unprotected Windows box on the Internet and you can expect it to be infected in roughly five minute.

I know you're just trying to toe the line of slashdot groupthink but this hasn't been true for more than a decade and to continue to repeat this trope just makes you look like an ignorant dinosaur.

Re:It is largely humans these days

[phantomfive]

And let's be honest, back in 2002, Microsoft wasn't even trying. Their OS was essentially an open door. Remember Nimda and Code Red?

I challenge the "courageous" (not) downmodder

To validly disprove (with computing tech) my points on hosts files - which, I KNOW, can't be done: Hence their cowardly reprehensible "hit & run" downmod of my post, but yet not being able to disprove my points.

* :)

(That's really ALL I need to see/know... it tells me my points are invulnerable & they are - Truth, always is!)

APK

P.S.=> I also think it's VERY FUNNY they think their effete impotent "downmods" will "hide" my post - the fool doing the "hit & run" downmod apparently doesn't realize that MOST folks here browse well below the default "moderation threshold" (which is easily sockpuppet cheated, or by logging out of your account after downmodding others, then trolling by ac instead afterwards - talk about "Busted Code" - figures though: Look @ the TYPE of "men" (using that term loosely) who designed it: Nerd weasels who act like women (and downmod others unjustly as is thecase here), who aren't even GOOD @ design for Pete's sake... lol, about as good @ programming as Mr. Vixie's shown himself to be, what-with his EASILY redirect poisoned & fastflux botnet abused DNS system...!)

... apk

Serious comments, please post to queue

[davecb]

http://queue.acm.org/detail.cfm?id=2578510

Complaints about beta go here (;-))

Adblock = "souled-out' + Inferior

Hosts do more w/ less (1 file) @ a faster level (ring 0) vs redundant browser addons (slowing up slower ring 3 browsers) via filtering 4 the IP stack (coded in C, loads w/ OS, & 1st net resolver queried w\ 45++ yrs.of optimization):

---

APK Hosts File Engine 9.0++ 32/64-bit:

http://start64.com/index.php?o...

(Details of hosts' benefits enumerated in link)

Summary:

---

A. ) Hosts do more than AdBlock ("souled-out" 2 Google/Crippled by default) + Ghostery (Advertiser owned) - "Fox guards henhouse", or Request Policy -> http://yro.slashdot.org/commen...

B. ) Hosts add reliability vs. downed or redirected DNS + secure vs. known malicious domains too -> http://tech.slashdot.org/comme... w/ less added "moving parts" complexity + room 4 breakdown,

C. ) Hosts files yield more speed (blocks ads & hardcodes fav sites - faster than remote DNS), security (vs. malicious domains serving mal-content + block spam/phish), reliability (vs. downed or Kaminsky redirect vulnerable DNS, 99% = unpatched vs. it & worst @ ISP level + weak vs FastFlux + DynDNS botnets), & anonymity (vs. dns request logs + DNSBL's).

---

* Addons are more complex + slowup browsers in message passing (use a few concurrently & see) - Addons slowdown SLOWER usermode browsers layering on MORE: I work w/ what you have in kernelmode, via hosts (A tightly integrated PART of the IP stack itself)

APK

P.S.=> Hosts files can also STOP THE REDIRECT TO /. "beta", easily, just as shown here -> http://tech.slashdot.org/comme... can "almsot all ads blocked" (lol)? Hell no - like I said, it's inferior & that is only 1 of roughly 18 areas I can PROVE it is... in addition to being 'souled-out' to admen/google

...apk

Re:Adblock = "souled-out' + Inferior

[geminidomino]

Unless you're on Android KitKat, of course. Apparently, it ignores /etc/hosts completely now.

Re:Adblock = "souled-out' + Inferior

Errr...just how does this relate to /. beta? Show us how this is a beta killer.

Re:Adblock = "souled-out' + Inferior

they're afraid of apk (they minus mod him but can't prove him wrong).

Welll...

Yes, but fuck beta?

Re:Welll...

indeed.

Paul 'RFC' Vixie?

[Mister+Liberty]

Here's a comment, requested or not: Fuck Beta.

Dumb systems can't be hacked

[Karmashock]

Complexity is a vulnerability. Simplicity is a strength.

If something is just too simple to be modified or hacked or manipulated by anyone including the rightful owners then its too simple to be perverted by a hostile agent. Simplicity is frequently a virtue.

Re:Dumb systems can't be hacked

speaking of dumb systems...fuck the beta.

Re:Dumb systems can't be hacked

Yes, agreed. I think we would rather have simple slashdot just as it is rather than the fuck beta.

Re:Dumb systems can't be hacked

It's yours. You can have it again, easily, stopping the redirect http://tech.slashdot.org/comme...

Re:Dumb systems can't be hacked

[skids]

Don't make wide generilised sweeping statements as they are most often wrong. For example, properly implemented SAV would be complexity, yet also a strength.

Re:Dumb systems can't be hacked

[Karmashock]

Wrong. It isn't impossible to hack it. And therefore it will be hacked.

Systems too simple to be hacked can't be hacked. They are secure. Everything else is second class.

People need to stop cutting security corners. This chicken shit security no longer an option.

Perfect security is possible. It requires sacrifice. You need to limit complexity. You need to limit what can and cannot be done. Do that and you leave little wiggle room for hackers to exploit. Anything short of that and you're better that you are smarter then the hacker. Which is hubris.

Re:Dumb systems can't be hacked

You are clearly not a hacker. If it exists, it can be hacked. Perfect security is impossible. Your door can have as many locks on it as you want. If I want to enter your house, I will smash the window and enter. If you are armed to the teeth with as many weapons as you choose, I will stalk you and kill you with a sniper rifle, then enter you house and do whatever I want.

In reality, what you need is to layer security and monitor it actively. You will not stop a persistent threat, but you may be able to discover the break and shut it down before too much damage is done.

Re:Dumb systems can't be hacked

[Karmashock]

Wrong. Hackers hack by exploiting flexibility in a system to be multiple things. If a given system is so simple it can LITERALLY only work one way then it cannot be hacked.

Effectively you have to make things that are non-programmable. Or that have their programming hardwired/hardcoded. No flexibility.

You set them up once to do a job and then leave them alone. Core systems can be set up this way and should be set up this way. They cannot get viruses. They cannot get taken over. They are what they are... end of story.

It is entirely possible to set things up that way. It simply requires pre-planning and ruthless adherence to standards.

Re:Dumb systems can't be hacked

[skids]

I have to agree with PP in that perfect security is possible. Proveably so. You can try to hedge around this fact with sophomoric arguments that show that it is possible to use a perfectly secure system in an insecure manner. That it an excercise in semantics since exhibiting the insecurity requires abusing the system. In order to define security you have to define what it is you are attempting to be secure against. A door with a deadbolt on the inside, when locked, is perfectly secure against lockpick attacks for example. Trying to use it to defend against people with chainsaws and blowtorches, however, is abusing that particular security system.

However the PP seems to think security is directly proportional to the simplicity of a system. It is also possible in more complex systems, and in fact, there are simple insecure systems that can be made perfectly secure by making them more complex. Witness strnlen.

Re:Dumb systems can't be hacked

Anything "too simple to be hacked" can still be broken, or appropriated and used for another purpose (which I would say is hacking).

Re:Dumb systems can't be hacked

[Karmashock]

Forgive me for oversimplifying my argument. My point stands that perfect security is possible and for backbone systems it should be required.

Re:Dumb systems can't be hacked

[Karmashock]

How do you hack a network hub? The hub, not the router.... and I say hub instead of switch because hubs are even more simplistic then switches.

A basic hub is unhackable. It does what it does.

YOU DON'T HEAR US

Fuck Beta.

You have ignored the desires of this community to push your own agenda. You merely want us to believe you care, nothing more.

Not Just Bad Guys

[Jane+Q.+Public]

"Bad guys have the time, skills, and motivation to study edge devices for weaknesses..."

But you know, it's funny... I would have thought the giant corporations that are behind manufacturing these devices (and in many cases the software for them) have just as much skill to look at these things from the other end.

Apparently what they have lacked is the motivation to do so. That should change.

Add them yourself

It's easy enough to do. The principle is what matters & the 1st line shows you it (I changed beta.slashdot.org to the IP address of slashdot.org - so, that said? Just take the subdomains noted & put their "classic site" analog IP addresses to them, & those 'classic models'' are listed in MY list already (for protection vs. DNS redirect mostly, but also for speed of resolution locally vs. remote DNS lag in comparison)

APK

P.S.=> Enjoy - however, it's ONLY "forestalling the inevitable" imo: The "money men" are in control here, not the former owners, or the editors (who are only 'championing' the 'beta' to hold onto their jobs - sad, but true & that IS life @ times)!

Hey, for me? Well - This place has served its purpose for me (which lately, has only to "turn folks on" to hosts & my program, since I know this place is going downhill + has been since the troll population & bogus sockpuppet or logout of your account after issuing a downmod + troll by ac afterwards population here got SO out-of-control - I only use it as a FORUMS for "Spreading the GOOD word" of my app & what it can do for users, gratis, in more speed, security, reliability, & anonymity...).

S so, after 10++ yrs. of hanging around here? I may just have to find another site since they DEMAND javascript (the root of all evil online basically in malcode that exists online on sites) - FOR TRACKING - "f" THAT!

... apk

I'm sorry, what?

[whoever57]

DNS is an example of a UDP (User Datagram Protocol),

DNS can use UDP, yes, but it can also use TCP, so as an example of "a UDP", it is quite poor.

Re:I'm sorry, what?

[RabidReindeer]

DNS is an example of a UDP (User Datagram Protocol),

DNS can use UDP, yes, but it can also use TCP, so as an example of "a UDP", it is quite poor.

He was talking about DNS reflection attacks, which is done via the primary DNS protocol, which is UDP-based. The attacker puts the victim's IP address in the source IP portion of the packet and requests a large quantity of information so that the DNS server will send it to the victim. Scale this up for DDOS on the victim. Since the attack is UDP-based, there's no requirement for the sender's IP to match the packet's sender ID.

I spent a lot of time last summer fending off that stuff, since my older machines didn't have suitable throttling capabilities, and in fact, finally had to move DNS to newer hardware because while my hardware had the power, there wasn't any suitable software to enforce it.

The one thing that puzzled me at the time was the choice of victims, since they weren't the expected big name targets. After recently hearing how GCHQ has been DDOS'ing political targets, I've been wondering, though.

Re:I'm sorry, what?

[sjames]

That actually could be solved with proper router configuration. For example, don't route traffic sourced from a router that has no route back to the source address. Case by case exceptions if well justified by the source.

Re:I'm sorry, what?

[RabidReindeer]

That actually could be solved with proper router configuration. For example, don't route traffic sourced from a router that has no route back to the source address. Case by case exceptions if well justified by the source.

Who says there's no route back? The route back is merely bogus.

If you mean that the response address doesn't match the source address, well, it wouldn't the minute it made its first hop. Which means that every router in the world would have to be 100% trustworthy.

Re:I'm sorry, what?

[sjames]

Getting a route announced is more difficult than spoofing a source address. Also, if you manage to convince the routers between the multiplying DNS server and you that there IS a route back, you will get the flood, not your victim.

Note that MOST providers already discard spoofed source packets from their customers.

Re:I'm sorry, what?

[RabidReindeer]

Getting a route announced is more difficult than spoofing a source address. Also, if you manage to convince the routers between the multiplying DNS server and you that there IS a route back, you will get the flood, not your victim.

Note that MOST providers already discard spoofed source packets from their customers.

Unfortunately, as my logs amply demonstrated, on a network the size of the Internet, "most" isn't nearly enough. And if the "provider" was a military or rogue ISP installation, they would likely be part of the attack.

Re:I'm sorry, what?

[sjames]

They still likely have an upstream or a transit provider. It gets more complicated at major peering points to decide who should be sending packets for what range, but it's not impossible even there.

As I said, MOST ISPs are conscientious about that, but certainly not all (or this problem wouldn't exist). It may be time to step up the game and deal with the few exceptions.

Agreed 110% & Einstein in my 'p.s.' here

Said it best (I merely listened & applied that idea) -> http://tech.slashdot.org/comme...

* :)

(Especially since it actually WORKS for better online speed, security, reliablity, & even added anonymity (vs. DNS request logs OR DNSBLs)

APK

P.S.=> Hosts ARE a simple design, & easily managed manually even (unless large, & that's where my app takes over) - plus, they "shore up" faults in DNS (redirect poisoning &/or FastFlux botnets that abuse it like mad (& they ARE becoming the prevalent design in botnets, fast - big threat: Almost as big as javascript itself... stupid, stupid, stupid! It's like they IGNORED what happened to MS & Adobe with scriptable documents, & the same is happening online because of it... CGI Bins/Win CGI was a SAFER model by far, in a TRUE "client-server" design where the server DOES THE PROCESSING WORK, not the client!)... apk

Paul Vixie prefers Slashdot Beta

Ever since he became a Dice shareholder, that is. But does he know that Dice assigns zero value to Slashdot?

Re: Paul Vixie prefers Slashdot Beta

Of course he does. It gives him everyone's email. So, Paul, what did mine say?

(At the bottom of Beta, the Fortune is currently "You had mail. Paul read it, so ask him what it said." I think that refers to Vixie.)

A different view.

[hackus]

"they need to inject malicious code into our precious devices where they can then copy our data, modify our installed software, spy on us, and steal our identities."

Not on my networks, which comprise about 1 million people at the moment.

All of our infrastructure is open source and we don't have those issues. Been opeperating a standatf 3.x kernel on 25 routers with millions of people accessing them, along with the server software, also LINUX based running Apache, Tomcat Servlets, and PostGRES...OpenLDAP and TLS for the internal key management infrastructure.

so I don't see a problem with the internet as designed, works very well. It doesn't need change.

You are trying to change the internet for your own malicious purposes, in my opinion, than actually address the problem:

1) Internet security as far as functionality is concerned, works extremely well. I travel and I go to many places, and there has only been once in the past two years I couldn't access my VPN server due to a real internet outage. I say outage because the local admin at your so called "smart edge" made a few bad investment decisions, proprietary gear bankrolled with back doors.

2) Most of the problems you do see with sites, internet infrastructure is entirely not related to the internet as designed per se, but a frustration with governments who don't like what the internet is doing. That is, an obstruction to their spheres of power and political and industrial espionage which they require to gain an edge to stay in power.

The internet has a nasty habit of revealing the connections of two sets of laws that normally can't be seen by the plebs: That is the ones that say you have to spend 5 years in prison for 1 ounce of pot, complete with a criminal record so you will never be hired again vs. If you're say a Banker, and rob whole countries you get a pay raise and pat on the back or send you send the plebs to thier doom. For example, when the French found they couldn't get any of their gold back from the Fed they invaded Mali to stabilize their banks.

So I don't see any problems with the internet.

I do see a problem with governments and the internet coexisting together though, but that is not a technology problem.

As I see it, one or the other has to go and so far the internet is fighting a losing battle.

Re:A different view.

[hackus]

Backdoors in this case of the edge network for this administrator are well know.

http://gigaom.com/2013/12/29/n...

Governments don't like the internet. They want it changed.

http://www.zdnet.com/surprise-...

So far one man, worth millions, with a great future ahead of him "decided to hang himself" over that same legislation.

http://www.globalresearch.ca/i...

People are seeing the connections through whistle blowers and alternative media.

http://www.infowars.com/hillar...
http://www.theguardian.com/wor...

French Invade Mali after Fed refusal of Gold...

I am sure it is JUST a cooincidence Gold is the only major export of MALI:

http://www.silverdoctors.com/j...

Troll.

So be it.

Sure, & easily (via hosts edit)

http://tech.slashdot.org/comme...

* :)

It'll allow you to access CLASSIC slashdot for as long as it exists on the server/IP noted, stopping the redirect...

APK

P.S.=> I only got redirected to it once, hasn't happened since because of hosts overriding I do - I couldn't stand the beta since it DEMANDS javascript to particpate here (that, is going to KILL this site if they keep it up - since everyone KNOWS that javascript is TRULY, the "root of all evil" online as a scripting language in in document for Pete's sake, in trackers, malicious script, etc. - they didn't LEARN by the Adobe & MS example in macros apparently. CGI bin &/or Win CGI was a SAFER model to do the same, all server-side like a GOOD "client-server" design model where work is done server side, & no business logic in the front-end OR processing CPU cycles excessively eaten by clientside PC processing either)... apk

Slashdot beta is not ready

"it's not ready" as you say, so can we please stop use it until it is ready?

PLEASE stop redirect us to this not ready thing
PLEASE let users themselves choose if they want to betatest this not ready thing.

It's improved a bit

Well it seems to have improved a bit since I last tried it.

Pity it takes so much vertical room that I have to scroll a lot of see comments. Still work to do. So I don't think its going away anytime soon.

Also why do we still have 'load more' on a desktop system in this day and age?

And the serif fonts, I know they're supposed to be more readable but they seem strangely irritating.

serif fonts is not readble on screen

serif fonts is never more readable on screen, and you should at least have 300dpi before you use seriffed fonts.
(as always on the web, prettify headings etc if you like, but whatever you do in the CSS, never change the normal text font.)

Let's hope dice stop forcing all of us to suffer this horrible beta madness now. they got their feedback, all the feedback they ever gonna get... why make the pain longer?

Beat redirect to "beta", easily

http://tech.slashdot.org/comme...

* :)

(Enjoy!)

APK

P.S.=> Via a SIMPLE easily done hosts file edit, you control THEM, not the other way around... apk

Re:Beat redirect to "beta", easily

yeah, but didn't they *make* you edit it?

fuk the beta

[ppff]

Can you just f** remove it for us ? I think that most people hate it.

Core is stupid

[RandomUsername99]

"the Internet core is stupid, and the edge is smart"

That is true on SO many levels.

Slashcott 10-17 February

Let's punch them where it hurts. FUCK BETA

So

[segin]

Very true.

Beta sucks ballz

make it go away

wut?

You must be some sort of a Markov chain.

wrong title

Perhaps
Paul Vixie on measures to prevent the Internet's architecture from assisting Dos attackers.
  (It will still be dumb core, smart(er) edge after the changes.)

Re:SMS

[danknight]

AFIK SMS was a testing mode, rides along the signal path anyway, essentially free to implement, Yet they monitized the crap out of it.