Slashdot Mirror


User: Bengie

Bengie's activity in the archive.

Stories: 0
Comments: 6,462

Comments · 6,462

  1. Re:Need to clean the endpoints on Ask Slashdot: What Should We Do About the DDoS Problem? · · Score: 1

    That list would be too large for most systems. Every time a new connection is attempted, your system would need to check that list. To give you an idea what is being talked about, DDOS can be millions of IP addresses and firewall rules are in the thousands for large lists. The list would increase processing overhead enough to create a new bottleneck.

    The type of attack you're talking about is an asymmetric attack where the attacker can cause high load with relatively few connections, which is why you "deprioritize" or reject "suspect" clients. But there are DDOS attacks that are symmetric attacks. Your best case is you will use as much resources as the attacker, primarily bandwidth, but the attacker has a botnet of millions of computers. You just can't compete.

  2. Re:treat botnets like cancer on Ask Slashdot: What Should We Do About the DDoS Problem? · · Score: 1

    The only way to stop traffic coming from another network is for you to stop announcing your route, which means cutting yourself off from the Internet.

  3. Re:Carriers on Ask Slashdot: What Should We Do About the DDoS Problem? · · Score: 1

    Upstream providers can cut off offending ISPs trivially.

    Not if it causes a breach of contract. Then the upstream can get sued for all losses.

  4. Re:Carriers on Ask Slashdot: What Should We Do About the DDoS Problem? · · Score: 1

    A single customer calling in costs an ISP about $1 per minute on average. If another network calls in and provides a list of 10,000 customers to disconnect, that can quickly turn into $100k cost to the ISP. No ISP will agree to that. So do you make the other network foot the bill? Well, that bill will probably cost more than just getting DDOS protection.

    There is no easy way to disconnect users. Just wait until ISPs get fed up with getting sent large lists of IP addresses and, instead of manually entering the data in, they streamline the process to be entirely automated, and some script kiddies figure out how to abuse this system.

  5. Re:Wrong Stereotype on US Army Could Waive Combat Training For Hackers · · Score: 1

    To be good at something that involves any amount of thought requires creativity; you can't "train" someone to be creative. If you're looking to train people to be crackers, then you must have a methodology, which means the process can be automated. Just get rid of the humans and get someone good to automate the process of "cracking".

  6. Re:you need to kill the botnets on Ask Slashdot: What Should We Do About the DDoS Problem? · · Score: 1

    We should also focus on fixing ISPs that allow spoofed egress traffic and find a way to handle malware. But we should also include standardization of a way to distribute bandwidth around the globe for smaller companies that can't. Instead of a small company having a single relatively slow Internet connection that acts as a chokepoint for DDOS attacks, have a global network of anycast nodes that distribute authentication around the globe and tunnel authenticated traffic back to the company.

    Not all traffic can be authenticated, like DNS or NTP, but plenty of other services can be, like gaming services and websites where you need to "log in".

    If you can't stop a DDOS before your edge, then you need more bandwidth at your edge. The easiest way to get cheap bandwidth for your edge is instead of paying someone to bring bandwidth to your edge, you bring your edge to the bandwidth, then filter and send scrubbed traffic back to your network.

  7. Re:White Boards on The Open Office Is Destroying the Workplace · · Score: 1

    I've been programming 10 years, and nearly every program starts off with a lot of design, which involves a lot of drawing dataflows. Whiteboards are very quick ways to draw up designs. Much quicker than diagramming software for certain types of brainstorming and infinitely more cooperative. Most of the overall design is done in the mind, but the whiteboard lets you express your thoughts as basic visuals, which is great at showing the shortcomings of the limitations of short term memory.

    Imagine a classroom without any form of visual learning: no chalkboards, whiteboards, projectors, etc. Same difference. Some things are better conveyed visually than only in thought to yourself or verbally to others.

    If you've made it this long without, maybe you process data differently, don't have the same limitations of short term memory as most humans, or maybe you just don't realize your own shortcomings and assume it's good enough. Whatever the reason, don't fix what seems to work. To each their own.

  8. Re:White Boards on The Open Office Is Destroying the Workplace · · Score: 1

    I can sing songs in my head and they sound great, but once they make it to the real world, they can sound like crap. Initial work starts in the head, but whiteboards are for the phase between thought and coding.

  9. Re:White Boards on The Open Office Is Destroying the Workplace · · Score: 1

    I have an 8' and a few smaller whiteboards at work. All mine! Personal whiteboards could cause issues in such open designs, or they just become the new "walls".

  10. White Boards on The Open Office Is Destroying the Workplace · · Score: 1

    I tried to google Open Office layouts, and they don't look too friendly to lots of whiteboards. How can anyone program without a bunch of whiteboards?

  11. Re:Public Stoning is too good... on Lizard Squad: Xbox Live, PSN Attacks Were a 'Marketing Scheme' For DDoS Service · · Score: 1

    We're not talking about "every little" web site, we're talking about the 2 biggest gaming networks in the world.

    Your NTP is a bad example because the issues being discussed focus on stateful connections that require authentication and authorization, both of which can be done at the edge. Once a connection is authenticated and authorized, then its traffic may make its way back to the datacenter. Even UDP connections could be considered "stateful" in the sense that the proxy/firewall may not allow your traffic to pass until you've authenticated, then the firewall could allow your IP to create a new state/connection.

  12. Re: But what laws are they breaking? on Lizard Squad: Xbox Live, PSN Attacks Were a 'Marketing Scheme' For DDoS Service · · Score: 1

    I think the largest DDOS was around 600gb/s, which is about $36k/month of bandwidth from your local IX.

    1) Buy up terabits of bandwidth around the world at prices as low as $0.06/mbit at an IX
    2) Filter data at the edge
    3) Forward filtered data back to your non-general-Internet-routable datacenter.

    You just need to move your edge to where bandwidth is plentiful and cheap and do all of your filtering there.

  13. Re:Public Stoning is too good... on Lizard Squad: Xbox Live, PSN Attacks Were a 'Marketing Scheme' For DDoS Service · · Score: 1

    I couldn't go outside because someone set off a nuclear bomb and it's a wasteland. Maybe I should have had more hobbies.

  14. Re:Public Stoning is too good... on Lizard Squad: Xbox Live, PSN Attacks Were a 'Marketing Scheme' For DDoS Service · · Score: 2

    The way anti-DDOS services work is quite simple. Instead of having a single network connection, say a 100gb link in the USA, you instead have many many 100gb+ links at the many Internet Exchanges around the world. At each IX, you have a bunch of proxy/firewall servers that filter the data, then send the "clean" data back to your 100gb link back in the USA.

    You scrub the data first where bandwidth is crazy cheap. You can purchase 100gb/100gb for $6k/month at many IXs.

    The second part to this is you need to stop broadcasting your main link's BGP on the open Internet, and only over pre-determined routes. This way no one can send data directly to your datacenter.

    Nutshell: Spread your Proxies/Firewalls around the world and use AnyCast, scrub the traffic, forward clean data to datacenter, make sure datacenter is not publicly routable.
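A small model of the edge-scrubbing design described in comments 11, 12 and 14 (auth-gated edge, rate limiting, clean traffic tunnelled to a datacenter that accepts nothing else), as an added example that is not the poster's code. The packet dicts, credentials, the `TUNNEL` label and the packet counts per source are all constructed assumptions for the simulation.

```python
from collections import defaultdict

TUNNEL = "tunnel"  # constructed label for the only path the datacenter accepts

class EdgeScrubber:
    # Anycast edge node: authenticates clients, rate-limits, forwards clean traffic
    def __init__(self, credentials, max_pkts=5):
        self.credentials = credentials        # constructed user -> password table
        self.authed = set()                   # source IPs allowed to create game state
        self.counts = defaultdict(int)        # packets seen per source in this window
        self.max_pkts = max_pkts              # per-source budget for the window
        self.stats = defaultdict(int)

    def handle(self, pkt, datacenter):
        src = pkt["src"]
        self.counts[src] += 1
        if self.counts[src] > self.max_pkts:  # volumetric flood absorbed at the edge
            self.stats["rate_limited"] += 1
            return
        if pkt["type"] == "login":            # login is the only unauthenticated service
            if self.credentials.get(pkt["user"]) == pkt["password"]:
                self.authed.add(src)
                self.stats["authenticated"] += 1
            else:
                self.stats["bad_login"] += 1
            return
        if src not in self.authed:            # unauthenticated UDP never reaches the DC
            self.stats["unauth_dropped"] += 1
            return
        self.stats["forwarded"] += 1
        datacenter.receive(pkt, via=TUNNEL)

class Datacenter:
    # Not publicly routable: only packets arriving over the tunnel are accepted
    def __init__(self):
        self.accepted, self.rejected = 0, 0
    def receive(self, pkt, via):
        if via == TUNNEL: self.accepted += 1
        else: self.rejected += 1

def run_simulation():
    edge, dc = EdgeScrubber({"alice": "s3cret"}), Datacenter()
    traffic = [{"src": "10.0.0.1", "type": "login", "user": "alice", "password": "s3cret"}]
    traffic += [{"src": "10.0.0.1", "type": "game"} for _ in range(3)]          # legit player
    traffic += [{"src": f"198.51.100.{i}", "type": "game"} for i in range(20)]  # spread flood
    traffic += [{"src": "203.0.113.7", "type": "game"} for _ in range(8)]       # one noisy source
    for pkt in traffic:
        edge.handle(pkt, dc)
    dc.receive({"src": "198.51.100.1", "type": "game"}, via="internet")  # direct attempt, no route
    return dict(edge.stats), dc.accepted, dc.rejected
```

The datacenter counter shows the point of comment 14: only the three authenticated packets arrive, and the one packet that tries to bypass the edge is refused because the datacenter is reachable only over the tunnel.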

  15. Re:Again... on Snowden Documents Show How Well NSA Codebreakers Can Pry · · Score: 1

    if I pointed out 5 years ago that the NSA might be recording all communications

    Since worldwide hard drive storage being created is about 40 exabytes per year and the Internet has about 50 exabytes of traffic per month, I would still say you're crazy to think that all traffic is recorded. They have to be filtering out a decent amount of it. According to the NSA, however much you can trust this, they only inspect about 1.5% of all traffic, of which storage is only a subset. So they're not recording anywhere near "all" traffic.

    Maybe we need to start padding stuff like SSH sessions to increase bandwidth usage to consume "idle" bandwidth. I'm not sure how one would implement this, but it would dramatically increase how much data needs to be stored.

  16. Re:Do users really care? on Snowden Documents Show How Well NSA Codebreakers Can Pry · · Score: 1

    Being "social" is all about interacting. If you don't interact, you're not social and may as well not be a human. Until humans figure out a way to reproduce asexually, we'll need to interact. Even asexual organisms are still social because there is safety in numbers. I guess what I'm saying is that what others are doing is logical, you're the illogical one. Don't be so eager to pass judgement.

  17. Re:I am safe on Snowden Documents Show How Well NSA Codebreakers Can Pry · · Score: 1

    Nope, you're at more risk because of the common password changes. I think it's 3-6 months. Should be using 2 factor.

  18. Re: Again... on Snowden Documents Show How Well NSA Codebreakers Can Pry · · Score: 1

    So, for IPSEC, they break into the router, rather than the tunnel itself. Can they break into a properly secured Linux (or *BSD) box

    So they can "break" IPSEC by compromising the end nodes? Isn't that like saying "We can break into your house if we can get inside of it"?

  19. Re: Again... on Snowden Documents Show How Well NSA Codebreakers Can Pry · · Score: 1

    With current understanding of handshakes, having access to controlling the handshake gains you nothing. Both ends can still detect something is wrong. The only real way to MITM is to have access to the certs, magical computers, or knowledge of a flaw/bug in the protocol or implementation.

  20. Re:all this info for what? on Snowden Documents Show How Well NSA Codebreakers Can Pry · · Score: 4, Informative

    Other country's laws. People don't realize it in the US that Thailand's lese majeste laws apply here? Well, they do, and an American can get shipped over there for breaking them, due to extradition treaties.

    Extradition almost exclusively applies to laws in other countries that would also be considered criminal in the USA. Kill someone in Thailand, well, murder is criminal in the USA, so they'll extradite you. Slander someone, well, that's not criminal in the USA, so you're safe. The USA also will not extradite if they think the punishment may be considered "extreme".

  21. Re:Mod parent up. on Paul Graham: Let the Other 95% of Great Programmers In · · Score: 1

    I wonder what they mean by "GPA". There is a strong correlation between smart people and doing poorly in studies outside of what they're good at or becoming bored due to too easy of classes.

  22. Re:VPN, again on India Faces Its First Major Net Neutrality Issue · · Score: 1

    IPv6+IPSEC will prevent seeing which ports you're using.

  23. Re:F Paul Graham on Paul Graham: Let the Other 95% of Great Programmers In · · Score: 2

    They won't be taking your job, they'll be taking a job that you couldn't do.

  24. Re: show me the measurement for programmers on Paul Graham: Let the Other 95% of Great Programmers In · · Score: 1

    implementation trivia is not one of your concerns

    An architect that does not know how to implement is a bad architect and a programmer that does not understand the architect is a bad programmer. Implementation trivia is extremely important to the proper implementation of a system.

    The implementation drives the architecture and the architecture drives the implementation. The best system meets in the middle.

    quote:
    Sometimes what the hackers do is called "software engineering," but this term is just as misleading. Good software designers are no more engineers than architects are. The border between architecture and engineering is not sharply defined, but it's there. It falls between what and how: architects decide what to do, and engineers figure out how to do it.

    What and how should not be kept too separate. You're asking for trouble if you try to decide what to do without understanding how to do it. But hacking can certainly be more than just deciding how to implement some spec. At its best, it's creating the spec-- though it turns out the best way to do that is to implement it.

  25. Re:Excellence cannot be measured. on Paul Graham: Let the Other 95% of Great Programmers In · · Score: 2

    I knew quite a few people who designed and wrote code that was easy to read, worked, easily maintained, got it all done on time and were considered mediocre.

    That would be above average in my book. To me, an "excellent" programmer would not only do that, but also not be wasteful with resources, and would analyze the problem themselves and architect the program themselves.