Slashdot Mirror


User: Alex Belits

Alex Belits's activity in the archive.

Stories: 0 · Comments: 6,525

Comments · 6,525

  1. Re:Long on Rhetoric on Firewalls Make DDoS Attacks Worse · · Score: 1

    Either way, you have demonstrated that you have enough knowledge to be dangerous and a personality that multiplies that danger many times. I hope you are unemployed and living in your mother's basement, because if someone pays for your ego without accuracy, they'll have misplaced confidence in your useless drivel.

    I have knowledge and understanding of network protocols, and system design. What you have demonstrated so far, amounts to a set of random ridiculous claims from marketing brochures.

  2. Re:Long on Rhetoric on Firewalls Make DDoS Attacks Worse · · Score: 1

    My password isn't on anything I administer.

    Of course, it is -- you enter it yourself! If the host is compromised, it is enough for an intruder that you will eventually try to authenticate against it -- with a password, key or anything else.

  3. Re:Long on Rhetoric on Firewalls Make DDoS Attacks Worse · · Score: 1

    That's simply false. Something that's designed to handle attacks will have modifications over "standard" servers (even hardened ones) such as more memory dedicated to storing the flows.

    I don't know what a "flow" is that can be "stored", but the whole problem of DDoS is that handling of connections requires a sufficient amount of resources to exceed the performance of a server. If a firewall handles state, it has to have as many resources as a server, just to avoid becoming a bottleneck by itself. If it "stores" (proxies, forwards, buffers) anything, the amount of memory and available performance it should have would provide higher throughput and DDoS tolerance if they simply were added to the server.

    That you are apparently too stupid to understand this doesn't make it untrue.

    Yes, I am indeed too stupid to realize that firewalls are magic and somehow can have network stack features that can not possibly be implemented on servers that have exactly the same hardware and run exactly the same operating system. I am also too stupid to understand that second-guessing a server by observing its traffic is somehow more reliable than making a server parse the same data correctly in the first place.

    Thankfully, the people that design firewalls can think past your obvious limitations and design something that works, rather than purposefully designing firewalls that are useless and relying on incompetent managers to stay in business.

    Same was claimed by each and every snake oil salesman.

  4. This is how it was invented: on US Gov't Pushing News Through China's Great Firewall · · Score: 1

    Some American official: I know what to do -- we should SPAM them with propaganda!

  5. Re:Microsoft astroturfers out in force on Google's Search Copying Accusation Called 'Silly' · · Score: 1

    No.

  6. Re:Not enough on UK File-Sharing Lawyers ACS:Law Shut Up Shop Ahead of Court · · Score: 1

    And I thought, my proposal to turn Microsoft employees into a river of blood flowing between hills made of crushed bones, topped by skulls of Gates and Ballmer, was extreme.

  7. Re:Long on Rhetoric on Firewalls Make DDoS Attacks Worse · · Score: 1

    All servers will be stateful, by definition of TCP. Thus, a properly configured firewall in front of it will always be better than it open to the Internet, hardened or not.

    This is completely illogical. If a firewall protects against something that is in any way related to the stateful nature of TCP, then the firewall is also stateful, and is subject to the same resource starvation a server would have.

  8. Re:Long on Rhetoric on Firewalls Make DDoS Attacks Worse · · Score: 1

    You are talking about a DDoS or a target vulnerability attack interchangeably depending on what makes you look smarter and the other guy dumber

    No, I don't. I have never mentioned "target vulnerability" of any kind because it's a stupid idea to use a firewall to block specific sophisticated attacks that exploit a known vulnerability -- if it is so obvious that it can be recognized by a firewall, it can be more easily prevented by the host it is trying to "protect". There are two reasons for having such functionality in a firewall:

    1. Server software being so abysmally insecure, a dumb proxy grepping through packets for malformed or excessively large requests can prevent exploits better than waiting for a fix from the vendor of software that actually parses that stuff.

    2. The scope of legitimate "security" software functionality is being completely covered already by absolutely everyone, so the only way to distinguish themselves for a firewall vendor is to add an illegitimate one. Then, of course, when such firewall becomes a bottleneck, it has to drop such functionality, but it can just as well keep it off after "attack" is over.

    If I have a webserver with no sensitive data on it, I want the firewall to provide uptime, not security. As such, the features he is describing are optimal.

    First of all, there is no such thing as "no sensitive data" on something. Even if the server is entirely read-only, the password YOU enter when you log in while trying to administer it is "sensitive data" because it gives someone the ability to write things and pretend they are yours. With the ridiculously widespread practice of having single authentication for absolutely every service, it likely allows a successful intruder to get access to your VPN (lovingly protected by more "security products"), mail, and possibly get write access to internal data (using that VPN).

    The solution, of course, is not to do such things, and if you indeed need a server with no external write access, there are plenty of simple web server configurations that would perform this function perfectly -- and all of them are simpler than a firewall itself. If you are indeed concerned about uptime, you should care about eliminating single points of failure -- single web server, firewall, even router, because hardware failures should be more likely to cause problems than any kind of attack -- except, of course, DDoS because of its ability to potentially eat unlimited amount of resources by doing nothing but "legitimate" requests.

    However, as you point out (in the least useful and most off-topic manner), when fighting a targeted attack, such configuration could lead to a vulnerability.

    No, what I point out is that trying to add more and more "features" to a firewall can turn a firewall into something that is more likely to be successfully exploited than anything such firewall supposedly protects. The fact that such a thing is even possible, can tell us that we are very deep into the snake oil land already, and should get the fuck out before someone will try to sell us a firewall to protect a firewall.

    However, the question is not one of whether you are being attacked to cause a compromised network. It's about uptime in a DDoS. In that context, you are 100% wrong. And being quite the ass about it.

    A simple port blocker/DMZ forwarder has no effect on "uptime" (except for its own hardware failures and as long as cables that go to it are not unusually tasty for rats that live around it) and is just as resistant or vulnerable to DDoS as the server behind it. It is also sufficient to "protect" a web server with simple to moderately complex services running on it. For a complex service, you need a system of frontend and backend servers with clear security boundaries between them -- again, it's a matter of network and application design, and it does not involve complex second-guessing-the-server software running anywhere.

  9. Re:You are reading too much in a pattern on DreamPlug ARM Box Brings Power To Plug Computing · · Score: 1

    Except that it doesn't work that way. Sure, someone (mostly Microsoft marketing people) will complain about each and every device that does not run Windows and try to coerce everyone into turning everything into a Windows-based computer. But the results of stuffing Windows into anything other than commodity desktops/laptops were always disastrous, and Microsoft always claimed that THIS TIME they have a platform that users will love.

  10. Even better idea for Microsoft on Microsoft Vehemently Denies Google's "Bing Sting" · · Score: 1

    I have an even better idea!

    Microsoft should change their toolbar, so every time a user clicks on anything, toolbar also requests a page from Microsoft that contains a query sent to Bing by another user. Then this user's browser performs a search on Google, and sends the results to Microsoft, so it can return them to the user who requested it!

  11. Re:Long on Rhetoric on Firewalls Make DDoS Attacks Worse · · Score: 1

    Anti-spam functionality has nothing to do with a firewall, it is in a mail server that just happens to be bundled with a firewall, so the user can run Microsoft Exchange. If someone tried to DDoS a mail server, he would succeed no matter what anyway, by simply burying all legitimate email under mountains of spam. The best solution is to do the opposite, reject all email under high load and rely on legitimate servers re-sending it later. But a web server or any other publicly accessible server has nothing to do with it unless it has to run mail on the same host (and then it can not be resistant to DDoS).

    A firewall is supposed to improve security, not to entertain the admins. If any of its functionality can be sometimes turned off, it means that either this functionality should be always off (and therefore is worthless in the first place) or the firewall has a security hole in its design. Or it is designed to protect a system that is so insecure, blocking some things only a fraction of the time would make successful intrusion less likely to happen (and then the firewall is the wrong way to improve security in the first place). Snake oil either way.

    "Handling wire speed" will not help if it has to create connections at "wire speed" and then divine which of them are "wrong". As I have explained before, DDoS is different from other kinds of attack by having all traffic originating in a perfectly legitimate manner, so firewall that second-guesses the server will end up spending more resources on it than the server would.

  12. Stalin? on Asus, Gigabyte To Replace All Sandy Bridge Boards · · Score: 1

    J. Dzhugashvili writes

    Oh, for fuck sake, stay dead!

  13. Re:Long on Rhetoric on Firewalls Make DDoS Attacks Worse · · Score: 1

    So if "deep packet inspection" actually was "protecting" against something, it can be defeated on those firewalls by increasing the amount of traffic? Snake oil truly rules the "security products" market now.

  14. Re:Long on Rhetoric on Firewalls Make DDoS Attacks Worse · · Score: 1

    So those "firewalls" drop their supposedly important security functionality when they experience an increase in traffic, thus leaving dumb packet filtering functionality available on any modern router? So anyone who wants to exploit whatever vulnerabilities it "protects" against just has to increase the amount of traffic to trigger this mode? That's a dumb router bundled with a useless security blanket, an example of security snake oil if I ever saw one.

    In reality public servers are more secure with no "deep packet inspection" being on ever (plus additionally they are not exposed to possible DoS and privilege escalation bugs that are, without any doubt, present in packet analysis code). That is, as long as those servers do not run Windows or some overcomplicated mess of exposed services that does not belong on a public server in the first place.

  15. Re:So... on The Hidden Reality Draws Ire From Physicists · · Score: 1

    While they did not know about helium until the late 1800s, they knew about hydrogen in the late 1700s, and they also knew about oxygen in the late 1700s too. If you suggested that it was possible to change one to the other, they'd say you were nuts, just like you couldn't turn lead into gold.

    For the purposes of a chemist in 1800, nothing that can be practically produced in a nuclear reaction had anything in common with any of elements he could recognize.

    I am sure, physicists in 1800 recognized that _something_ could have happened in the history of the Universe that resulted in various elements being available on Earth in certain quantities (they had no method to analyze extraterrestrial objects' composition, spectroscopy became available much later). They did not expect atoms to be truly... atomic at that point, either. However they (correctly) determined that everything they could produce did not convert anything they could identify as one element into something they could identify as another one.

    Alchemy did not become any less of a pseudoscience when it became clear that alpha particles are Helium -- there was nothing ever produced by alchemists that would suggest the possibility of nuclear reactions, their properties, or their distinction from chemical reactions. To be fair, there was nothing ever produced by alchemists that would clearly describe what a chemical reaction is in the first place -- their theories were a massive clusterfuck based entirely on fantasy and analogies, and the only useful things they ever accomplished were found randomly in experiments when they expected something completely different. Claiming that they were "right" because elements can be converted into each other in processes that are completely unrelated to chemistry and involve manipulation of matter at a level that would not be possible to research before a bunch of completely new concepts would be discovered and studied, which they never in any way predicted or anticipated, is idiotic.

    With "multiple universes" it would be an equivalent of "discovering" that yes, other universes may exist, but to achieve any effect of them on "our" Universe, it would be necessary to rearrange all matter in our Universe to duplicate the Universe we are supposed to interact with. No shit Sherlock!

  16. Re:Long on Rhetoric on Firewalls Make DDoS Attacks Worse · · Score: 1

    I am sure, there are "high-performance" firewalls that are servers in disguise, and there are clever tricks that make firewalls become stateless packet filters when they are overloaded.

    But then the question is -- if those firewalls can be made "better" by dropping their supposedly security-critical functionality when they detect that they are being "attacked", what excuses do their vendors have for implementing this functionality at all? Doesn't it make them into expensive packet filters with security blankets bundled with them?

  17. Re:Long on Rhetoric on Firewalls Make DDoS Attacks Worse · · Score: 1

    SYN flood takes out everything stateful and can't take out anything stateless.

    The idea of SYN cookies was to keep the protocol stateless (from the server endpoint's point of view) until the moment when the client had spent more resources on keeping its state than the server did, so SYN flood DoS won't work. SYN flood would still succeed if the server is behind a firewall that keeps state for everything that looks like a connection (that starts with a SYN) even if the server does not. So yes, in a simple SYN flood scenario the server without a firewall will withstand the attack while a sophisticated firewall that keeps state to perform NAT or various kinds of pseudo-security traffic analysis guesswork won't. A simple firewall that performs stateless packet filtering will not affect the outcome either way.

    However DDoS is a step beyond SYN floods. DDoS works even if clients have to spend much more resources than the server does, because there are so many of them. SYN cookies will prevent server from exceeding the memory available for keeping state until the point when there is more legitimate state information than it can handle, but DDoS zombies will just create a large number of perfectly legitimate connections with perfectly legitimate state -- they act exactly like the clients they are trying to displace.

    Without a firewall, the server is overloaded, and with a firewall both server and firewall are overloaded, so what is the difference? Actually there may be some. Firewalls simply have fewer resources available, and they often waste their processor time and memory by looking for "known bad" data patterns. DDoS does not contain any of those because it imitates legitimate clients, however time and memory spent on looking for things that are not there, and limitations on the size of tables that keep state, limit the number of connections the server can have at the same time, so DDoS resistance is decreased. By how much depends on performance and "sophistication" of the firewall. The smaller and "smarter" the firewall is, the more likely it will become a bottleneck.

    Ideally, a stateless router should filter out "known bullshit" packets, and server should be fast and simple enough to respond with minimal latency, thus reducing lifetime of connections, legitimate and DDoS alike. The server may actually be a frontend or cache before a backend, and backend should run on firewalled/isolated subnet behind it. Such setup will still be vulnerable to sufficiently large DDoS, but it will be far superior to a firewall plus server, each maintaining state of everything and keeping connections open forever.
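    As an added illustration of the SYN-cookie argument in this comment (example code, not part of the post and not from any real network stack): a toy Python model of three listeners fed the same constructed traffic, a burst of half-open SYNs from spoofed sources followed by a handful of legitimate clients that complete the handshake. The classic listener keeps a half-open entry per SYN and runs out of backlog; the SYN-cookie listener keeps nothing until the ACK echoes a valid cookie; putting a stateful firewall with its own connection table in front of the SYN-cookie listener brings the problem back. The cookie construction (HMAC over the connection tuple and a coarse time slot, with no MSS encoding) and the table sizes are simplifications chosen for the demonstration.

```python
import hashlib
import hmac
import random

SECRET = b"constructed-demo-secret"  # a real stack would use a per-boot random key


def syn_cookie(client, port, ts_slot):
    """Initial sequence number derived from the connection tuple and a time slot.
    Simplified cookie: real implementations also encode the negotiated MSS."""
    msg = f"{client}:{port}:{ts_slot}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


class StatefulListener:
    """Classic backlog: every SYN allocates a half-open entry until its ACK arrives."""

    def __init__(self, backlog):
        self.backlog = backlog
        self.half_open = {}        # (client, port) -> server ISN
        self.established = set()
        self.dropped_syns = 0

    def on_syn(self, client, port, ts_slot):
        if len(self.half_open) >= self.backlog:
            self.dropped_syns += 1
            return None            # backlog full: the SYN is silently dropped
        isn = random.getrandbits(32)
        self.half_open[(client, port)] = isn
        return isn

    def on_ack(self, client, port, ack, ts_slot):
        isn = self.half_open.pop((client, port), None)
        if isn is not None and ack == (isn + 1) & 0xFFFFFFFF:
            self.established.add((client, port))
            return True
        return False


class SynCookieListener:
    """Keeps no per-SYN state: the ISN is a cookie the client must echo back."""

    def __init__(self):
        self.established = set()

    def on_syn(self, client, port, ts_slot):
        return syn_cookie(client, port, ts_slot)   # nothing is stored here

    def on_ack(self, client, port, ack, ts_slot):
        # Accept cookies minted in the current or the previous time slot.
        for slot in (ts_slot, ts_slot - 1):
            if ack == (syn_cookie(client, port, slot) + 1) & 0xFFFFFFFF:
                self.established.add((client, port))
                return True
        return False


class StatefulFirewall:
    """A firewall that records every SYN in its own table before forwarding it:
    the 'firewall that keeps state for everything that looks like a connection'."""

    def __init__(self, table_size, inner):
        self.table_size = table_size
        self.inner = inner
        self.table = set()
        self.dropped_syns = 0

    def on_syn(self, client, port, ts_slot):
        key = (client, port)
        if key not in self.table and len(self.table) >= self.table_size:
            self.dropped_syns += 1
            return None            # firewall table full: dropped before the server sees it
        self.table.add(key)
        return self.inner.on_syn(client, port, ts_slot)

    def on_ack(self, client, port, ack, ts_slot):
        if (client, port) not in self.table:
            return False
        return self.inner.on_ack(client, port, ack, ts_slot)

    @property
    def established(self):
        return self.inner.established


def simulate(listener, flood_syns, legit_clients, ts_slot=1000):
    """Constructed traffic: spoofed sources send SYNs and never finish, then
    legitimate clients send SYN, take the returned ISN and ACK isn+1.
    Returns how many legitimate handshakes completed."""
    rng = random.Random(7)   # fixed seed so the run is reproducible
    for i in range(flood_syns):
        src = f"198.51.100.{rng.randrange(256)}"   # constructed documentation-range addresses
        listener.on_syn(src, 40000 + i, ts_slot)
    completed = 0
    for i in range(legit_clients):
        src, port = f"203.0.113.{i}", 50000 + i
        isn = listener.on_syn(src, port, ts_slot)
        if isn is None:
            continue   # SYN dropped; a real client would retry and eventually give up
        if listener.on_ack(src, port, (isn + 1) & 0xFFFFFFFF, ts_slot):
            completed += 1
    return completed


def run_comparison(flood_syns=2000, legit_clients=20, table_size=256):
    return {
        "stateful_server": simulate(StatefulListener(table_size), flood_syns, legit_clients),
        "syncookie_server": simulate(SynCookieListener(), flood_syns, legit_clients),
        "syncookie_behind_stateful_firewall": simulate(
            StatefulFirewall(table_size, SynCookieListener()), flood_syns, legit_clients),
    }


if __name__ == "__main__":
    for name, n in run_comparison().items():
        print(f"{name}: {n} of 20 legitimate handshakes completed")
```

    The stateful server and the SYN-cookie server behind a stateful firewall both end with zero completed legitimate handshakes once the 256-entry tables fill, while the bare SYN-cookie server completes all twenty; the state that decides the outcome is whichever table sits in the path, not how clever the box holding it is.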

  18. Re:So... on The Hidden Reality Draws Ire From Physicists · · Score: 1

    In 1800 they would not know what Helium is, let alone how it can or can not be produced.

    More to the point, radioactivity and other nuclear reactions were discovered in late 19th century. Before that time, any idea of "transmuting" elements would not be applicable to anything known to mankind, and therefore not worth considering -- any expected form of "transmutation" would have nothing in common with nuclear reactions. After discovery of radioactivity it did not take long to understand its nature and relationship to transforming one nucleus into another.

  19. Re:Designed for Windows? on DreamPlug ARM Box Brings Power To Plug Computing · · Score: 1

    And yet most netbooks produced now are Microsoft/Intel, despite being pioneered by Linux/ARM and to some extent Linux/Intel. Android (a pretty shitty branch of Linux, to be honest) became a king on devices that either Microsoft can't take over (smartphones, TV) or that no one really cares about because their functionality does not justify their physical size, let alone price (tablets).

    So I am afraid of repeating the same pattern that happened before -- companies' management decides to start development on a Linux platform, fully expecting to abandon it at some point, and shift to REAL, SERIOUS BUSINESS PLATFORM THAT EVERYONE LUUURVES -- Windows. This is what destroyed first generation of OLPC, this is what wiped out first wave of handhelds (when they were called PDA), etc. Before Microsoft announcement, if a company decided to produce an Intel-based small device, it was likely that they expect to support Windows, and if it decided to produce an ARM-based one, it was reasonable to expect that decision-makers are not planning to pull a switcheroo to Windows once Linux developers picked up all hardware bugs and produced reference implementations for all required drivers.

    Now things are not so clear. Not that it is reasonable to expect that Windows-based device will be more successful. I fully expect all "Windows on ARM" devices to destroy the companies that placed their bets on them, just like it happened with each and every version of Windows CE before smartphones. But companies' management can keep their faith in Windows just long enough to drive those projects into the ground while reducing Linux support to the status of "unofficial firmware", similar to iPAQ.

  20. Designed for Windows? on DreamPlug ARM Box Brings Power To Plug Computing · · Score: 0

    Am I being paranoid, or is there suddenly a huge increase in ARM-based consumer product announcements right after Microsoft promised that THIS TIME their ARM-based product will be good?

    Are we looking at another Itsy (that became a Windows-CE-only iPAQ)?

  21. Re:Not that suprising. on Bing Is Cheating, Copying Google Search Results · · Score: 1

    You forgot the part about search term not appearing anywhere other than the Google page.

  22. Re:Terrible. but very Microsoft on Bing Is Cheating, Copying Google Search Results · · Score: 1

    Considering the retarded way how Microsoft "improves" things, I would be happier if it just copied them.

  23. Re:Not surprised. on Bing Is Cheating, Copying Google Search Results · · Score: 1

    Can you read? Microsoft did not imitate Google's algorithm, they copied the results verbatim, including the nonsense ones.

  24. Re:Oh yeah? Well there's a universe... on The Hidden Reality Draws Ire From Physicists · · Score: 1

    Hey Faggots,

    My name is John, and I hate every single one of you. All of you are fat, retarded, no-lifes who spend every second of their day looking at stupid ass pictures. You are everything bad in the world. Honestly, have any of you ever gotten any pussy? I mean, I guess it's fun making fun of people because of your own insecurities, but you all take to a whole new level. This is even worse than jerking off to pictures on facebook.

    Don't be a stranger. Just hit me with your best shot. I'm pretty much perfect. I was captain of the football team, and starter on my basketball team. What sports do you play, other than "jack off to naked drawn Japanese people"? I also get straight A's, and have a banging hot girlfriend (She just blew me; Shit was SO cash). You are all faggots who should just kill yourselves. Thanks for listening.

    Pic Related: It's me and my bitch

  25. Re:So... on The Hidden Reality Draws Ire From Physicists · · Score: 1

    Considering that it was made by a monk to describe how things should work beyond the scope of religious belief, I am sure that "misinterpreted" version is actually a better one.