[fw-wiz] re: Why blocking bogons buys you nothing

From: Mike Hoskins (mike_at_adept.org)
Date: 11/11/03

    To: firewall-wizards@honor.icsalabs.com
    Date: Mon, 10 Nov 2003 15:44:51 -0800 (PST)
    
    

    From: Mikael Olsson <mikael.olsson@clavister.com>
    To: Barney Wolff <barney@databus.com>
    Cc: firewall-wizards@honor.icsalabs.com
    Barney Wolff wrote:
    > On Sun, Nov 09, 2003 at 07:07:10PM +0100, Mikael Olsson wrote:
    > > 40-50% is not "significant" for a DDoS in my opinion. Especially
    > > not if you're doing it on the wrong end of your Internet connection.
    > Depends on your goal. If your goal is immunity from every DDoS, yes.
    > But that goal is unattainable by any means. If your goal is to reduce
    > the frequency of outages caused by DDoS, 50% is significant, because
    > not every attack will come from the most powerful attacker.

    50%... How long is a piece of string? Like Barney tried to point out,
    50% can be a whole lot (wrt local server bandwidth).

    > And not every attack will come from DDoS slaves that spoof their
    > source IPs. And not all of the spoofing slaves will use completely
    > random source IPs.

    He didn't say they would, unlike you who tried to say something does
    absolutely no good for everyone all the time. The point is, you drew some
    good conclusions but tried to make it apply everywhere all the time.
    That's not the way the world works, especially the networking world. What
    you need to do is be intelligent and think about the pros and cons of what
    you implement on your networks. What applies at one site may not apply at
    another, blah blah blah. So, a good study, but one that needs to be read
    with "common sense" like any other.

    > I've been on the receiving end of about half a dozen DDoSes so far.
    > None of them used randomized addresses.

    "A grenade landed about 15 ft. from me once and I escaped unscathed...
    Therefore, I let people throw grenades at me all the time."

    Be as cautious as you wish with your network, and I'll do the same.

    -mrh

    --
    From: "Spam Catcher" <spam-catcher@adept.org>
    To: spam-catcher@adept.org
    Do NOT send email to the address listed above or
    you will be added to a blacklist!
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
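The number being argued over above (what share of uniformly random spoofed sources a bogon filter actually drops) is easy to check for any given prefix list. The following is an added illustration, not part of the thread; the prefix list is an assumed present-day set of reserved ranges, not the 2003-era bogon list (which also covered large unallocated blocks, hence the 40-50% quoted), so the fraction it yields is lower.

```python
import ipaddress
import random

# Constructed sample bogon list (assumption for illustration): well-known
# reserved ranges only. Swap in a current, authoritative bogon list when
# evaluating a real filter.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def is_bogon(addr, bogons=BOGONS):
    """True if addr (dotted string or 32-bit int) falls inside any listed prefix."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in bogons)


def bogon_coverage(bogons=BOGONS):
    """Exact fraction of the IPv4 space the list covers.

    Overlapping or adjacent prefixes are collapsed first so nothing is
    double-counted; the result is the drop rate for sources chosen
    uniformly at random from the whole 32-bit space.
    """
    covered = sum(net.num_addresses for net in ipaddress.collapse_addresses(bogons))
    return covered / 2**32


def simulate_random_spoof(n_packets, bogons=BOGONS, seed=1):
    """Empirical drop rate for n_packets with uniformly random spoofed sources.

    The seed is fixed so runs are reproducible; the result should sit close
    to bogon_coverage() for the same list.
    """
    rng = random.Random(seed)
    dropped = sum(is_bogon(rng.getrandbits(32), bogons) for _ in range(n_packets))
    return dropped / n_packets


if __name__ == "__main__":
    print(f"exact coverage:   {bogon_coverage():.4f}")
    print(f"simulated (20k):  {simulate_random_spoof(20000):.4f}")
```

Note that a filter this size drops about 14% of fully random spoofed sources, and nothing at all from an attacker who spoofs only routable addresses; that is the gap between the study's headline number and any one site's exposure.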
    
