Cart
|
[XML-DEV Mailing List Archive Home] [By Thread] [By Date] [Recent Entries] [Reply To This Message] Re: Re: Can A Web Site Be Reliably Defended Against DoS Attack
 Just a short note here... On Fri, Feb 06, 2004 at 09:33:55AM -0600, Bullard, Claude L (Len) wrote: > From: Liam Quin [mailto:liam@w...] > >When you get to the point where a 14-year-old kid sitting at > >home can quietly infect tens of thousansd of Windows XP systems > >remotely, > > It is doable with Linux and Unix. XP systems offer the > juicy target for master/zombie attacks because they dominate > the desktops. This isn't about the virus; it is about the > systemic vulnerability to DDoS. I was overly terse, sorry. The point of XP is that the default home install lets you skip setting an Administrator password, without a good warning it seems, and enables file sharing. There _are_ Linux systems (e.g. Knoppix) that don't set a root password by default, but they are rare, and all the ones I've seen they're booting from CD, so there's limited possibility of installing trojans. I'm not sniping at Microsoft here, but mentioning XP because in fact they are the most commonly infected systems today, even though Win98 may in fact still be about as widespread on home desktops. > >and then use them all at once to send multiple gigabtes > >per second of network data at a single target, it's hard to see > >how any infrastructure could have coped. > > That is the point and thanks. As long as the Internet design > is that flaky, it is risky to tie the cetain systems > together with it. The WWW and the > press have to acknowledge this and to heck with the hindmost. We should work to make it more robust. But "mission critical" means something different to someone designing a nuclear bomb or a space rocket to bury WMDs on Mars :-) than it does to someone selling argyle socks. > >Or disconnect the user and send a bill. That would get > >people setting Administrator passwords on their XP systems, > >and turning off file sharing, and being careful before > >clicking on attachments! > > I agree with part of that, but once again, you indulge > the witless part of the agenda: let's clobber Microsoft. > Let's distract the discussion by invoking the devil. No, I am not calling Microsoft the devil, Len - nor, I hope, am I being devoid of intelligence here ;-) > XP systems are vulnerable but so are Linux > systems. So are Unix systems. So are Solaris systems. Not in the same way. They have vulnerabilities, but very few Linux or Solaris systems have an empty root password, and I've yet to encounter a Unix (or linux) distribution that enabled writeable file sharing by default. There are other architectural differences but I don't need to go into them here. It's not about the vendor... I happen not to like some of Microsoft's (past) business practices, I happen not to like some of SCO's (current) business practices, but this is technical, not political. It's a new class of vulnerability: the easy ability to install remote malicious software on massive numbers of computers sitting outside firewalls. If the dominant OS were MacOS or Solaris, we'd need to push on Apple or Sun to be very responsive with such problems. > >The ISPs could go further and reject forged email. Then > >the current wave of email viruses and spam (and viruses > >that are used for spammers to send email) would go away. > > But they have to look first and again, Gibson says such > forgeries aren't always detectable. Should we get rid > of anonymous accounts? XP could remove the raw sockets. The raw socket access was added as part of the antitrust settlement. Forgeries *are* detectable at the ISP, because the ISP knows what IP their customer has at the end of that cable or ADSL or dialup conenction, and hence an incoming packet saying it's from some IP not at the other end of that "leaf" connection is bogus and should be dropped. In the same way, mail claiming to be sent from some other ISP is clearly forged. This doesn't affect people using HTML mail services such as hotmail, but only outgoing SMTP connections, which some ISPs already disallow, thankfully. > The W3C priorities should reflect the immediate realities > and needs. What is the mandate of the consortium? "To lead the Web to its full potential"... Note, however, that TCP/IP and email are not within the mandate of the W3C - they are IETF specs. Go beat up on the IETF :-) Joking aside, I've been wondering for a while if this is an area where W3C could write up vendor-neutral white papers that may help legislators around the world. But we don't have a lot of resources to do such work, unfortunately. best, Liam -- Liam Quin, W3C XML Activity Lead, http://www.w3.org/People/Quin/ http://www.holoweb.net/~liam/ 
|
PURCHASE STYLUS STUDIO ONLINE TODAY!Purchasing Stylus Studio from our online shop is Easy, Secure and Value Priced! 
Download The World's Best XML IDE!Accelerate XML development with our award-winning XML IDE - Download a free trial today! Subscribe in XML format
|
|||||||||
