[AusNOG] NBN must avoid becoming 'failed state'

Dobbins, Roland rdobbins at arbor.net
Sun Sep 19 17:28:59 EST 2010


On Sep 19, 2010, at 1:26 PM, David Hughes wrote:

>  I reckon the relationship between "available bandwidth" and "sophistication required to DoS a target" is inversely proportional.

In many cases, though not all, this is true.

> Why?  The ISP isn't going to be proactive as it's just a client using all their outbound.  Like that doesn't happen these days with the widespread use of torrents etc.  So when the web property owner realises that they are off the air then the "New York Minute" will start - well, once you get through a few layers of helpdesk people who don't know what you are talking about.  So for an average company they could easily be off the air for a week because it's unlikely they'll be constantly visiting their own site.  Given my more than cursory understanding of the average hosting company, they won't do anything until the client complains.  They'll just bill the excess traffic.

Correct - and the lack of situational awareness caused by inadequate instrumentation/telemetry coupled with the lack of ready mechanisms to effectuate mitigation, along with the lack of implementation of infrastructure self-protection mechanisms, increases the impact and collateral damage whilst reducing/eliminating the ability to squelch the threat.

> Correct - once the attack has been identified and reported to the hosting provider it can be easily mitigated.

Actually, this isn't nearly as commonplace as it should be.  I deal all the time with networks which are both targets and originators of attacks who, even if they finally figure out an attack is taking place, and even if they know the sources (they certainly know the destinations, heh), have no clue as to what to do and no way to go about doing it.

With NBN, there's an opportunity to mandate that the network elements themselves are protected against attack and subversion, and that the capabilities to protect the end-customer and the rest of the Internet against attack and subversion are inherent in all NBN-connected elements.

>  So sophisticated attacks are required against sophisticated targets.

I'd say that sophisticated attacks are required against sophisticated defenders, except when the attacker can achieve his desired result by bringing to bear such overwhelming unsophisticated attacks that the sophistication of the defender doesn't matter.

I'd further note that due to automation on the part of attack-tool vendors (for vendors they are, replete with 24/7 support helpdesks, maintenance contracts, et al. which ought to be the envy of most commercial software ventures), the ability of unsophisticated attackers to mount sophisticated attacks against sophisticated defenders has increased exponentially over the last 15 years or so, with no end in sight.

>  With a nice fat FTTH connection, unsophisticated attacks will work against unsophisticated targets.  We don't have that in our current environment.

Again, see the AusCERT presentation at AusNOG-04, the RoK/USA DDoS attack presentation from AusNOG-03, et al.  The vast majority of successful attacks are in fact unsophisticated attacks against unsophisticated defenders; the attackers ratchet up their efforts against sophisticated defenders.

Rather, unsophisticated attacks will work even more effectively against unsophisticated defenders, and their ability to impact even sophisticated defenders will be magnified.

At the risk of being repetitive - just as while they themselves don't manufacture or operate privately-owned motor vehicles, government do in fact set standards for things like automobile safety, driving regulations, and so forth, they've the very same responsibility for doing so on government-owned and -operated network infrastructure.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

 	       Sell your computer and buy a guitar.
