[AusNOG] NBN must avoid becoming 'failed state'
David Hughes
david at hughes.com.au
Sat Sep 18 21:09:25 EST 2010
On Sat, Sep 18, 2010 at 07:23:03PM +0930, Mark Newton wrote:
>
> On 18/09/2010, at 12:07 PM, David Hughes wrote:
>
>> Security BCPs should be implemented regardless of the available bandwidth, however the end result of malicious use of unsecured networks will be much more significant when your outbound capacity increases by more than an order of magnitude.
>
> Sounds like the same stuff we were all talking about when ADSL started
> taking over from dialup.
>
> Didn't really happen. Speaking holistically, it's hard to argue that the
> state of the security art is any worse now than it's ever been.
Can't say I can agree with that, Mark. I reckon it did happen. In the days of dial-up, the outbound capability of the average compromised machine was so limited that the target of a DoS attack was pretty much restricted to other dial-up clients. V.90 only gave you 33k outbound so you'd need a metric shedload of compromised machines to do any significant damage to a well connected content source.

With the advent of ADSL, the dramatically increased outbound capacity means that a botnet can now have a pretty good crack at a tier-1 web property or the root nameservers. Take that to an NBN environment and you have gone from a 20:1 outbound ratio at 20mbps to a 2.5:1 ratio at 100mbps. I'd suggest that even a single NBN-attached machine could do significant damage to an "average" web site.

So I stand by my autobahn analogy. The problem has always existed. But at higher speeds it's just more dramatic (or a dramatic outcome is much easier to achieve).
David