[AusNOG] NBN must avoid becoming 'failed state'

Andrew Fort afort at choqolat.org
Sat Sep 18 21:22:58 EST 2010


On Sat, Sep 18, 2010 at 9:09 PM, David Hughes <david at hughes.com.au> wrote:
>>
>> Didn't really happen.  Speaking holistically, it's hard to argue that the
>> state of the security art is any worse now than it's ever been.
>
> Can't say I can agree with that, Mark.  I reckon it did happen.  In the days of dial-up, the outbound capability of the average compromised machine was so limited that the target of a DoS attack was pretty much restricted to other dial-up clients.  V.90 only gave you 33k outbound, so you'd need a metric shedload of compromised machines to do any significant damage to a well-connected content source.
>
> With the advent of ADSL, the dramatically increased outbound capacity means that a botnet can now have a pretty good crack at a tier-1 web property or the root nameservers.   Take that to an NBN environment and you have gone from a 20:1 outbound ratio at 20 Mbps to a 2.5:1 ratio at 100 Mbps.  I'd suggest that even a single NBN-attached machine could do significant damage to an "average" web site.
>

And now that you can "kill anyone" with fewer bots, you just increased
the value of the botherders' assets.  e.g., if I only need 5000
machines instead of 50k for a "single unit of pwn", I have 90% of my
infrastructure idle for making me more money.  I'm assuming the market
has sufficient demand for additional DDoS, but the point is any
additional packet-per-second makes the herders more money.  As we
know, Ethernet networks are generally very effective at delivering
line rate.  So expect DDoS to put heavy pressure on the G[x]PON OLTs.

> So I stand by my autobahn analogy.  The problem has always existed.  But at higher speeds it's just more dramatic (or a dramatic outcome is much easier to achieve).

I think you're 100% right - the botherders will follow the money, and
they'll come to the NBN like they have to other hyper-connected
societies, because it makes them more money to do so.  I read that as
Roland's message.

I'd like to see the NBNco talk about rate-limiting and other tactical
measures (such as temporary ACLs, pushback-like approaches and so on),
that can be triggered by RSPs via the API, as a way of rapidly
reducing the economic value of the end hosts attached to the NBN for
bot herders.  That'd be something they could be really proud of, I
reckon.

-a
