
RE: IPSEC Security Gateways & NAT



David A.,
Agreed. However, only the higher-security system will have more resources and
will be highly visible to the community (the order could be reversed).

If this is a valuable IPSec server, the organization will
have allocated more valuable computing resources to it.

If the protocol is designed in such a way that the (D)DOS attacker will
have to do at least as much or more, then the
attacker will be equally locatable (due to consuming lots of valuable resources)
as the responder.

It is better than requiring all ISPs and POPs to trace all the "suspect"
traffic, which is ineffective and sacrifices the "privacy" that
IPSec started from.

Regards,

--- David


-----Original Message-----
From: Aronson, David
To: 'Chen, David'
Cc: 'ipsec@lists.tislabs.com'; 'Hilarie Orman'; 'warlord@mit.edu'
Sent: 6/27/01 11:21 AM
Subject: RE: IPSEC Security Gateways & NAT

David Chen writes:

 > One idea of deter/defend a DOS attack is the attacker
 > (initiator) will use more computing resource than the responder.

But sometimes the attacking person doesn't care.  Imagine these
scenarios:

 - The attacker's CPU horsepower is greater than yours, by enough that he
can drown you out without affecting too much whatever else he wants to do.
This could be either because he has a much faster system, or because he has
several systems attacking yours at once (i.e., a *Distributed* Denial of
Service Attack).

 - The attacking *system* (or group thereof) is not the property of the
attacking *person*, so the person doesn't care.  This is generally the case
in a DDoS attack, launched via a number of zombies, and often the case in
others, just for track-covering purposes.

 - The attacking system (or group thereof) is in fact a secondary *victim*
of the attacking person, so the person is even *happy* that the attacking
system is using up its CPU horsepower.

 - Lastly, don't forget the non-technical aspects.  Maybe the attacker
simply doesn't have anything better to do with his time.  (Mainly CPU time,
but I suspect many skr1pt k1dd13s have nothing better to do with their
real-world time!)  He can thus essentially subtract his CPU horsepower (or a
significant fraction thereof) from yours, without really being bothered; in
fact, he may find it entertaining, at least more so than homework.

-- 
Dave Aronson, Sysop of free public Fidonet BBS Air 'n Sun, +1-703-319-0714.
Opinions all MINE, not by Cryptek/NRA/SCA/Mensa/HWG/LPUSA/CAUCE/FedGov/God!
See my web site, at http://listen.to/davearonson (last updated 2001-06-27).
Device-driver proggers: see http://www.cryptek.com and send me your resume!
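The design principle David Chen argues for above, that the initiator should have to spend at least as much computing resource as the responder before the responder commits any, is usually realised as a client puzzle. The block below is an added example, not code from either message or from any IPsec implementation: a hash-based puzzle in which the responder issues a random nonce and a difficulty, the initiator must brute-force a counter until SHA-256(nonce || counter) has that many leading zero bits, and the responder checks the answer with one hash. The nonce layout, the 8-byte counter encoding and the function names are all assumptions made for the example.

```python
import hashlib
import secrets

# Added example (not from the thread): a hash-based client puzzle.  The
# responder issues a nonce and a difficulty; the initiator must find a
# counter whose SHA-256 with the nonce has `difficulty` leading zero bits;
# the responder checks the answer with a single hash.  Difficulty 12 means
# roughly 4096 hashes of initiator work per connection attempt.


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a byte string."""
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
        else:
            count += 8 - byte.bit_length()
            break
    return count


def make_puzzle(difficulty: int) -> tuple[bytes, int]:
    """Responder side: a fresh random nonce bound to the required difficulty."""
    return secrets.token_bytes(16), difficulty


def _digest(nonce: bytes, counter: int) -> bytes:
    # Assumed wire encoding: nonce followed by an 8-byte big-endian counter.
    return hashlib.sha256(nonce + counter.to_bytes(8, "big")).digest()


def solve_puzzle(nonce: bytes, difficulty: int) -> tuple[int, int]:
    """Initiator side: brute-force counters until one satisfies the puzzle.

    Returns (solution, hashes_computed) so the caller can see how much work
    the initiator had to spend.
    """
    counter = 0
    while True:
        if leading_zero_bits(_digest(nonce, counter)) >= difficulty:
            return counter, counter + 1
        counter += 1


def verify_solution(nonce: bytes, difficulty: int, solution: int) -> bool:
    """Responder side: exactly one hash, whatever the difficulty."""
    if not 0 <= solution < 2**64:
        return False
    return leading_zero_bits(_digest(nonce, solution)) >= difficulty


def work_asymmetry(nonce: bytes, difficulty: int) -> tuple[int, int]:
    """Hashes spent by the initiator vs. the responder for one puzzle round."""
    solution, initiator_hashes = solve_puzzle(nonce, difficulty)
    responder_hashes = 1
    if not verify_solution(nonce, difficulty, solution):
        raise RuntimeError("solver produced an invalid solution")
    return initiator_hashes, responder_hashes


if __name__ == "__main__":
    nonce, difficulty = make_puzzle(16)
    init, resp = work_asymmetry(nonce, difficulty)
    print(f"difficulty {difficulty}: initiator hashed {init} times, responder {resp} time")
```

The responder's cost is one hash per attempt no matter how high the difficulty is set, which is the asymmetry the first message wants; the responder can also raise the difficulty only while under load, so legitimate peers pay almost nothing in normal operation. The quoted reply's objection still stands, though: a puzzle raises the CPU price of each attempt but does nothing about an attacker whose CPU belongs to someone else or who is happy to burn it, and nothing at all about bandwidth exhaustion, so it is a rate limiter on one resource rather than a cure.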