
Re: SOI: identity protection and DOS



Sandy,
I should elaborate on the statement that "the attacker has to spend more
resources than the one being attacked".

The DDOS is a good example of an attacker leveraging weakly secured
computing resources to attack the one being attacked.
However, if this happens, the attacker still requires the skill/resources to
make extra effort (than those who do not) and leaves more trace behind.

The one being attacked must be valuable and have large resources in command.
If the attacker has to spend more or equal resources,
it will leave a much larger trace behind.

--- David



----- Original Message -----
From: "Sandy Harris" <sandy@storm.ca>
To: <ipsec@lists.tislabs.com>
Sent: Tuesday, November 20, 2001 2:19 PM
Subject: Re: SOI: identity protection and DOS


> david chen wrote:
> >
> > IPSec is id-protection first (DH-key exchange) then authentication.
> > As long as one can devise a mechanism such that the DDOS attacker has
> > to spend a larger or equal amount of resources than the one being attacked,
> > it will be home free.
>
> Not really. That's a reasonable goal, and may be enough to stop an attacker
> with limited resources, but you're hardly "home free".
>
> For one thing, many IPsec gateways are fairly limited devices -- older
> machines recycled as FreeS/WAN or *BSD gateways, low-cost dedicated devices,
> routers that may be older or bottom-of-line models, ... -- and methinks we
> do want those devices to be secure and reliable if possible.
>
> Also, an EvilDoer is not constrained to use only his own resources. He
> can fairly easily find a few dozen badly administered machines around
> the net, subvert them, and use their resources to attack you. At that
> point, he both has more resources than you and isn't paying for them,
> so if you want to stop him via resource constraints, then the attack
> has to be really expensive.
>
> What if he writes a virus and gets thousands of infected machines to
> attack you?
>

