Comment: Re:Best be a Coward for 5 minutes........ (Score 1) 217

by fwr (#35074696) Attached to: Firewalls Make DDoS Attacks Worse
A successful DDOS attack makes actual, valid, requests to the victim host. If it is a web browser, then it makes actual HTTP requests, possibly to the home page, possibly taking a random URL off that home page, in the same domain, and crawling the web site. Simply replying with an Ack isn't going to do squat. There are services out there that can scrub the requests for you. I'm not going to mention the name of the company, but you can research it if you want. Basically, once you sign up traffic normally goes to your site. However, if you are attacked they can use BGP to make your traffic go through their systems, and they scrub the traffic using proprietary methods, and only send clean non-DDOS traffic to your site. There are other things you can do also, if you have the right gear. You can inject an HTTP cookie if you get more than x requests from a particular IP address within y seconds, and then any future requests may get dropped (if you have a complying web browser or HTTP stack on the other end). Or, you can just keep a list of IPs that appear to be infected and drop the traffic if it is from those IP addresses. That's what is behind Cisco's and TippingPoint's, and just about any other decent IPS vendor's "reputation services" or whatever they brand it as. There is a lot you can attempt to do about DDOS, but "simply replying with an Ack" isn't a good one.
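The cookie challenge mentioned in the comment above (more than x requests from one IP address within y seconds), sketched as an added example that is not part of the original comment or any vendor's product. The HMAC-signed cookie format, the class name, the secret and the thresholds are all assumptions.

```python
import hashlib
import hmac
from collections import defaultdict, deque

SECRET = b"constructed-demo-key"  # assumption: per-deployment secret
MAX_REQUESTS = 5                  # "x" in the comment
WINDOW_SECONDS = 10               # "y" in the comment
CHALLENGE_TTL = 300               # assumption: how long a challenge stays active


class CookieChallengeLimiter:
    def __init__(self):
        self.history = defaultdict(deque)  # ip -> recent request timestamps
        self.challenged = {}               # ip -> time the challenge expires

    def _token(self, ip, issued):
        # Cookie is "<issued>.<HMAC(ip|issued)>", so it cannot be replayed from another IP.
        mac = hmac.new(SECRET, f"{ip}|{issued}".encode(), hashlib.sha256)
        return f"{issued}.{mac.hexdigest()}"

    def _valid(self, ip, cookie, now):
        try:
            issued = int(cookie.split(".", 1)[0])
        except (AttributeError, ValueError):
            return False  # missing or malformed cookie
        fresh = 0 <= now - issued <= CHALLENGE_TTL
        return fresh and hmac.compare_digest(self._token(ip, issued), cookie)

    def handle(self, ip, now, cookie=None):
        """Return (action, cookie_to_set); action is allow, challenge or drop."""
        if self.challenged.get(ip, 0) > now:
            # Challenged IP: only clients that echo the cookie get through.
            return ("allow" if self._valid(ip, cookie, now) else "drop"), None
        self.challenged.pop(ip, None)      # challenge expired, track normally again
        window = self.history[ip]
        window.append(now)
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()               # forget requests outside the window
        if len(window) > MAX_REQUESTS:
            self.challenged[ip] = now + CHALLENGE_TTL
            return "challenge", self._token(ip, int(now))
        return "allow", None
```

A client that never stores cookies is dropped until the challenge expires, which is the trade-off the comment notes about needing a complying browser or HTTP stack on the other end.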

Comment: Re:Definition, please (Score 1) 525

by fwr (#34792398) Attached to: Bufferbloat — the Submarine That's Sinking the Net
I'd say it is more of a problem of incorrectly configured QoS, or hardware with insufficient QoS capabilities, rather than large buffers. Obviously they are not using WRED or other methods, or the thresholds per queue are set too high to activate WRED or other packet drop mechanisms. This results in the buffers always being near 100% full, during periods of congestion. There are a slew of QoS capabilities on different hardware from different manufacturers, and even from the same manufacturer. Cisco, for example, has different QoS capabilities on almost every different piece of hardware they sell. So, you have to be fairly diligent that you are configuring QoS correctly on each individual piece of equipment, many of which will have very different capabilities, to be able to ensure an overall QoS strategy for the whole network.

However, this proper functioning of QoS is, as anyone who really knows QoS knows, dependent on the proper configuration on every node in the network. If you are talking VoIP, for instance, just one improperly configured node, or even a single link on a node, can break QoS on the entire network (or at least flows going through that node/link). Since most cheap home equipment does not have configurable QoS settings, or at least not to the extent that Internet infrastructure devices do, they may well be part of the problem.

However, as far as the Internet infrastructure devices, if Comcast, or any other ISP, is suffering from "buffer-bloat" on their equipment I'd blame them for not configuring QoS appropriately.

Comment: Re:No shit, sherlock? (Score 1) 390

by fwr (#34524006) Attached to: 'Anonymous' WikiLeaks Proponents Not So Anonymous
You don't really know what you are talking about, do you? Tail bits? That's going to get you around egress filtering? Also, as pointed out by others, ISPs do ingress filtering, not egress. Egress filtering is what companies that have their own firewalls and/or routers are encouraged to do, but the ISP should be doing ingress filtering also.

Comment: Re:/. snottery (Score 1) 212

by fwr (#34138736) Attached to: Microsoft Open Sources F#
Oh come on. Not speaking for anyone else or any particular comment, I'd guess 90% of the snotty responses are in jest. One thing we do know, is that snotty responses get the attention of MS, and upset them. So, even if MS does something worthy of praise, the amount of praise would likely never exceed 10-30% of total comments, just because we like poking MS.

There is also the "once bitten twice shy" syndrome. MS has such a horrible past that even when they do something worthy of praise it is very difficult to trust that there is not some hidden scheme with ulterior motives. So please understand and forgive if us /. snots continue to have fun at the expense of MS.

Comment: Re:Can Zen Magnets sue? (Score 1) 475

by fwr (#33676234) Attached to: Countering a DMCA Takedown In the Magnet Wars
With the usual caveat of IANAL, I don't believe the voicemail is the property of Buckyballs. They left the voice mail, but they left it on someone else's voice mail system. The recording is owned by the receiver of the message, not the sender. Now if the message were recorded on a tape, CD, or some other device, and the device was sent to the recipient, I suppose an argument could be made that the original recording is copyright Buckyballs, but not a traditional voice mail. There is probably relevant case law on the matter, but again IANAL. As far as the images, that all depends on where they were obtained from. Many, if not most, social networking sites, which I'm assuming these were grabbed from, explicitly state in their terms that you give up copyright on anything that you post. So even the images may, in fact, be non-infringing. So, there are really two issues here. One issue is the original complaint in the voice mail, which I don't believe BuckyBalls has a leg to stand on in court. The second issue is the use of copyrighted material (the voice mail and the images of the BuckyBalls guy acting like an idiot), which BuckyBalls may or may not have a valid claim on. Don't confuse the comparison of the products with the DMCA take down notice. Cheers!

Comment: Re:so, not a hole (Score 5, Interesting) 213

by fwr (#33017702) Attached to: Wi-Fi WPA2 Vulnerability Found
Sigh. Understand the protocol before commenting, or at least RTFA. There IS an individual key per user. But, there is also a shared key used for broadcast traffic. The problem is that the shared key is not authenticated, so a user who knows the shared key (i.e., anyone with access to the wireless network), can use the shared key to spoof the AP and send messages to other users, and force them to give up or change their unique per-user keys. A "fix" would be getting rid of the shared key for broadcast, but that would require the AP to send a separate "broadcast" packet to each user individually, using their unique per-user key, instead of just one packet.

Comment: Re:I don't understand how it could be possible... (Score 2, Interesting) 213

by fwr (#33017670) Attached to: Wi-Fi WPA2 Vulnerability Found
There is an out-of-band key exchange. It is called a trusted certificate. You know, just like how HTTPS works. This is for WPA2 Enterprise, of which there are many different EAP methods possible, but for which most do include an out of band key exchange (i.e., certificates, or EAP-FAST PAK). In any case, there's also the old DH key exchange, which worked fine for IPsec for years.

Comment: Re:probably a bit ignorant here (Score 2, Insightful) 341

by fwr (#32163974) Attached to: Methane-Trapping Ice May Have Triggered Gulf Spill
The amazing thing is, if we allowed ocean drilling much closer to shore we wouldn't have these problems. One, the depth would not be so great that the pressure created these methane and ice / sludge pockets. Two, a leak, if one were to occur, would be much easier to contain. You could actually send someone down to fix the problem if it were close enough to the shore. You are not sending someone down under 5000 feet of water... So, ironically, it is the wacko environmentalists that are to blame for this situation. Their answer? Either don't drill at all, or if you do, drill even further out, where the problems are even greater. Yea, that makes a lot of sense...

Comment: Re:But your U.S. prices do not include tax (Score 1) 248

by fwr (#32136110) Attached to: iPad UK Pricing Confirmed; Apple UK Tax Applied
I think you are confusing the effort by some states to require companies to collect the use tax, and the requirement to pay the use tax in the first place. As far as I know, it is pretty clear that individual citizens are required to pay use taxes for items they purchase out of state. It has generally been up to the individual citizen to report and pay the use tax. States have recently attempted to get companies to collect and pay the use tax for citizens, because there is so much fraud when it comes to the use tax (people just don't voluntarily pay it, when is the last time you did, or know anyone who did?). I may be mistaken. My understanding is that a use tax would be unconstitutional. States are not supposed to have import/export taxes for trade with other states. That is what the inter-state commerce clause is all about, not the twisted definition that the SCOTUS dreamed up many years ago. Rather, it is to make trade "regular" (occurring normally and without impediment of additional taxes or levies imposed by states).
