Please create an account to participate in the Slashdot moderation system


Forgot your password?
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×

Comment Re:Solution? (Score 1) 135

Actually, in cases like this it would make it worse. This is not the DoS of your youth with spoofed IP addresses. This is millions of bots making seemingly legitimate requests simultaneously. With UDP DNS requests are a single packet. With TCP you get a SYN, SYN ACK, and SYN before you even get to the part where you're making the query...that would dramatically multiply the number of packets for each query from each bot, or for that matter on a regular day from a legitimate user meaning the connections would just be that much closer to being flooded all the time.

Comment Re:First lesson (Score 1) 135

Except that in reality the way it works is that each customer of an ISP is assigned a network block of IPs. If you find that customer is spamming you could block the entire network block. This is effectively the same thing as blocking the single IPv4 address assigned to a customer. The spammer would either need a new block of addresses from the ISP or a new ISP, effectively the same situation you have now with IPv4.

Comment Re:First lesson (Score 1) 135

+1 There is so much undeserved hate for IPv6 because people haven't taken the time to understand it.

NAT is not a security solution. If you would put a NAT device between your network and the Internet you can put a firewall between your network and the Internet. Yes, someone could potentially learn a small amount about your internal topology, well if you call being able to identify possible subnets withing your network learning about the topology, but the little they can learn is of dubious use. You still have no idea how most of those subnets are connected to each other (if you disable ICMP at your firewall or otherwise block tracerouting of your network from the Internet you can even prevent more) and even if you did please explain what substantial advantage an attacker has knowing how subnets are connected? If they're going that far it's an APT attack against your organization directly and you're probably done for because they will likely just trick someone inside the organization into installing malware on the network allowing them inside access and you'd have the same problems on IPv4.

Most of the rest of the list sounds like whining about more things you would have liked to have seen done, not things that are actually worse in IPv6 compared with IPv4.

Comment Re: What's the Solution? (Score 1) 135

An Arduino is just an AVR microcontroller, the same chip found in many electroinc/IoT devices. Point being when does it become an IoT device? If I sell it? How about if I just sell it to a few friends? Maybe I make and sell a small quantity on etsy? etc. It's hard to draw a line about when it's an IoT device and when it's just me playing around with electronics.

Comment Re:What's the Solution? (Score 1) 135

I would maintain that's not possible. Attackers will just write software that mirrors normal user traffic accessing a site. It's simply the fact that millions of devices will be accessing the site at the same time that takes the site/service down. Just like ye olden days when nearly every site mentioned in a ./ summary went down. The fundamental problem is that a truly distributed denial of service attack is just a coordinated accessing of a site from a large number of hosts. The only difference between that and just a lot of people visiting your site is that one is coordinated. Good luck detecting the coordination.

Comment Re: What's the Solution? (Score 2) 135

1) Yes, poorly designed IoT devices make the problem worse but it's existed long before IoT came along. 2) What qualifies as an IoT device, every Arduino with an Ethernet/WiFi port? The code isn't on them until you program them... 3) If mass regulation of all network connected products is the only way we have a problem because you're never going to get global agreement on that and it's going to be nearly impossible to enforce.

Comment Re:What's the Solution? (Score 1) 135

Yes, this is effective against some subset of attacks. There was a good reminder/discussion of this on the NANOG list this morning. The problem is 1) probably pretty much every ISP which can be convinced to do this is already doing it at this point, the others are probably a lost cause and 2) this only prevents attacks where the address actually is spoofed. If a large number of compromised devices are running malware they can just make an overwhelming number of legitimate service requests en masse...

Comment What's the Solution? (Score 3, Insightful) 135

I've heard a lot of people today saying there's a problem. Several of the commenters (on Brian Krebs' blog for example, on the NANOG list for another, and probably soon here on ./) say we should do something to fix this so it doesn't happen again. What I haven't heard is a real proposal about what to do about stopping DDoS attacks.

Comment Re:Blocking is illegal, but this isn't... (Score 1) 176

First, note thought that I was using the firearms example as a hyperbolic one, it's a harder argument to ban them due to constitutional protection and even so we're just beginning to see erosion of the right to ban them. Electronic devices would be somewhere far down the list. Second, we're not talking about a parking lot here, we're talking about an already secured area where many other things are also prohibited.

Comment Re:There's plenty of space (Score 4, Insightful) 176

This. The FCC is important, RF regulation is important as spectrum is a shared resource and is not contained by walls, geographic boundaries, etc. Someone needs to be in charge of preventing interference and encouraging research of effective use of a limited resource.

Side rant, I think it was a poor choice to raise a bunch of money by starting the sell spectrum to cell providers in the 90s instead of licensing it to them as had been done before and is still done for most frequencies. The FCC has effectively ceded regulatory control of huge chunks of spectrum so now a lot of power is concentrated into a few companies that own spectrum and it's not necessarily in their interest to pursue certain RF research or new RF technology and we have no societal via governmental way to force transitions to new technology. Imagine if TV stations owned their spectrum, we might never have been able to force a HD digital transition.

Comment Re:Blocking is illegal, but this isn't... (Score 2) 176

Exactly this. What the University can't prohibit is someone on different property running a competing wifi network. If they allow some hotspots or allowed you to pay a fee to run your own hotspot I could see some creative arguments to be made. What you absolutely don't have a right to do is to carry whatever you want onto someone else's property. Take for example weapons bans which prohibit students from bringing knives to school, to Disney World, etc. You can tell people that they are not welcome if they bring X onto your property all you want.

Comment Re:So They think they have a license for that band (Score 1) 176

Sort of. I may not be allowed to regulate your Part 15 device (e.g. emission levels, etc.) but I can tell you not to bring it onto my property. There are absolutely private establishments which prohibit you from taking a cell phone, laptop, or just about anything else inside. There is no guaranteed right to bring anything you want onto someone else's property. Even guns, a right specifically enumerated by the constitution, can be prohibited from a private establishment.

Comment Re:The entire security of the internet (Score 1) 111

I think it's a substantial exaggeration to say that the entire security of the Internet relies on the root CA system. There are a lot of organizations and people running encrypted communications over the Internet that are PSK or internally signed certificates. Think VPN connections. While a lot of public services such as web servers, email servers do rely on a very flawed CA system my point is that even if the entire CA system crumbled (which would be bad as I haven't seen any legitimate proposals about what to replace it with) that would not be the end of security on the Internet.

Slashdot Top Deals

Remember: use logout to logout.