Re: Groklaw's "Bias" and the SCO DDoS Attack

From: Bill Vermillion (bv_at_wjv.comREMOVE)
Date: 12/14/03


Date: Sun, 14 Dec 2003 15:35:01 GMT

In article <9laotv85umker16ih050vhu36roe5sd8a8@4ax.com>,
Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:
>On Sat, 13 Dec 2003 14:35:00 GMT, bv@wjv.comREMOVE (Bill Vermillion)
>wrote:

>>And worst case if the ISP is not a top tier they often have smaller
>>pipes and the attacks fill the pipes and cause all the other ISP
>>customers to have problems.

Regarding the above in reference to 'top tier'.

>There are three failure mechanisms.

>1. Fill up the downstream pipe with junk packets.

My machines will fall over before the downstream pipe fills up.
They all uplink at 100Mbit and if we ever hit 50Mbit/sec
on a 95th percentile we automatically get moved to 1Gbit uplinks.
It would take a concerted mass attack to clog that pipe. A long
time ago when we had service from Agis they went under attack
because they would not harness Spamford Wallace - and their main
routers went down - and they subsequently moved from Cisco to
something else. But in those days 10Gbit transport networks
weren't in place - and they were probably on nothing more than
something like an OC-12.

>2. Busy out the server delivering bogus web page requests.

Yup. And if I'm not mistaken, if the server is behind a firewall
on the same local LAN your office machines are, you can congest that
LAN - again providing you have incoming links fast enough to make a
difference - which is not that common.

>>The concept of public <-> dmz <-> protected seems to be overlooked
>>by many. You can put your web servers in the dmz and still not
>>affect your local net.

>Well, a dual firewall, with a DMZ full of public servers in between,
>with sacrificial honey pot servers, and with an intrusion detection
>system, will be far more secure than a single firewall. I suppose
>such systems exist, but I've never seen one. My customers are too
>small to afford it. The lack of such a system is not a sign of
>incompetence.

You've never seen one? It takes ONE machine - at least a 486 -
three NIC cards - and $995. [That was the price when I first saw
it].

GTA - Global Technology Associates - started with a program
called the Gnat Box. They are local and I guess I'm more familiar
with them than most because back in Thee Olde Dayze - before they
got their own connections - my machine was handling their email.

Paul Emerson - owner - had the first and for a while the only SW
fully ICSA certified firewall. He's branched out into drop-in
boxes but the original is still there.

I don't think $1000 is too much for a firewall and many of the
small business solutions in HW cost far more than that.
Maybe it's just that people don't know they exist. I do know that
for the first 2 or 3 years - when people weren't so concerned with
security in the US - the vast majority of Paul's systems
were in large to extremely large foreign corporate installations.
He's still a regular at CeBIT the last I heard.

[We've had some interesting things in Orlando - at one time
referred to as Silicon Swamp.]

We had one client [who wound up being a dot.bomb] who had a matched
pair of HW devices and a tunnel from their development site to the
servers in our racks.

The front end was a pair of redundant Sun Netras - running Apache -
in the DMZ were two machines running WebObjects and in the protected
network the Oracle database servers that WebObjects retrieved data
from and then passed on to the Netras. Those dedicated GTA devices
were about $2400 at the time - I don't know current pricing - but
you might take a look at their site - GTA.com

I have NO financial interest - but I've known the people there for
almost 10 years. Small company but exceptionally reliable
products.

>>You can make your public face a sacrificial lamb too. One old SCO
>>client when they moved to the dot.bomb environment had Suns on
>>the public IPs to handle the first web requests - which then went
>>to WebObjects servers in the dmz - which then queried the Oracle
>>database in the protected network. I don't know why so many don't
>>seem to follow this philosophy any more. And if they don't and have
>>problems it's their own damn fault.

>>These are my observations, but do you see any holes in those
>>arguments?

>No holes, just some comments.
>1. The non-routeable IP's are usually a side effect of having two
>IP's on a single ethernet interface.

And I've seen people who might be considered anal retentive put
their own servers behind their firewall on their own local LAN.
From my POV that has the potential for disaster if someone breaks
the web server.

>2. Dual firewalls are a big improvement in security. SCO might be
>able to afford and manage such a system. My customers can't.

Well $995 [that was the price] isn't that expensive when it comes
to security.

>3. I'm a big fan of 'single application servers' which largely follow
>what you describe.

Absolutely. Not having enough to have duplicates of everything I
run the secondary MX on another machine - but no machines are doing
more than two things.

>4. I don't think the DDoS attack is making it through the firewall.
>My guess(tm) is that the LAN side performance hit is coming from some
>necessary service (DNS, mail, local web pages) that is resident on the
>gateway. Moving them to a more protected machine will probably
>eliminate the performance hit.

If the web server is on the inside I can see why they would
have internal LAN problems. Look at how badly the Slammer slowed
down internal systems as well as network systems. But since we do
not know the full configuration we'd just have to guess.

I don't know how things are now - but in the past the pipe to the
SCO servers looked like it was no more than a T3 - and years ago
that was adequate - but for any decent sized company and with the
widespread use of broadband - I can't see doing that for publicly
accessible tech sites. But then again - after working in/on
the fast side for the past 3 years I am more than a little
prejudiced.

In closing, do check out www.gta.com when it comes to firewalls
including DMZ.

Bill

-- 
Bill Vermillion - bv @ wjv . com
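The public / DMZ / protected layout Bill describes (front-end web servers on public IPs, WebObjects application servers in the DMZ, Oracle in the protected network) is really a zone policy: each tier may only open connections to the next one in, and nothing else matches, so a compromised front end has no direct path to the database. The following Python model is an added illustration written for this page; it is not GTA's product, not the Gnat Box ruleset, and not code from the original post. The address ranges, the 8080 application port and the 1521 Oracle listener port are assumptions chosen to make the example concrete.

```python
"""Zone-based policy model of the public / DMZ / protected layout (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing. TEST-NET-2/3 stand in for real public space.
ZONES = {
    "public":    ip_network("203.0.113.0/24"),   # sacrificial front-end web servers
    "dmz":       ip_network("192.168.10.0/24"),  # application (WebObjects-style) servers
    "protected": ip_network("192.168.20.0/24"),  # database servers and office LAN
}
# Anything not in a named zone is treated as the Internet at large.
INTERNET = "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dport: int
    action: str  # "allow" or "deny"


# First match wins. Unmatched traffic is dropped: the policy is default-deny
# between zones, which is what makes the tiering meaningful.
POLICY = [
    Rule(INTERNET, "public", 80, "allow"),
    Rule(INTERNET, "public", 443, "allow"),
    Rule("public", "dmz", 8080, "allow"),        # assumed application port
    Rule("dmz", "protected", 1521, "allow"),     # assumed Oracle listener port
]


def zone_of(addr: str) -> str:
    """Map an IP address to its zone name, or 'internet' if it is in none."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return INTERNET


def evaluate(src: str, dst: str, dport: int, policy=POLICY) -> str:
    """Decide whether a new connection src -> dst:dport may be initiated.

    Only connection initiation is modelled; a stateful firewall would allow
    the reply packets of an accepted connection automatically.
    """
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return "allow"  # intra-zone traffic never crosses the firewall
    for rule in policy:
        if (rule.src_zone, rule.dst_zone, rule.dport) == (src_zone, dst_zone, dport):
            return rule.action
    return "deny"  # default deny


def reachable_zones(from_zone: str, policy=POLICY) -> set:
    """Zones a host in from_zone can open connections into.

    Useful for reasoning about blast radius: what an attacker who owns a
    box in that zone can talk to directly.
    """
    return {r.dst_zone for r in policy if r.src_zone == from_zone and r.action == "allow"}


if __name__ == "__main__":
    # A front-end box that has been broken into cannot reach the database tier.
    print(evaluate("203.0.113.10", "192.168.20.5", 1521))  # deny
    # The app tier can, on the one port the policy names.
    print(evaluate("192.168.10.5", "192.168.20.5", 1521))  # allow
    print(sorted(reachable_zones("public")))                # ['dmz']
```

The point of `reachable_zones` is the one Bill makes about putting servers on the office LAN: if the web server lived in `protected`, the only rule that could expose it would be an `internet -> protected` allow, and every flood or compromise aimed at it would then land on the same segment as the internal machines.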
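Bill's "50Mbit/sec on a 95th percentile" is the usual burstable-bandwidth measure: the provider samples throughput at fixed intervals over the billing period, sorts the samples, discards the top 5%, and bills (or here, upgrades the uplink) on the highest remaining sample. The consequence for the DDoS discussion is that a short flood is invisible to that number while a sustained one is not. The function below is an added example written for this page, not the provider's or GTA's code; the sample values are constructed.

```python
"""95th-percentile bandwidth calculation (added example)."""
import math
from typing import Sequence


def percentile_95(samples_mbit: Sequence[float]) -> float:
    """Return the 95th-percentile value of per-interval throughput samples.

    The top 5% of samples are discarded, so with 100 samples the answer is
    the 95th smallest value (nearest-rank method).
    """
    if not samples_mbit:
        raise ValueError("need at least one sample")
    ordered = sorted(samples_mbit)
    rank = math.ceil(0.95 * len(ordered))  # 1-based rank of the 95th percentile
    return ordered[rank - 1]


def needs_uplink_upgrade(samples_mbit: Sequence[float], threshold_mbit: float = 50.0) -> bool:
    """Mirror the policy in the post: 95th percentile at or above 50Mbit/sec."""
    return percentile_95(samples_mbit) >= threshold_mbit


def constructed_month(baseline: float, flood: float, flood_intervals: int, total: int = 100) -> list:
    """Constructed sample set: 'total' intervals at 'baseline' Mbit/sec with
    the last 'flood_intervals' of them replaced by a flood at 'flood' Mbit/sec."""
    if not 0 <= flood_intervals <= total:
        raise ValueError("flood_intervals must lie within the period")
    return [baseline] * (total - flood_intervals) + [flood] * flood_intervals


if __name__ == "__main__":
    quiet = constructed_month(baseline=30.0, flood=90.0, flood_intervals=5)
    long = constructed_month(baseline=30.0, flood=90.0, flood_intervals=10)
    print(percentile_95(quiet), needs_uplink_upgrade(quiet))  # 30.0 False
    print(percentile_95(long), needs_uplink_upgrade(long))    # 90.0 True
```

Five flooded intervals out of a hundred fall entirely inside the discarded 5%, so the percentile stays at the 30Mbit baseline; ten flooded intervals push the 95th-rank sample up to the flood rate and trip the threshold.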
