Re: Groklaw's "Bias" and the SCO DDoS Attack
From: Bill Vermillion (bv_at_wjv.comREMOVE)
Date: 12/15/03
- Previous message: Stuart J. Browne: "Re: Are there simply inharent problems with SCO 5.0.6 IP printing ?"
- In reply to: Jeff Liebermann: "Re: Groklaw's "Bias" and the SCO DDoS Attack"
- Next in thread: Bill Campbell: "Re: sco-list: Re: Groklaw's "Bias" and the SCO DDoS Attack"
- Reply: Bill Campbell: "Re: sco-list: Re: Groklaw's "Bias" and the SCO DDoS Attack"
- Reply: Jeff Liebermann: "Re: Groklaw's "Bias" and the SCO DDoS Attack"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Sun, 14 Dec 2003 23:45:01 GMT
In article <kn6ptv4d2g4lm20l6o1fllnt9djrg3br16@4ax.com>,
Jeff Liebermann <jeffl@comix.santa-cruz.ca.us> wrote:
>On Sun, 14 Dec 2003 15:35:01 GMT, bv@wjv.comREMOVE (Bill Vermillion)
>wrote:
>>Yup. And if I'm not mistaken if the server is behind a firewall
>>on the same local LAN your office machines are you can congest that
>>LAN - again providing you have incoming links fast enough to make a
>>different - which is not that common.
>I left out saturating the router. Many web servers are cheap NAT type
>routers, with port 80 redirected to a web server on the LAN side. Add
>a few complex ACL rules and the router will choke before the server
>overloads. My guess(tm) is that SCO doesn't do it that way. However,
>my last visit to a large server farm showed a substantial number of
>cheap routers hanging in back of a 2ru server.
Gack! I've seen some pictures of places like that. Little towers
on shelves, open racks in cages, wires everywhere. Struck me
that cost was the goal and not reliability. OTOH where I have my
servers you can't even tell what is in the rack next to you unless
someone happens to be working on them as the doors are all solid
front and back. The only things you can see are the cages -
usually 8 or 10 feet by 14 feet.
I've only been in a half-dozen facilities - and of the ones I've
been in only Uunet in McLean VA had racks where you could see what
was in them as the doors were smoked Plexiglas. Last year a woman
was installing equipment in a cage - it may have been Teradata
OC-192s as I recall - and I asked "Just how much is this worth"
She said "I don't really know but the one I installed in Miami last
month was $14 million". Sounds like the opposite end of the places
you describe.
>A fast glance at the racks appeared to indicate that many of
>the servers had no independent firewall of any kind between the
>switch/router and the web server and probably rely on a software
>firewall of some sort.
There is one school of thought that if it is a dedicated single-purpose
machine and you have it tightened down it can be directly on the
net.
>>You've never seen one? It takes ONE machine - at least a 486 -
>>three NIC cards - and $995. [That was the price when I first saw
>>it].
>I've built my share of FreeSco and LRP firewalls. I've setup
>a DMZ port on these for servers. I've also used Sonicwall DMZ
>routers. However, be advised that there are two flavours of DMZ.
>One is a real DMZ, between two routers, where access to the
>servers in the DMZ are still subject to the firewall rules of the
>outer WAN router. The other has no dedicated port, and assigns
>a single NAT LAN side IP address that has no filtering rules
>applied of any sort. The former is a classic dual router plus DMZ
>incantation and offers proper security. The latter is found on
>cheap NAT routers.
There is still a 3rd class then. Those are machines with 3 or 4
NIC cards - and with nothing running on them except firewall/router
SW - so you have the equivalent of the above. Public on first
NIC. Second NIC connects to switch with the DMZ machines on it.
Then you have the protected net running off the 3rd NIC.
>That said, I actually have seen and setup Sonicwall DMZ routers.
>However, after tinkering with the topology and thanks to the rather
>odd way that SBC/PBI delivers 5ea IP addresses, it was decided to move
>the public web server out of the DMZ, and onto the LAN. What I was
>thinking is that I have never seen a real dual router plus DMZ setup
>where there really are two separate physically separated boxes. I'm
>sure they exist and serve their purpose, but the class of customer
>that I deal with simply doesn't have the talent, resources, or need
>for such an arrangement.
As above - you can have the DMZ and separate nets all inside one
box - as each really is separated from the other.
>>I don't think $1000 is too much for a firewall and many of the
>>small business solutions in HW cost far more than that.
>>And I've seen people who might be considered anal retentive put
>>their own servers behind their firewall on their own local LAN.
>>From my POV that has the potential for disaster if someone breaks
>>the web server.
>Yep. The price of NAT "protection" is the lowest of the whole bunch
>of potential solutions. There's a place for those that always pick
>the cheapest.
Sort of like searching for the cheapest insurance policy and then
when you need to collect find the insurer has gone out of business.
>>Absolutely. Not having enough to have duplicates of everything I
>>run the secondary MX on another machine - but no machines are doing
>>more than two things.
>That's a good rule but does get expensive. I'm currently watching one
>company switch from my "single application server" philosophy, to a
>Windoze 2003 server, all the eggs in one basket solution.
So when one thing breaks they all break. Sounds like something
a vendor talked them into.
> The inspiration was that the mix of OSR5, Linux, and W2K servers
>was so reliable, that nobody bothered to do any maintenance and
>upgrades. Eventually, things started to literally fail and die.
>So, they were forced to buy new hardware and didn't want to pay
>for transplanting multiple servers. So, their rent-a-wizard
>decided that the answer to all problems was Windoze 2003 server.
>I haven't seen the cost but it wasn't pretty. When finished,
>there will EVENTUALLY be a second backup AD server and a possible
>offsite mirrored server, but all the single application boxes that
>have been puttering along nicely for 10 years will be history.
>They rejected my suggestion of "Tower of Babel" as an appropriate
>project name. This should be interesting.
I like that name.
>>If the web server is on the inside I can see why they would
>>have internal LAN problems. Look at how badly the Slammer slowed
>>down internal systems as well as network systems. But since we do
>>not know the full configuration we'd just have to guess.
>I'm not very good at probing past firewalls. However, the recently
>posted SCO DNS Zone transfer should give a few clues as to SCO's
>internal topology. For example, sorting the list by IP address will
>show which services are resident on the same box.
And I like to use multiple IPs all on the same box, so that if
I need to change something - or move a service from one box to
another - or put up a separate box - it's simply a matter of
unaliasing one box and install that IP on another. We all have our
way of doing things. I'm the lazy type so I don't like to make
more work for myself in the future.
-- Bill Vermillion - bv @ wjv . com
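The three-NIC firewall box Bill describes (public on the first NIC, the DMZ switch on the second, the protected LAN on the third) is easy to state as a packet-filter ruleset. The script below is an added example, not code from anyone in this thread; it uses Linux iptables, and the interface names, subnets and the two DMZ host addresses are assumptions chosen for illustration. The one property that matters is the explicit refusal of DMZ-to-LAN traffic: if the public web server is broken into, the attacker still has no path onto the office network, which is exactly what the "server on the inside LAN" arrangement lacks. Commands go through `$IPT` so the ruleset can be printed with `IPT=echo` before it is applied as root.

```shell
#!/bin/sh
# Added example (not from the thread): a three-NIC firewall/router with
# public, DMZ and protected networks each on its own NIC, as iptables rules.
# Interface names, subnets and host addresses below are assumptions.

IPT="${IPT:-iptables}"                 # set IPT=echo to print instead of apply
WAN_IF="${WAN_IF:-eth0}"               # NIC 1: public side
DMZ_IF="${DMZ_IF:-eth1}"               # NIC 2: switch holding the DMZ machines
LAN_IF="${LAN_IF:-eth2}"               # NIC 3: protected internal network
DMZ_NET="${DMZ_NET:-172.16.1.0/24}"    # assumed DMZ subnet
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed internal subnet
WEB_HOST="${WEB_HOST:-172.16.1.10}"    # assumed public web server, in the DMZ
MX_HOST="${MX_HOST:-172.16.1.11}"      # assumed secondary MX, in the DMZ

apply_rules() {
    # Deny-everything defaults: nothing crosses between the three NICs,
    # and nothing reaches the firewall itself, unless a rule below allows it.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F
    $IPT -t nat -F

    # The firewall box may talk to itself and receive replies to its own traffic.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Replies to connections that were allowed may flow back in any direction.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Public -> DMZ: only the services we publish, each forwarded to its host.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 80 -j DNAT --to-destination "$WEB_HOST"
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 25 -j DNAT --to-destination "$MX_HOST"
    $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -p tcp -d "$WEB_HOST" --dport 80 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -p tcp -d "$MX_HOST" --dport 25 -m state --state NEW -j ACCEPT

    # LAN -> anywhere: internal users may reach the DMZ hosts and the Internet.
    $IPT -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT

    # DMZ -> LAN is refused. The default policy already drops it; the explicit
    # rule documents the intent and survives someone later relaxing the policy.
    $IPT -A FORWARD -i "$DMZ_IF" -o "$LAN_IF" -j DROP

    # DMZ -> Internet: outbound is needed so the MX can deliver mail.
    $IPT -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -s "$DMZ_NET" -j ACCEPT

    # Private addresses leaving on the public NIC are masqueraded.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
}

# "apply" installs the rules (run as root); "dry-run" prints them instead.
case "${1:-}" in
    apply)   apply_rules ;;
    dry-run) IPT="echo iptables"; apply_rules ;;
esac
```

Note that the script opens no management access to the firewall box itself (INPUT stays DROP apart from loopback and replies), so on a real deployment you would add a rule for whichever administrative service you use from the LAN side before applying it.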