RE: Your counsel on defeating DDOS Attacks
Many good responses from the board to this proposal. Just wanted to add some thoughts I had as well. I think we are reaching the point where we are going to have to have some set of "standards" if you will to judge or measure a company against to ensure they are doing "due diligence" prior to trusting them with your business. Consider the parallel of the traditional, non-wired world....before you do business with someone you want some idea of how the transaction will take place, how will they care for your property, be it your car in a garage, or your money in a bank. There are standards established by which each can be evaluated. If your manufacturing business is going to depend on a supplier for parts then you would evaluate their operations to ensure that they meet proper standards or you won't do business with them.

Without getting too long winded here....I think we are moving toward something along the lines of BS7799- or NIST-like standards by which we can measure adherence to proper procedure (whatever those will become). If a software company or an e-commerce company is going to do business, do they meet standards, have they done "due diligence"? If not, then they should eventually disappear from the market as no one will trade with them.

Who is going to set these standards, enforce them....I don't know the answer to that one. Do we have "big government" set the standards? That's how BS7799 is being driven in Britain, but how would that fly elsewhere? Do we make the standards voluntary? Anyone who wants to abide by them can, those that don't won't....no teeth, how do you enforce those? Somewhere in between is my best guess. I don't have the answers, just questions and thoughts. But, I feel it will be necessary to address this issue eventually as well, maybe sooner than later.

Just my $.02 worth

-mike

-----Original Message-----
From: Steven M. Christey [mailto:coley@LINUS.MITRE.ORG]
Sent: Thursday, February 17, 2000 5:33 PM
To: cve-editorial-board-list@lists.mitre.org
Cc: gjg@MITRE.ORG; wrg@MITRE.ORG; ptasker@MITRE.ORG; ckrause@MITRE.ORG
Subject: Re: Your counsel on defeating DDOS Attacks

Alan,

A few of us at MITRE got together and have the following comments on your proposal. In our opinion, while some of the proposal may be "dreamy" as Craig put it, the extra attention being paid to security right now could help to establish this or subsequent documents as a "best practices" recommendation which could then be enforced - either through embarrassment as suggested by Pascal, by legal measures for a victim company to force an attacking company to pay damages because they did not perform due diligence, or for governments and large organizations to use in their own requirements (e.g. by not purchasing products if OS vendors don't configure systems securely out-of-the-box, or if software vendors don't follow certain secure programming practices).

- Steve

====================
Key Trends Section
====================

Here are some suggested modifications. We've cross-referenced some of these points to ease their integration into the paper.

Additions
---------

1) Many times, machines are compromised in the first place because programmers do not know how to write secure code, or security is sacrificed in favor of new functionality.

2) New models of interactivity are widely deployed without paying sufficient attention to security and control. (E.g. the Melissa virus and mobile code in general).

3) The volume and variety of information available, from a wide number of sources, is extremely difficult for a system administrator to deal with. In addition, the size and diversity of computer networks makes keeping up-to-date with security extremely difficult. "Owner carelessness" is not the only problem.

4) Often, security is not a corporate priority, which means that it is under-supported financially.

Modifications
-------------

6th bullet - Many systems are configured to run unnecessary services by default. In turn this makes them useful as attack points. Many "everyday users" may thus become unwitting participants.

=======================
Immediate Steps Section
=======================

Additional Steps
----------------

Problem 4 (Unprotected computers):

1) Disable all unnecessary services on your systems. While it's not a panacea, a large number of systems have vulnerabilities in services that aren't even necessary.

2) Each enterprise should create their own "top 20 list" of the most important vulnerabilities that MUST be fixed by the enterprise. (This is more of a grassroots approach than creating a top 20 list based on community consensus, which could be difficult to define for all/most networks.)

Modifications
-------------

Problem 4 (Unprotected computers):

3rd bullet - All software vendors should (a) establish clear, easy-to-use methods of distributing all security-related patches, and (b) provide a distinct public acknowledgement when a problem arises. This is currently the case with most major OS vendors (at least for most significant problems) although it does not necessarily scale well, but it is a problem with third party and minor vendors.

=========================
Long Term Efforts Section
=========================

Additions
---------

1) Encourage the widespread use of strong authentication. Encryption is mentioned in the proposal, but not authentication.

2) Programmers are strongly recommended to use or build tools that help them to detect and avoid vulnerabilities during the software development cycle.

3) Fund research into security assessment tools which are as easy to use and deploy as anti-virus checkers (this is a long-term approach to producing "system-hardening scripts" as described in the immediate steps section).

Modifications
-------------

1st bullet (IP v6) - If you want to keep this paper strictly related to DDoS (instead of including how to secure zombie/slave systems in general), then consider removing or reprioritizing this bullet, which doesn't curb spoofing or DDoS attacks.

Some of these ideas are the result of email exchanges with various Board members. All Board members, please feel free to add your comments.

- Steve