[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Your counsel on defeating DDOS Attacks



Alan,

A few of us at MITRE got together and have the following comments on
your proposal.

In our opinion, while some of the proposal may be "dreamy" as Craig
put it, the extra attention being paid to security right now could
help to establish this or subsequent documents as a "best practices"
recommendation which could then be enforced - either through
embarrassment as suggested by Pascal, by legal measures for a victim
company to force an attacking company to pay damages because they did
not perform due diligence, or for governments and large organizations
to use in their own requirements (e.g. by not purchasing products if
OS vendors don't configure systems securely out-of-the-box, or if
software vendors don't follow certain secure programming practices).

- Steve



====================
Key Trends Section
====================

Here are some suggested modifications.  We've cross-referenced some of
these points to ease their integration into the paper.

Additions
---------

1) Many times, machines are compromised in the first place because
programmers do not know how to write secure code, or security is
sacrificed in favor of new functionality.

2) New models of interactivity are widely deployed without paying
sufficient attention to security and control.  (E.g. the Melissa virus
and mobile code in general).

3) The volume and variety of information available, from a wide number
of sources, is extremely difficult for a system administrator to deal
with.  In addition, the size and diversity of computer networks makes
keeping up-to-date with security extremely difficult.  "Owner
carelessness" is not the only problem.

4) Often, security is not a corporate priority, which means that it is
under-supported financially.


Modifications
-------------

6th bullet - Many systems are configured to run unnecessary services
by default.  In turn this makes them useful as attack points.  Many
"everyday users" may thus become unwitting participants.



=======================
Immediate Steps Section
=======================


Additional Steps
----------------

Problem 4 (Unprotected computers):

1) Disable all unnecessary services on your systems.  While it's not a
panacea, a large number of systems have vulnerabilities in services
that aren't even necessary.

2) Each enterprise should create their own "top 20 list" of the most
important vulnerabilities that MUST be fixed by the enterprise.  (This
is more of a grassroots approach than creating a top 20 list based on
community consensus, which could be difficult to define for all/most
networks.)

Modifications
-------------

Problem 4 (Unprotected computers):

3rd bullet - All software vendors should (a) establish clear,
easy-to-use methods of distributing all security-related patches, and
(b) provide a distinct public acknowledgement when a problem arises.
This is currently the case with most major OS vendors (at least for
most significant problems) although it does not necessarily scale
well, but it is a problem with third party and minor vendors.


=========================
Long Term Efforts Section
=========================

Additions
---------

1) Encourage the widespread use of strong authentication.  Encryption
is mentioned in the proposal, but not authentication.

2) Programmers are strongly recommended to use or build tools that
help them to detect and avoid vulnerabilities during the software
development cycle.

3) Fund research into security assessment tools which are as easy to
use and deploy as anti-virus checkers (this is a long-term approach to
producing "system-hardening scripts" as described in the immediate
steps section).


Modifications
-------------

1st bullet (IP v6) - If you want to keep this paper strictly related
to DDoS (instead of including how to secure zombie/slave systems in
general), then consider removing or reprioritizing this bullet, which
doesn't curb spoofing or DDoS attacks.


Some of these ideas are the result of email exchanges with various
Board members.  All Board members, please feel free to add your
comments.

- Steve

Page Last Updated or Reviewed: May 22, 2007