BSDI announcement about defense against syn-flooding attacks

Rob Liebschutz writes:
> It scares me to think how much effort has gone into defense against
> this one denial of service attack when there are endless possibilities
> for other ones.

Really? I don't think enough effort has been expended... which is why I'm
expending more.

This was intended to be a comparison of how much effort has already
been expended with how much more is really needed. I strongly agree
that more effort needs to be expended here. Both at the lab/research
level and at getting the technology on every box on the Internet (and
you've contributed significantly in both of those areas). Good
security requires an enormous amount of ongoing effort. It's not like
you secure your network and it's done.

At least one good things that's happened in the last few years is that
many vendors have started paying much more attention to security in
their products. This really helps in the distribution effort.

I've done alot of consulting in the past, and I've found at many sites
that the cost of security was very hard to sell. For startup ISP's
network security almost never had a line in the budget. They'd
usually tell me they can't afford it. I'd tell them they can't afford
to be without it. Of course alot of starup ISP's had never thought
about hiring a networking person either! You just go down to the
local discount computer store and buy a bunch of 10baseT hubs to plug
all your computers into. One big network :-).

Talk about startup ISP's (a little off topic here), I had one
"WANNA-BE" ISP come to me with a T1 already installed to PBI (no
CSU/DSU or router, no hubs, 1 windows 3.11 box) and they wanted me to
"bring them up as an ISP". I quoted them a price, but they told me
that they only had $3000 to spend. They didn't know what services
they wanted to provide either. Then there were two others that came
to me that had been sold NAP connections. One guy was sitting their
with a single Win95 box plugged into his Cisco 75xx with a DS3 NAP
connection, "Well, how do I get this thing configured?". Now he can
browse the WEB on his Win 95 box at DS3 speeds:-).

Th point is not that we have to defeat the SYN attacks. We all know by now
that the severity of that problem is, at least for modern OSes, reduced
to a tolerable level (or will be soon). But these SYN attacks are just
the precursor to other even more dangerous attacks that all share one
characteristic: forged source addresses. If we can use this event to
raise consciousness about the forged-source issue, everyone wins big. And
if we don't... well, film at 11, as we say.