Counter DoS

The phrase "seriously bad idea" comes to mind. Other phrases include
"illegal", "collateral damage", and "stupid".

    --Steve Bellovin, http://www.research.att.com/~smb

I actually thought that this was some kind of April Fools' Day joke a few weeks early.
Anyone who buys this should be shot on principle....Wait...First I have a bridge to sell them.

Any publicity is good publicity.

They haven't actually explained or shown what their product does. Just a
bunch of puffery to get the press to write about them.

In the 1990s another company announced their new security product:
"Sidewinder: The firewall that strikes back!" at the National Computer
Security Conference in Baltimore. Sidewinder used lots of information
warfare quotes from Winn Schwartau and ex-military types staffing their
sales suite.

I wouldn't be surprised when they finally reveal their product it is a lot
less than the hype. Right now it's a bit like a movie the movie studio
won't give the critics an advance screening, but has a big advertising
budget. Usually that is a sign of a stinker.

I remember the sidewinder. They had a huge marketing campaign aimed at convincing the customer that their firewalls were impenetrable. Their firewalls didn't sell all that well, and those that did sell proved to be a colossal failure. I still have a deck of 'sidewinder' playing cards from COMDEX. (Sorry for being off topic, just thought that was funny and brought back some nostalgia)

Greg

Sean Donelan wrote:

After reading that article, if this product really is capable of 'counter striking DDoS attacks', my assumption is that it will fire packets back at the nodes attacking it. Doing such an attack would be neither feasible nor legal. You would only double the effect that the initial attack caused to begin with, plus you would be attacking hacked machines and not the culprit themselves, thus pouring gasoline all over an already blazing inferno.

This product is a bad bad idea and anyone who invests money into it should slap themselves very hard with a metal gauntlet for being so gullible.

Greg

On the other hand, they could become immensely popular, reaching the
critical mass when one of them detects what is interpreted as an attack
from a network protected by another. Grab the popcorn and watch as they
all bludgeon each other to death. :)

Oh yes, let's not forget the fact that if enough sites have this 'firewall' and one of them gets attacked by other sites using this firewall it'll create a nuclear fission sized chain reaction of looping Denial of Service Attacks that would probably bring most major backbone providers to their knees.

(Popcorn's in the microwave as I speak)

Greg

Jay Hennigan wrote:

Sounds like efnet channel wars on a much more interesting scale.

Like I've said in previous posts - do we really want these people having tools
like this? Doesn't this make them the equivalent of 'script kiddies'?

How the hell could a company put something like this out, and expect not to
get themselves sued to the moon and back when it fires a shot at an innocent
party?

I hit send way too fast, heh.

What's going to happen when they find a nice little exploit in these buggers
(even if they have anti-spoof stuff in them) that allows the kids to take
control of them or trick them into attacking innocents? Instead of thousands
of DDoS drones on DSL and cable modems, you'll see kids with hundreds of these
'nuclear strike firewalls' on T1s, T3s, and higher, using them like they use
the current trojans?

No product is 100% secure (especially not something that runs under Windows,
but that's another issue), so how are they going to deliver updates? Or make
sure that the thing is configured right? I could see blacklists (BGP based)
cropping up of these systems, so that you can filter these networks from ever
being able to come near your network.

This is starting to sound more and more like a nuclear arms race - on one side
we have company a, on the other company b. Company A fears that B will attack
it, so they get this super dooper nuclear strike system. Company B follows
suit and sets one up as well. Both then increase their bandwidth, outdoing
the other until finally, script kiddie comes along, and spoofs a packet from A
to B, and B attacks A, and A responds with its own attack. ISPs hosting the
companies fall flat on their face from the attack, the backbone between the
two ISPs gets lagged to death, and stuff starts grinding to a halt for others
caught in the crossfire.

So, and who thinks that this is a good idea? :)

My mom likes the idea, she thinks it'll help her get her hotmail faster. (shrugs)

Brian Bruns wrote:

Plus imagine an attack originates behind one of these devices for some reason attacking another device. It'll just create a massive loop. :) That would be interesting.

Vinny Abello
Network Engineer
Server Management
vinny@tellurian.com
(973)300-9211 x 125
(973)940-6125 (Direct)
PGP Key Fingerprint: 3BC5 9A48 FC78 03D3 82E0 E935 5325 FBCB 0100 977A

Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com (888)TELLURIAN

There are 10 kinds of people in the world. Those who understand binary and those that don't.

Gregory Taylor wrote:

Oh yes, let's not forget the fact that if enough sites have this 'firewall' and one of them gets attacked by other sites using this firewall it'll create a nuclear fission sized chain reaction of looping Denial of Service Attacks that would probably bring most major backbone providers to their knees.

Fortunately people with less clue usually have less bandwidth. Obviously there are exceptions. I would expect to see localized tragedies if something like this would get deployed but predicting death of the internet is clueless.

Pete

Those plus "escalation of aggression" and "uncontrollable feedback loop".

Daniel Karrenberg

PS: I will spare you the re-run of a recent discussion I had with some
5-year-olds, but there *is* a certain similarity.

What's the going rate per megabyte for transit traffic? :)

Don't be so sure that people with no clue don't have bandwidth, large
companies with enormous resources sometimes end up with really clueless
people at the top and similarly clueless network techs.

But reality is it does not matter. Even five years ago, DoS attacks were
already usually distributed, coming mostly from compromised servers. Now
thanks to Microsoft's constantly buggy software and large deployment of
broadband, it's so easy for script-kiddies and alike to get hold of computers
to be used for such purposes (but at least our unix servers don't get
hacked as much...).

And I really hate this kind of script-kiddie attitude that if you strike me,
I'll strike you back even harder - revenge by the same means is not the
answer (and in many cases it's not the revenge but they just want to show
themselves off as being more daring than the last guy). But then again since
in US most people support death penalty and the government itself did not
care how many innocent afghans died when they were doing their own revenge,
then what are we expecting from the company execs - they might well buy this
crap strike-back with a vengeance firewall. I do hope, that if it were
to happen, it'll quickly become clear that this is totally illegal and
both Symbiot and those who bought it will end up in court and bankrupt
and that will establish good precedent for the future.

But as I mentioned in thread last week and as Sean Donelan mentioned
today too - all this looks a lot like a publicity hype in the making
for a probably crappy product (but not crappy in the way that it'll
actually force its users to break the law). We have about 20 days to
wait before it's released, so let's just wait and see how bad it really is.

> Fortunately people with less clue usually have less bandwidth.

Don't be so sure that people with no clue don't have bandwidth, large
companies with enormous resources sometimes end up with really clueless
people at the top and similarly clueless network techs.

Most Universities have a large clueless.. um, I mean, student population
sitting on 10 or 100 meg switched ports and several hundred meg's to the
Internet....

Eric :)

Eric Gauthier wrote:

Most Universities have a large clueless.. um, I mean, student population
sitting on 10 or 100 meg switched ports and several hundred meg's to the Internet....

You mis-spelled "faculty, researcher, and staff populations".
Today's students (as well as non-trivial portions of the
other populations) tend to be purpose and objective focused,
with what the folks on the 19th tee being somewhat less important.

Mmm. A firewall that lands you immediately in hot water with your
ISP and possibly in a courtroom, yourself. Hot.

Legality aside...

I don't imagine it would be too hard to filter these retaliatory
packets, either. I expect that this would be more wad-blowing
than cataclysm after the initial throes, made all the more ridiculous
by the nefarious realizing the new attack mechanism created by these
absurd boxen. A new point of failure and an amplifier rolled all
into one! Joy!

More buffoonery contributed to the miasma. Nice waste of time,
Symbiot. Thanks for the pollution, and shame on the dubious ZDnet
for perpetuating this garbage.

ymmv,
--ra

Two words (well...one hyphenated-reference):

spoofed-source

bah,
--ra

Yes, let's allow the kiddies who already get away with as little work as they can in order to produce the most destruction they can, the ability to use these 'Security Systems' as a new tool for DoS attacks against their enemies.

Scenario:

Let's say my name is: l33th4x0r

I want to attack joeblow.cable.com because joeblow666 was upset that I called his mother various inappropriate names.

I find IP for joeblow.cable.com to be 192.168.69.69

I find one of these 'security' systems, or multiple security systems, and I decide to forge a TCP attack from 192.168.69.69 to these 'security systems'.

These 'security systems' then, thinking joeblow is attacking their network, will launch a retaliatory attack against the offender, 192.168.69.69 thus destroying his connectivity.

Kiddie 1, Joeblow 0, The Internet as a whole 0

Greg

Rachael Treu wrote: