> 3) Find and convict the true attacker
Hash-based trace might help on that, *if* there was recording of the
packets to the zombies. But doing that ubiquitously might -- would? --
turn the Internet into a surveillance state.
Yep, the hard question isn't if we can, but if we should. We have the
advantage of Casino Network Traffic Analysis: the longer you play, the more
the odds favor the house. Tracking a single packet is difficult. But when the
player keeps returning, eventually you can find them.
Traffic analysis doesn't require looking at every packet, or even beyond
the packet header. Starting with the 750 zombies and slowly working
backwards is time consuming and expensive. On the other hand, putting a
few thousand taps in the network is getting easier all the time. Vendors
are including more Network Intrusion Detection features in their
products. Most of the DDOS products on the market today include some type
of traffic flow monitoring. With the right incentives, I'm sure the
vendors can improve their products.
But then we get to the unintended consequences. Once you collect the
traffic data, who else will want to use it for other things? I'm not
just talking about the government, but also divorce lawyers wanting
dirt on spouses, companies tracking and silencing critics, or even hackers
getting the records.
> 2) Track and stop DDOS quickly when it does happen
That's the point of pushback.
Triggered black holes, pushback, etc. will help. But reactive measures
aren't a complete answer.
> So how do we
> 1) Make end-user systems less vulnerable to being compromised
That's my real goal...
What incentive does the end-user have to use secure systems? Should
Microsoft, Sun, Sendmail Inc or ISC be required to send a technician out
to fix every defective system they released? Why should the ISP be held
accountable for the defects created by others? Car makers have to fix
defective cars, not the highway department.