   Re: [xml-dev] Can A Web Site Be Reliably Defended Against DoS Attacks?


> That seems to say that in no case should one risk 
> any resource of critical value by putting it 
> on the web because eleven men so inclined can 
> always do it harm and this isn't a cost vs 
> benefit issue.

No, security is a risk-management issue.  If a dozen men can take me 
down for a day, and my daily revenue is $10/day, then it's not worth 
spending more than $10 to fix the problem.

> the overwhelming majority of defense is in the 
> social behavior of those outside one's own control, 
> that is, ensuring a system cannot be used to host 
> an attack.

Yup.  Unfortunately, the dominant desktop platform makes it very 
difficult to ensure this.  Esp when you consider how many VCR clocks 
still blink 12:00.  Consider it a case study as to why security and the 
Internet should not just be grafted on to an existing product that had 
no concept of "them," just "us."

> Is that really the case?  I read that Microsoft 
> was able to defend their servers this time 
> although SCO could not.

The virus was pointed at specific IP addresses (doing DNS lookups would 
have been too costly and obvious, I think).  Microsoft didn't defend, 
but they "ducked" by going to a new IP address.  SCO failed to defend 
themselves because they added a new name that pointed to the same IP 
address.  That was stupid and pointless.

Rich Salz, Chief Security Architect
DataPower Technology                           http://www.datapower.com
XS40 XML Security Gateway   http://www.datapower.com/products/xs40.html
XML Security Overview  http://www.datapower.com/xmldev/xmlsecurity.html



Copyright 2001 XML.org. This site is hosted by OASIS