   Re: [xml-dev] Re: Can A Web Site Be Reliably Defended Against DoS Attack


On Thu, Feb 05, 2004 at 01:38:37PM -0600, Bullard, Claude L (Len) wrote:
> If we want a better future, we have to invent it and 
> the pay for that has to keep us fed.  TimBL showed 
> the generals how to get something for nothing by taking 
> old missiles and putting monkeys in them.  Unfortunately 
> launching monkeys at the moon or any other target 
> thrills the monkeys but doesn't always get them there 
> with a whole skin.

I think your analogies are getting a little strained here :)

If we'd waited for a 100% reliable Web, with pre-fetching,
distributed cache integrity, and all the other needs that
could reasonably have been foreseen in the late 1980s,
we'd maybe still be waiting - but the Web has come a long
way since 1989, and we wouldn't have that experience.

There were people who said the ISO networking stack was
much better than TCP/IP - it was certainly more sophisticated,
and the size (and cost) of the specs helped to keep small
firms excluded nicely and equipment costs high.  Whether
that was intended I have no idea.  But the ISO WGs didn't
foresee modern DDoS attacks either, and neither did anyone else.

When you get to the point where a 14-year-old kid sitting at
home can quietly infect tens of thousands of Windows XP systems
remotely, and then use them all at once to send multiple gigabytes
per second of network data at a single target, it's hard to see
how any infrastructure could have coped.  Since you seem to
like military or space-rocket analogies, it's like firing up
your space shuttle to Mars only to find the intervening space
has suddenly filled with millions of explosive mines so densely
that no shuttle could hope to get past... and then blaming the
rocket engineers for such a stupid design that didn't predict
the change ;-)

The online world isn't bound directly by physics - changes
far more dramatic can and do happen.  In fact, DDoS attacks
by untrusted hosts were predicted in the early 1980s, when a
Sun workstation cost under US$10,000 and could be connected
to a University network via a Vampire clamp, and then could
send forged packets onto the net... something previously
very difficult.  A couple of years later, PCs with ethernet
cards were doing the same... and now PCs with broadband.

In this case it turns out that the ISPs have the power to
limit most of the damage -- they can detect forged packets
when a client sends them over the cable modem, and drop them.

Or disconnect the user and send a bill.  That would get
people setting Administrator passwords on their XP systems,
and turning off file sharing, and being careful before
clicking on attachments!

The ISPs could go further and reject forged email.  Then
the current wave of email viruses and spam (and viruses
that are used for spammers to send email) would go away.

But as others have said, a new wave would arise.

You mention DARPA funding of Web research -- it's true
(I think) that there's DARPA funding for Semantic Web
research, and no doubt for other work trying to move the
Web forward.  But don't confuse the Web with the Internet -
the rocket with the rocket fuel? - the Web could be 
thought of as the set of things that are nameable by a
URI.  The Internet is a set of networks reachable by IP.

You could have a World Wide Web with a different
infrastructure - e.g. over JANET with X.25 and friends.

At any rate, you can look back and say, "with all we
know today, the Web should have been designed differently"
but I don't think such reasoning is productive.  Better
to say "with what we know now, the following areas will
need improvements".  And that's research that's being
done today, of course.


Liam Quin, W3C XML Activity Lead, http://www.w3.org/People/Quin/
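
The forged-packet check the message attributes to ISPs, sketched as an added example (not part of the original e-mail): at the subscriber's access port, a packet is forwarded only if its source address lies in a prefix assigned to that subscriber. The port names, prefixes and packets are constructed, using documentation address ranges.

```python
import ipaddress
import struct
from collections import Counter

# Constructed sample: access port -> prefixes the ISP assigned to that subscriber.
ASSIGNED = {
    "cm-0001": [ipaddress.ip_network("198.51.100.16/30")],
    "cm-0002": [ipaddress.ip_network("198.51.100.20/30")],
}

def ipv4_header(src, dst, proto=17):
    """Build a minimal 20-byte IPv4 header (checksum left 0) for the samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)

def source_of(packet):
    """Return the source address of a raw IPv4 packet, or None if malformed."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return None
    return ipaddress.ip_address(packet[12:16])

def verdict(port, packet):
    """'forward' only when the source lies in a prefix assigned to that port."""
    src = source_of(packet)
    if src is None:
        return "drop-malformed"
    if any(src in net for net in ASSIGNED.get(port, [])):
        return "forward"
    return "drop-forged"

def filter_traffic(frames):
    """Apply the check to (port, packet) pairs and count verdicts per port."""
    stats = Counter()
    for port, packet in frames:
        stats[(port, verdict(port, packet))] += 1
    return stats

# Constructed traffic: one honest packet, two forged sources, one truncated packet.
SAMPLE = [
    ("cm-0001", ipv4_header("198.51.100.17", "203.0.113.9")),
    ("cm-0001", ipv4_header("192.0.2.77", "203.0.113.9")),
    ("cm-0001", ipv4_header("198.51.100.21", "203.0.113.9")),  # neighbour's address
    ("cm-0002", b"\x45\x00"),
]
```

The per-port drop counts from `filter_traffic` are also what an ISP would use to identify which subscriber line is emitting forged traffic.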

