OASIS Mailing List Archives
   RE: [xml-dev] Re: Can A Web Site Be Reliably Defended Against DoS Attack


They knew that what you are suggesting wasn't done.  That 
is the problem of 80/20; not that it can't be done, but 
that it won't be done until the problem is big.  It 
is the Titanic thing:  it wasn't how many but who died 
that forced changes. 

Again, I'm not talking about the problem of someone not getting 
their Amazon page up, but of a server used for communicating 
in real time to low-latency response assets.  It is the 
mission and the risk not being considered in the customer 
pull vs technology push thought.  Your example is 
precisely illuminating:  let's choose speed and 
ubiquity over safety and reliability. The GE engineers did 
the right thing: don't outdrive your headlights.

"And we know for certain that some lovely day, 
someone will set the spark off, and we will all be blown away."
- also Tom Lehrer

I don't care if the OSI stack was better or worse.  Spilt milk.

1.  Instead of wiping out mouths from Microsoft venom, let's 
acknowledge the root problem:  as currently implemented, there 
is no credible defense for DDoS.

2.  Let's talk about fixing that so we don't have to rely 
on social behavior to patch incomplete designs.

3.  Let's make sure the press and the customer know the 
risks.

len


From: Rich Salz [mailto:rsalz@datapower.com]

>There were people who said the ISO networking stack was
>much better than TCP/IP

I asked Marshall Rose about this.  He is one of the best "protocol 
wonks" in the world.  As one of his accomplishments, he did a very 
comprehensive open source implementation of the ISO protocols known as 
ISODE; here's one of the release announcements (note the date of the 
announcement) 
http://www-mice.cs.ucl.ac.uk/multimedia/misc/tcp_ip/8808.mm.www/0096.html

I asked him about denial of service attacks and he said "clnp/tp4 
doesn't contain any security advances over ip/tcp."  He then added
"in one sense, an OSI-based Internet would be more secure against DDoS:
there would certainly be fewer servers, desktops, and routers, and they
would be running much, much slower..."

BTW, the Internet's end-to-end principle makes it architecturally 
possible to have mutually authenticated communicating endpoints. Search 
for "RSVP IETF" and you can see that years ago real time delivery 
guarantees and QoS were possible, too.  If TCP/IP is 80/20, then it's at 
least an 80/20 unlike most others in that: *its architecture allows the 
last 20% to be done.*  VoIP might be a driver for real QoS.

I don't know what GE engineers you spoke with, but it appears to me that 
they were showing off and deriding something they didn't fully understand.

"Once the rockets go up
who cares where they come down?
That's not my department,"
says Wernher von Braun.
    --Tom Lehrer

Copyright 2001 XML.org. This site is hosted by OASIS