   Re: [xml-dev] Re: Can A Web Site Be Reliably Defended Against DoS Attack


Just a short note here...

On Fri, Feb 06, 2004 at 09:33:55AM -0600, Bullard, Claude L (Len) wrote:
> From: Liam Quin [mailto:liam@w3.org]
> >When you get to the point where a 14-year-old kid sitting at
> >home can quietly infect tens of thousands of Windows XP systems
> >remotely, 
> 
> It is doable with Linux and Unix.  XP systems offer the 
> juicy target for master/zombie attacks because they dominate 
> the desktops.  This isn't about the virus; it is about the 
> systemic vulnerability to DDoS.

I was overly terse, sorry.  The point of XP is that the default
home install lets you skip setting an Administrator password,
without a good warning it seems, and enables file sharing.

There _are_ Linux systems (e.g. Knoppix) that don't set a root
password by default, but they are rare, and all the ones I've
seen they're booting from CD, so there's limited possibility of
installing trojans.

I'm not sniping at Microsoft here, but mentioning XP because
in fact they are the most commonly infected systems today,
even though Win98 may in fact still be about as widespread on
home desktops.

> >and then use them all at once to send multiple gigabytes
> >per second of network data at a single target, it's hard to see
> >how any infrastructure could have coped.  
> 
> That is the point and thanks.  As long as the Internet design 
> is that flaky, it is risky to tie the certain systems 
> together with it.   The WWW and the 
> press have to acknowledge this and to heck with the hindmost.

We should work to make it more robust.  But "mission critical"
means something different to someone designing a nuclear bomb or
a space rocket to bury WMDs on Mars :-) than it does to someone
selling argyle socks.

> >Or disconnect the user and send a bill.  That would get
> >people setting Administrator passwords on their XP systems,
> >and turning off file sharing, and being careful before
> >clicking on attachments!
> 
> I agree with part of that, but once again, you indulge 
> the witless part of the agenda:  let's clobber Microsoft.
> Let's distract the discussion by invoking the devil.

No, I am not calling Microsoft the devil, Len - nor, I hope,
am I being devoid of intelligence here ;-)

> XP systems are vulnerable but so are Linux 
> systems.  So are Unix systems.  So are Solaris systems. 

Not in the same way.  They have vulnerabilities, but very
few Linux or Solaris systems have an empty root password,
and I've yet to encounter a Unix (or Linux) distribution
that enabled writeable file sharing by default.  There are
other architectural differences but I don't need to go into
them here.  It's not about the vendor... I happen not to
like some of Microsoft's (past) business practices,
I happen not to like some of SCO's (current) business
practices, but this is technical, not political.

It's a new class of vulnerability: the easy ability to
install remote malicious software on massive numbers of
computers sitting outside firewalls.

If the dominant OS were MacOS or Solaris, we'd need to push
on Apple or Sun to be very responsive with such problems.


> >The ISPs could go further and reject forged email.  Then
> >the current wave of email viruses and spam (and viruses
> >that are used for spammers to send email) would go away.
> 
> But they have to look first and again, Gibson says such 
> forgeries aren't always detectable.  Should we get rid 
> of anonymous accounts?  XP could remove the raw sockets.

The raw socket access was added as part of the antitrust
settlement.  Forgeries *are* detectable at the ISP,
because the ISP knows what IP their customer has at
the end of that cable or ADSL or dialup connection,
and hence an incoming packet saying it's from some IP
not at the other end of that "leaf" connection is bogus
and should be dropped.  In the same way, mail claiming
to be sent from some other ISP is clearly forged.

This doesn't affect people using HTML mail services such
as hotmail, but only outgoing SMTP connections, which
some ISPs already disallow, thankfully.

> The W3C priorities should reflect the immediate realities 
> and needs.  What is the mandate of the consortium?

"To lead the Web to its full potential"...

Note, however, that TCP/IP and email are not within the mandate
of the W3C - they are IETF specs.  Go beat up on the IETF :-)

Joking aside, I've been wondering for a while if this is an
area where W3C could write up vendor-neutral white papers that
may help legislators around the world.  But we don't have a
lot of resources to do such work, unfortunately.

best,

Liam

-- 
Liam Quin, W3C XML Activity Lead, http://www.w3.org/People/Quin/
http://www.holoweb.net/~liam/
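
Added example, not part of the original message: a sketch of the leaf-connection check described above, where the ISP drops any packet whose source address is not one it assigned to the access port the packet arrived on (the practice documented as network ingress filtering in BCP 38). The port names, the address table and the sample packets are constructed for illustration, using documentation address ranges.

```python
import ipaddress
from collections import Counter

# Constructed table: access port -> prefixes the ISP assigned to that customer.
# Port names are hypothetical; addresses are RFC 5737 documentation ranges.
ASSIGNED = {
    "dsl-0017": ["192.0.2.44/32"],
    "cable-0102": ["198.51.100.16/29"],
    "dialup-7": ["203.0.113.9/32"],
}

# Constructed sample traffic: (ingress port, claimed source, destination).
SAMPLE_PACKETS = [
    ("dsl-0017", "192.0.2.44", "198.51.100.200"),    # customer's own address
    ("dsl-0017", "10.1.2.3", "198.51.100.200"),      # source not assigned here
    ("cable-0102", "198.51.100.18", "192.0.2.1"),    # inside the assigned /29
    ("cable-0102", "198.51.100.24", "192.0.2.1"),    # one past the /29
    ("dialup-7", "192.0.2.44", "198.51.100.200"),    # another customer's address
    ("unknown-port", "203.0.113.9", "192.0.2.1"),    # port with no assignment
    ("dsl-0017", "not-an-ip", "192.0.2.1"),          # malformed source field
]

def build_table(assigned):
    """Parse the prefix strings once so each lookup is a cheap containment test."""
    return {port: [ipaddress.ip_network(p) for p in prefixes]
            for port, prefixes in assigned.items()}

def source_is_valid(table, port, src):
    """True only if src lies inside a prefix assigned to the ingress port."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source: treat as bogus
    # Default deny: a port with no table entry validates nothing.
    return any(addr in net for net in table.get(port, []))

def filter_packets(table, packets):
    """Forward packets with a valid source; count drops per ingress port."""
    forwarded, dropped = [], Counter()
    for port, src, dst in packets:
        if source_is_valid(table, port, src):
            forwarded.append((port, src, dst))
        else:
            dropped[port] += 1
    return forwarded, dropped

if __name__ == "__main__":
    fwd, drops = filter_packets(build_table(ASSIGNED), SAMPLE_PACKETS)
    print("forwarded:", fwd)
    print("dropped per port:", dict(drops))
```

The per-port drop counter is the useful by-product: a leaf connection that keeps emitting packets with sources it was never assigned is a strong hint that the machine behind it is compromised.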
