Dark Reading is part of the Informa Tech Division of Informa PLC


Comments
DDoS Attack! Is Regulation The Answer?
davepiscitello,
User Rank: Apprentice
3/3/2014 | 12:28:17 PM
Re: More regulation? Don't think so
Regulation could come in the form of procurement requirements imposed on ISPs; for example, government agencies would not be able to accept bids on services unless the ISP were to provide ingress IP source address filtering (BCP 38). Other countries, or the EU, for example, could follow suit.

Quasi-regulation might also be appropriate. ICANN's SSAC has published a report on DDOS (SAC 065) that suggests that BCP 38 requirements be incorporated into ISO 27002 standards. The outcome of such an action would be that any organization that would seek ISO 27K compliance would have to provide antispoofing.
Marilyn Cohodas,
User Rank: Strategist
3/3/2014 | 11:57:29 AM
More regulation? Don't think so
It's hard for me to imagine a hue and cry for more regulation, Dave. Who would do the regulating? 
davepiscitello,
User Rank: Apprentice
3/1/2014 | 7:44:33 AM
Re: Just fix it!
Agree. John Bambenek makes this exact point in his quote.

There is a world of denial around (a) being the target of an attack and (b) the tangible + intangible cost of getting hit by a DDoS.

Ironically, and wrongly, some industry pundits are suggesting that the intangibles are decreasing because so many sites are under attack that "you don't stand out". I think this creates a really attractive denial proposition for folks who hear the cost of DDoS prevention services. Of course, they are still not thinking mitigation but response. 
Somedude8,
User Rank: Apprentice
2/28/2014 | 9:33:08 PM
Re: Just fix it!
Seriously! When looking at the cost of finding your digital shorts around your ankles, an ounce of prevention is absolutely the smart thing! I find it just completely nuts that this isn't super obvious.

I have a client right now wrestling with a colo/managed hosting facility. They are telling her that her server suffered from a DDOS attack because of problems in the code that runs her websites. Think about that one for a second... lol! Yeah, she is moving her stuff to another server with another company as we speak.
davepiscitello,
User Rank: Apprentice
2/28/2014 | 9:28:55 PM
Re: New Commons
This is certainly an approach that everyone's left off the table. 

Can you point to any economic studies that would be relevant or similar?
davepiscitello,
User Rank: Apprentice
2/28/2014 | 9:27:03 PM
Re: Just fix it!
Well, it's pretty evident from our current condition that you're right: getting everyone to do something voluntarily is not easy, nor is it working out for us. This is why regulatory intervention is beginning to look inevitable if not appealing. I think John Bambenek's observation that implementing antispoofing measures is actually not nearly as hard or expensive as it seems is important, though. Perhaps if more people debunk the "too hard, too costly" myths we'll see more uptake.
Brian Bartlett,
User Rank: Apprentice
2/28/2014 | 8:43:17 PM
New Commons
It's still the "Tragedy of the Commons" again, and again, and again! If we really want to be proactive I'd suggest the IETF let some economists have a look at the whole of the ecosystem. Surely there has to be more than myself in that overlapping of the fields. (hint: they both deal with constraints) Then use known externality mitigation strategies, which could include regulations, to deal with these. That's how you get ahead of this.
Marilyn Cohodas,
User Rank: Strategist
2/28/2014 | 3:02:24 PM
Re: Just fix it!
I tend to agree with you, @Somedude8, the eyes of most C-levels will glaze over at the first mention of UDP-based services, ingress filtering and BCP38. I suspect they will sit up and take notice given a choice between self-regulation or regulatory intervention. It goes without saying that the repercussions of a DDoS attack would not be welcome at all!
Somedude8,
User Rank: Apprentice
2/28/2014 | 2:45:47 PM
Just fix it!
I agree that this would be a great step forward:
"Don't connect to ISP's who don't enforce BCP38 at their customer edge. Don't buy transit from them. Don't peer with them."

However, I find that anytime a potential answer involves any variation of "If everyone would just...", that answer is just not going to happen. Besides, I think anyone C-Level got lost at "BC uh whatever that thing was. Just fix it, that is what we pay you for!"

Good article though!

