
Comments
DDoS Attack! Is Regulation The Answer?
davepiscitello
davepiscitello,
User Rank: Apprentice
3/3/2014 | 12:28:17 PM
Re: More regulation? Don't think so
Regulation could come in the form of procurement requirements imposed on ISPs; for example, government agencies would not be able to accept bids on services unless the ISP were to provide ingress IP source address filtering (BCP 38). Other countries or the EU, for example, could follow suit.

Quasi-regulation might also be appropriate. ICANN's SSAC has published a report on DDOS (SAC 065) that suggests that BCP 38 requirements be incorporated into ISO 27002 standards. The outcome of such an action would be that any organization that would seek ISO 27K compliance would have to provide antispoofing.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
3/3/2014 | 11:57:29 AM
More regulation? Don't think so
It's hard for me to imagine a hue and cry for more regulation, Dave. Who would do the regulating? 
davepiscitello
davepiscitello,
User Rank: Apprentice
3/1/2014 | 7:44:33 AM
Re: Just fix it!
Agree. John Bambenek makes this exact point in his quote.

There is a world of denial around (a) being the target of an attack and (b) the tangible + intangible cost of getting hit by a DDoS

Ironically, and wrongly, some industry pundits are suggesting that the intangibles are decreasing because so many sites are under attack that "you don't stand out". I think this creates a really attractive denial proposition for folks who hear the cost of DDoS prevention services. Of course, they are still not thinking mitigation but response. 
Somedude8
Somedude8,
User Rank: Apprentice
2/28/2014 | 9:33:08 PM
Re: Just fix it!
Seriously! When looking at the cost of finding your digital shorts around your ankles, an ounce of prevention is absolutely the smart thing! I find it just completely nuts that this isn't super obvious.

I have a client right now wrestling with a colo/managed hosting facility. They are telling her that her server suffered from a DDOS attack because of problems in the code that runs her websites. Think about that one for a second... lol! Yeah, she is moving her stuff to another server with another company as we speak.
davepiscitello
davepiscitello,
User Rank: Apprentice
2/28/2014 | 9:28:55 PM
Re: New Commons
This is certainly an approach that everyone's left off the table. 

Can you point to any economic studies that would be relevant or similar?
davepiscitello
davepiscitello,
User Rank: Apprentice
2/28/2014 | 9:27:03 PM
Re: Just fix it!
Well, it's pretty evident from our current condition that you're right: getting everyone to do something voluntarily is not easy, nor is it working out for us. This is why regulatory intervention is beginning to look inevitable if not appealing. I think John Bambenek's observation that implementing antispoofing measures is actually not nearly as hard or expensive as it seems is important, though. Perhaps if more people debunk the "too hard, too costly" myths we'll see more uptake.
Brian Bartlett
Brian Bartlett,
User Rank: Apprentice
2/28/2014 | 8:43:17 PM
New Commons
It's still the "Tragedy of the Commons" again, and again, and again! If we really want to be proactive I'd suggest the IETF let some economists have a look at the whole of the ecosystem. Surely there has to be more than myself in that overlapping of the fields. (hint: they both deal with constraints) Then use known externality mitigation strategies, which could include regulations, to deal with these. That's how you get ahead of this.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
2/28/2014 | 3:02:24 PM
Re: Just fix it!
I tend to agree with you, @Somedude8, the eyes of most C-levels will glaze over at the first mention of UDP-based services, ingress filtering and BCP38. I suspect they will sit up and take notice given a choice between self-regulation or regulatory intervention. It goes without saying that the repercussions of a DDoS attack would not be welcome at all!
Somedude8
Somedude8,
User Rank: Apprentice
2/28/2014 | 2:45:47 PM
Just fix it!
I agree that this would be a great step forward:
"Don't connect to ISP's who don't enforce BCP38 at their customer edge. Don't buy transit from them. Don't peer with them."

However, I find that anytime a potential answer involves any variation of "If everyone would just...", that answer is just not going to happen. Besides, I think anyone C-Level got lost at "BC uh whatever that thing was. Just fix it, that is what we pay you for!"

Good article though!
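For readers wondering what "enforce BCP38 at their customer edge" actually asks of an ISP, here is an added illustration (not from any commenter or from the article): a simulation of strict-mode ingress source-address filtering, where a packet is forwarded only if its source address falls within the prefixes assigned to the customer interface it arrived on. The interface names, prefixes and packets are constructed sample values using documentation address ranges.

```python
"""Simulated BCP 38 ingress (anti-spoofing) filter at an ISP customer edge."""
import ipaddress
from collections import Counter

# Constructed sample: which prefixes each customer-facing interface is allowed
# to source traffic from. A real router derives this from its routing/assignment
# data; here it is a static table for illustration.
CUSTOMER_PREFIXES = {
    "ge-0/0/1": ["203.0.113.0/24"],
    "ge-0/0/2": ["198.51.100.0/25", "2001:db8:1::/48"],
}


def bcp38_permits(iface, src_ip):
    """Strict-mode check: the packet's source must belong to a prefix
    assigned to the ingress interface. Address-family mismatches
    (v4 address vs v6 prefix) simply fail the membership test."""
    addr = ipaddress.ip_address(src_ip)
    nets = (ipaddress.ip_network(p) for p in CUSTOMER_PREFIXES[iface])
    return any(addr in net for net in nets)


def filter_packets(packets):
    """Apply the filter to (iface, src, dst) tuples.
    Returns (forwarded, dropped, per-interface drop counts) so an operator
    can see which customer port is emitting spoofed traffic."""
    forwarded, dropped, drops = [], [], Counter()
    for iface, src, dst in packets:
        if bcp38_permits(iface, src):
            forwarded.append((iface, src, dst))
        else:
            dropped.append((iface, src, dst))
            drops[iface] += 1
    return forwarded, dropped, drops


# Constructed sample packets (interface, source, destination).
SAMPLE_PACKETS = [
    ("ge-0/0/1", "203.0.113.7", "192.0.2.10"),            # legitimate
    ("ge-0/0/1", "198.51.100.5", "192.0.2.10"),           # spoofed: another customer's prefix
    ("ge-0/0/1", "192.0.2.1", "192.0.2.10"),              # spoofed: not assigned to this port at all
    ("ge-0/0/2", "198.51.100.200", "192.0.2.10"),         # spoofed: outside the /25
    ("ge-0/0/2", "2001:db8:1::beef", "2001:db8:ffff::1"),  # legitimate IPv6
]

if __name__ == "__main__":
    fwd, drp, counts = filter_packets(SAMPLE_PACKETS)
    print(f"forwarded={len(fwd)} dropped={len(drp)} drops_by_port={dict(counts)}")
```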

