Comments
DDoS Attack! Is Regulation The Answer?
Somedude8,
User Rank: Apprentice
2/28/2014 | 2:45:47 PM
Just fix it!
I agree that this would be a great step forward:
"Don't connect to ISP's who don't enforce BCP38 at their customer edge. Don't buy transit from them. Don't peer with them."

However, I find that anytime a potential answer involves any variation of "If everyone would just...", that answer is just not going to happen. Besides, I think anyone C-Level got lost at "BC uh whatever that thing was. Just fix it, that is what we pay you for!"

Good article though!
Marilyn Cohodas,
User Rank: Strategist
2/28/2014 | 3:02:24 PM
Re: Just fix it!
I tend to agree with you, @Somedude8, the eyes of most C-levels will glaze over at the first mention of UDP-based services, ingress filtering and BCP38. I suspect they will sit up and take notice given a choice between self-regulation or regulatory intervention. It goes without saying that the repercussions of a DDoS attack would not be welcome at all!
Brian Bartlett,
User Rank: Apprentice
2/28/2014 | 8:43:17 PM
New Commons
It's still the "Tragedy of the Commons" again, and again, and again! If we really want to be proactive I'd suggest the IETF let some economists have a look at the whole of the ecosystem. Surely there has to be more than myself in that overlapping of the fields. (hint: they both deal with constraints) Then use known externality mitigation strategies, which could include regulations, to deal with these. That's how you get ahead of this.
davepiscitello,
User Rank: Apprentice
2/28/2014 | 9:27:03 PM
Re: Just fix it!
Well, it's pretty evident from our current condition that you're right: getting everyone to do something voluntarily is not easy, nor is it working out for us. This is why regulatory intervention is beginning to look inevitable if not appealing. I think John Bambenek's observation that implementing antispoofing measures is actually not nearly as hard or expensive as it seems is important, though. Perhaps if more people debunk the "too hard, too costly" myths we'll see more uptake.
davepiscitello,
User Rank: Apprentice
2/28/2014 | 9:28:55 PM
Re: New Commons
This is certainly an approach that everyone's left off the table. 

Can you point to any economic studies that would be relevant or similar?
Somedude8,
User Rank: Apprentice
2/28/2014 | 9:33:08 PM
Re: Just fix it!
Seriously! When looking at the cost of finding your digital shorts around your ankles, an ounce of prevention is absolutely the smart thing! I find it just completely nuts that this isn't super obvious.

I have a client right now wrestling with a colo/managed hosting facility. They are telling her that her server suffered from a DDOS attack because of problems in the code that runs her websites. Think about that one for a second... lol! Yeah, she is moving her stuff to another server with another company as we speak.
davepiscitello,
User Rank: Apprentice
3/1/2014 | 7:44:33 AM
Re: Just fix it!
Agree. John Bambenek makes this exact point in his quote.

There is a world of denial around (a) being the target of an attack and (b) the tangible + intangible cost of getting hit by a DDoS.

Ironically, and wrongly, some industry pundits are suggesting that the intangibles are decreasing because so many sites are under attack that "you don't stand out". I think this creates a really attractive denial proposition for folks who hear the cost of DDoS prevention services. Of course, they are still not thinking mitigation but response. 
Marilyn Cohodas,
User Rank: Strategist
3/3/2014 | 11:57:29 AM
More regulation? Don't think so
It's hard for me to imagine a hue and cry for more regulation, Dave. Who would do the regulating? 
davepiscitello,
User Rank: Apprentice
3/3/2014 | 12:28:17 PM
Re: More regulation? Don't think so
Regulation could come in the form of procurement requirements imposed on ISPs; for example, government agencies would not be able to accept bids on services unless the ISP were to provide ingress IP source address filtering (BCP 38). Other countries or the EU, for example, could follow suit.

Quasi-regulation might also be appropriate. ICANN's SSAC has published a report on DDOS (SAC 065) that suggests that BCP 38 requirements be incorporated into ISO 27002 standards. The outcome of such an action would be that any organization that would seek ISO 27K compliance would have to provide antispoofing.