[clug] Secure your Internet facing stuff (was Re: googlebot doing funny things in logs)

Robert Edwards bob at cs.anu.edu.au
Fri Jun 17 18:25:47 MDT 2011


On 18/06/11 09:14, Craig Small wrote:
> On Fri, Jun 17, 2011 at 06:21:34PM +1000, Sam Couter wrote:
>> Jason <j.lee.nielsen at gmail.com> wrote:
>>> Banking and stock markets are vulnerable I can see that because they need interaction with humans all over the world but really why is anything to do with water or electricity supply on the internet?
>> I imagine for the same reason anything else is hooked up to the
>> internet: Easy and convenient remote access. Some water and electricity
>> infrastructure is remote enough and in tough enough terrain that it's
>> difficult (expensive) to physically get to on a regular basis.
>
> I would argue that in the case of an essential service that the people
> responsible are not doing their job properly.  Almost anywhere you can
> get internet, you can get a non-internet private IP service.  It may run
> over the same wires, but it is (to some extent) isolated.
>
> There would be some places for unusual reasons this doesn't apply, but
> they would be extremely rare.  We're now talking about a place where you
> can get internet, but not get a private network. It's probably more likely
> the person involved didn't think of all the threats through or they were
> overruled by the bean-counters.
>
> Whenever I see this threat being mentioned on the tellie it always
> frustrates me. I read it as shoddy network engineering. Getting a little
> back on track, the equipment still should be secured because you've only
> removed one attack vector out of many.
>
>   - Craig

A bit like a hypothetic electricity authority securing all their
switchrooms with brand-X padlocks, then discovering that the bad-guys
can use paperclips to pick brand-X padlocks. Solution: shut down anyone
who manufactures paperclips and ban their private ownership, because
they have just become "weapons" (my example is slightly hyperbolic).

Or some genius decides to use WiFi to control their 100T crane remotely.
Then discovers that bad guys can use a bunch of laptops and PDAs etc. to
DDoS their crane - solution: ban all laptops and PDAs etc. because they
have just become "weapons" lying around for the bad guys to point at
innocent crane operators. (slightly less hyperbolic example).

Or what about banning pushbikes from the road, because, you know, some
people transport highly flammable and toxic materials on the road and
the bad guys _could_ use a flock of pushbikes to cause a traffic delay
that _could_ cause the highly toxic materials to burst into flames. I
wouldn't want to be the one living next to the road when that happened..

Private cars can be used in ram-raids...

The list goes on and on...

The guys who operate the big sites being targeted by DDoS attacks need
to work out how to harden their infrastructure against such attacks.
There are a variety of (costly) technical mechanisms that can help.

I would like to see some stats, but the big problems being reported in
this thread are not caused by Internet-facing web servers at home.

Let's face it, DDoS attacks are predominantly caused by people running
Windows on their home PCs. If you want to make the Internet "safer",
banning Windows machines from the Internet is going to get you a lot
closer to the utopia you desire than dissuading people with a certain
desire to DIY (most on this list) from running their own Internet-
facing web servers at home. Those who stand to gain are those who
run, or work for, commercial web-hosting services (and I know that
there are a number of those people, possibly with a slightly different
agenda, on this list).

Cheers,

Bob Edwards.



