
Net security from one of the fathers of the biz

Bill Cheswick on firewalls, logging, DDOS, and the future of security

What do you think about reactive firewalls, also known as IPS (Intrusion Prevention Systems)?

Bill Cheswick: Reactive security is an idea that keeps popping up. It seems logical. Why not send out a virus to cure a virus, for example? How about having an attacked host somehow stifle the attacker, or tell a firewall to block the noxious packets?

These are very tricky things to do, and the danger is always that an attacker can make you DOS yourself or someone else. As an attacker, I can make you shut down connections by making them appear to misbehave. This is often easier than launching the original attack that the reactive system was designed to suppress (by the way, this happens a lot in biological immune systems as well. There are a number of diseases that trigger dangerous or fatal immune system responses).

So I am skeptical about these systems. They may work out, but I want to keep an eye on the actual user experiences with these.
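An added illustration of the self-DoS hazard described above (example code written for this page, not from the interview or any IPS product). It compares a naive auto-blocker that counts every "misbehaving" packet by source address with a hardened one that only counts evidence an attacker cannot forge blindly, never blocks allowlisted infrastructure, and bounds the block list. The traffic, threshold, allowlist and addresses are constructed.

```python
from collections import Counter

THRESHOLD = 3      # hypothetical: bad packets from one source before it is blocked
MAX_BLOCKED = 2    # hypothetical: bound on the block list, limits collateral damage

# Constructed sample traffic. "established" means the event came from a TCP
# session that completed its handshake, so the source address was not forged
# blindly. 203.0.113.7 is our own DNS resolver; an attacker is sending spoofed
# packets with that source to make the reactive system cut us off from it.
EVENTS = [
    {"src": "203.0.113.7", "established": False, "bad": True},
    {"src": "203.0.113.7", "established": False, "bad": True},
    {"src": "203.0.113.7", "established": False, "bad": True},
    {"src": "192.0.2.5", "established": False, "bad": True},   # random forged source
    {"src": "192.0.2.5", "established": False, "bad": True},
    {"src": "192.0.2.5", "established": False, "bad": True},
    {"src": "198.51.100.9", "established": True, "bad": True},  # genuine misbehaving host
    {"src": "198.51.100.9", "established": True, "bad": True},
    {"src": "198.51.100.9", "established": True, "bad": True},
    {"src": "192.0.2.44", "established": True, "bad": False},  # normal client
]


def naive_block(events, threshold=THRESHOLD):
    """Block any source that exceeds the threshold, trusting the header address.
    A spoofing attacker chooses which addresses end up here."""
    counts = Counter(e["src"] for e in events if e["bad"])
    return {src for src, n in counts.items() if n >= threshold}


def hardened_block(events, allowlist, threshold=THRESHOLD, cap=MAX_BLOCKED):
    """Three safeguards against being turned into a self-DoS tool:
    1. only count events whose source is known not to be forged (handshake done);
    2. never block addresses on the allowlist (resolvers, upstream routers, peers);
    3. cap the block list, keeping only the worst offenders."""
    counts = Counter(e["src"] for e in events if e["bad"] and e["established"])
    candidates = [(n, src) for src, n in counts.items()
                  if n >= threshold and src not in allowlist]
    candidates.sort(reverse=True)                     # worst offenders first
    return {src for _, src in candidates[:cap]}


if __name__ == "__main__":
    print("naive   :", sorted(naive_block(EVENTS)))
    print("hardened:", sorted(hardened_block(EVENTS, allowlist={"203.0.113.7"})))
```

The naive policy blocks the resolver and a forged bystander on the attacker's say-so; the hardened policy blocks only the host that actually completed sessions and misbehaved.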

What is the state of research in network security? What attracts funds? What is considered a promising technology?

Bill Cheswick: A lot of the easy stuff has been done, and even beaten to death commercially. I have been intrigued by new work in a few areas.

  • There is a lot of activity on virtual machines of various sorts, like VMware and Xen, for example. I think these have a lot of potential, especially with better hardware support. VMs are a nice sandbox for necessary but dangerous client software, like browsers and mail readers. They can be used to improve testing of operating systems, which I would like to see more of.
  • Google for "strider honey monkeys". This is a nice paper about a proactive project at Microsoft research to go find browser exploits on evil sites. It has found a number of day-zero and other exploits, which they fed into the developers and legal department. I understand this work has been turned over to production. A nice job.
  • I was excited by the SANE paper at Usenix from some crackerjack folk at Stanford. It is a rethinking of intranet design, completely replacing the end-to-end principle with centralised control. This is bad for research and new internet technologies, but it may be exactly what a military network needs, and maybe useful for corporate deployment. There are open questions, but it is quite promising.

I am not that well connected with current funding streams to be able to answer that question well.

How will the internet change with the increasing resources that common people have access to? For example, a blind spoofing attack could become more feasible with broadband access to the internet, and there are some countries where you can easily and cheaply get a 100Mbps connection. Same thing for DDoS via botnets, if each host got a 100Mbps...

Bill Cheswick: This has already happened some time ago. Parts of the Far East have efficient home wiring, and computers there are often used in staging attacks because they have high bandwidth. This has become such a problem that some people just drop all email from China, since it can be a major source of spam connections, and many people don't know anyone there.

Spoofing of attacks continues, but I am told that the spoofing rates are down. For DDoS, why spoof when there are tens of thousands of source addresses?

For almost all users the computer and the network have far more potential than the average user employs almost all of the time. Common computers have cycle times six times greater than the million dollar Cray we had at Bell Labs in the early 90s. The Cray still wins in some performance areas, but in many it does not. What does an average user do with this compute power? Powerpoint and word processing don't need nearly this much power. Some multimedia and many games do use this power.

So miscreants use the computer and the network connections of average users for their own uses, being careful not to bother the owner. That's why viruses these days don't tend to do nasty things like erase hard drives, though they certainly could if they wished.

These compromised machines are very useful for making money, through spam delivery, phishing sites, DDoS extortion attacks, etc. The incentives are strong, and I expect this misuse to continue. I hope the population of susceptible machines will decline as Vista gets deployed and the early kinks get ironed out.

The big change in the internet is going to be greatly increased multimedia delivery. An hour television show at 720p is about 5GB. People are going to want to share these with friends, and providers are grappling with new delivery mechanisms, perhaps permanently replacing broadcast TV.

What is the more promising path to fight DDoS?

Bill Cheswick: I have no definitive answer for this. I can imagine a world of robust, worm-free software. Engineering, experience, and the right economic motives can bring this about. But any public server can be abused by the public. Are the flood of queries to CNN the result of breaking news, or a focused DDoS attack? Even if it is breaking news, I could imagine that the news might be created explicitly to flood the site. How would we know?

I see no theoretical possibility of doing anything more than mitigating attacks, and ultimately throwing large amounts of computing and network capacity at the problem, which is what all the most popular targets do.
