On 2011-09-16 04:28, Invisible wrote:
>>> Sometimes I think it would be nice if there was a widely-supported
>>> standard for configuring the firewall at the /other end/ of the last
>>> mile to drop certain packets. But anyway...
>>
>> A DDoS needs to be extremely big for an ISP to notice one of its
>> customers is under attack. And you need a special business relationship
>> to be able to call them up and ask that they block a certain type of
>> traffic at the head end.
>
> Quite. I did actually hear about a guy having to spend ages on the phone
> to their ISP to ask for firewall configuration changes.
>
> Now imagine if there were a standard, widely-implemented system for
> letting the customer make those configuration changes themselves...
> Let's face it, the ISP's routers are almost certainly remote-manageable
> anyway. If the unwanted packets can be blocked at the entrance to the
> ISP's network, they can save themselves the bother of having to route a
> bunch of traffic. (Although the amount of data you can fire at one
> customer is probably peanuts compared to the ISP network capacity.)
>
> Ah well, dream on...
Then it would take 2.5 nanoseconds for a hacker to steal your
credentials and make those changes for you. BLAM! Total denial of service.
Some IDS/IPS vendors have programmed routines in their systems that can
automatically change firewall rules in the event that they detect an
attack, yet the majority of installations leave this feature turned off
because people are afraid of false alerts blocking valid traffic, and
having HAL in control of the pod bay doors.
I'm sure ISPs feel the same way about having their customers be able to
play with their firewall configs.
--
/*Francois Labreque*/#local a=x+y;#local b=x+a;#local c=a+b;#macro P(F//
/* flabreque */L)polygon{5,F,F+z,L+z,L,F pigment{rgb 9}}#end union
/* @ */{P(0,a)P(a,b)P(b,c)P(2*a,2*b)P(2*b,b+c)P(b+c,<2,3>)
/* gmail.com */}camera{orthographic location<6,1.25,-6>look_at a }