
netsec-sig - Re: [Security-WG] Someone Is Learning How to Take Down the Internet

Subject: Internet2 Network Security SIG

  • From: "Montgomery, Douglas (Fed)"
  • Subject: Re: [Security-WG] Someone Is Learning How to Take Down the Internet
  • Date: Tue, 20 Sep 2016 18:30:56 +0000

I think for this community the excerpts from the article below are
interesting.

"There's more. One company told me about a variety of probing attacks in
addition to the DDoS attacks: testing the ability to manipulate Internet
addresses and routes, seeing how long it takes the defenders to respond,
and so on. Someone is extensively testing the core defensive capabilities
of the companies that provide critical Internet services.

What can we do about this? Nothing, really.”


The supposition that there is nothing that can be done pro-actively about
some of these issues seems false to me. The article notes some systemic
vulnerabilities that are being explored. Take for example the surge of
DDoS reflection attacks (address manipulation).

Understanding where this community stands with respect to technologies
such as source address validation mechanisms (e.g., BCP38/uRPF) would be
interesting.

Taking steps to avoid a massive attack, rather than waiting to try to
react to it (especially if the scale is larger than current attacks),
would seem like “doing something”.

dougm

Doug Montgomery, Mgr Internet & Scalable Systems Research at NIST/ITL/ANTD





On 9/17/16, 5:35 PM, Von Welch wrote:

>Paul,
>
> To me it's not clear that the adversary not changing tactics is worth
>the trade-off of them being able to use the tactics on other potential
>victims (nor that everyone's incentives are aligned). In more conventional
>settings where you aren't worried about the attacks scaling their attacks
>with the ease they can on the Internet, I agree it makes sense. With the
>ease of scaling attacks on the Internet, it's not obvious to me it
>doesn't make sense to make attackers change tactics as often as we can.
>
> But no, I'm not familiar with research or objective evidence either way.
>
>Von
>
>> On Sep 15, 2016, at 9:17 AM, Paul Howell wrote:
>>
>> Von,
>>
>> I was simply referring to the theory that tipping off an adversary by
>>publicly announcing tactics they are using results in an adversary
>>changing tactics to avoid detection. I don't know if this is actually
>>true, do you know of any research that disputes this notion?
>>
>> Regards,
>> Paul
>>
>>
>> -----Original Message-----
>> From: Von Welch
>> Date: Wednesday, September 14, 2016 at 5:26 PM
>> Subject: Re: [Security-WG] FW: Someone Is Learning How to Take Down the Internet
>>
>> Paul,
>>
>>> I wish that the threat indicators were included in this story, but
>>>understand why they are not public.
>>
>> Jumping on a philosophical soapbox for a second, I don't understand why
>>and would enjoy understanding your perspective. I worry that these
>>secrecy practices are holding us back in cybersecurity.
>>
>> Best,
>>
>> Von
>>
>>> On Sep 14, 2016, at 8:43 AM, Paul Howell wrote:
>>>
>>> Hi Everyone,
>>>
>>> I wish that the threat indicators were included in this story, but
>>>understand why they are not public. Certainly if we see anything
>>>threatening, we'll be happy to share with all of you. Hopefully others
>>>will do the same.
>>>
>>> https://www.lawfareblog.com/someone-learning-how-take-down-internet
>>>
>>>
>>> Regards,
>>> Paul
>>>
>>> Paul Howell
>>> Chief Cyberinfrastructure Security Officer
>>> Network Services, Internet2
>>> 100 Phoenix Drive, STE 111
>>> Ann Arbor, MI 48108
>>> Office: 734-352-4212



