HP touts software to slow computer worms


MacBytes
Dec 1, 2004, 04:23 PM
Category: News and Press Releases
Link: HP touts software to slow computer worms (http://www.macbytes.com/link.php?sid=20041201172314)
Posted on MacBytes.com (http://www.macbytes.com)

Approved by Mudbug

Mudbug
Dec 1, 2004, 04:23 PM
we call it OS X server, but that's a different argument for a different day.

shamino
Dec 2, 2004, 10:27 AM
Limiting the rate of TCP connection establishment is a great idea, but I think it really needs to be running in routers, not in people's PCs. The people making the worms aren't stupid. They'll soon write a worm that can seek out and destroy HP's "throttler" (much like those that actively seek out and destroy antivirus software today) and we'll be back where we started.

Now, if this would be implemented in those gateway routers that everybody has (or should have) on their broadband connections, it would be a lot harder for worms to defeat the rate limiting.

And you don't need to detect an attack. Impose the limit all the time. Just impose a hard limit of 60 TCP connection creations per minute, on a sliding window basis. Although web surfing does tend to create connections in bursts of several per second when opening pages, over time, the number of connections created is typically very low. 60 per minute is plenty for a single web surfer, and will probably not impact three or four. (And if your home LAN hits this limit, the limit can be a configurable value.)

ISP's could implement the same thing in their customer-facing edge routers. Of course, you wouldn't impose the limit on an entire router, since a router may serve hundreds of customers with thousands of computers. But you can impose the limit on a per-port basis (if each customer gets one port) or on a per-IP-address basis (if customers share ports.)
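The sliding-window rule described in this post, as an added example (not code from the thread, from HP's product, or from any router vendor): a per-source limiter fed constructed SYN timestamps, with the 60-per-minute limit and the window length as parameters. The source addresses and traffic shapes are made up for the demonstration.

```python
"""Sliding-window limit on new TCP connections per source address.

Added example modelling the rule from the post: at most 60 connection
creations per minute, counted over a sliding window and enforced per
source IP (a gateway could key on port instead). Not HP's code.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 60.0
MAX_NEW_CONNECTIONS = 60   # configurable, as the post suggests for busy LANs


class ConnectionRateLimiter:
    """Per-source sliding-window counter of connection-establishment attempts."""

    def __init__(self, limit=MAX_NEW_CONNECTIONS, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)   # src key -> timestamps of allowed SYNs

    def allow(self, src, ts):
        """Return True if a SYN from `src` at time `ts` may proceed."""
        q = self._events[src]
        # Expire creations that have slid out of the window.
        while q and ts - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False          # over the limit: SYN is dropped, not counted
        q.append(ts)
        return True


def apply_limit(events, limit=MAX_NEW_CONNECTIONS, window=WINDOW_SECONDS):
    """Map each source to (allowed, dropped) for a list of (timestamp, src) SYNs."""
    limiter = ConnectionRateLimiter(limit, window)
    counts = defaultdict(lambda: [0, 0])
    for ts, src in sorted(events):
        counts[src][0 if limiter.allow(src, ts) else 1] += 1
    return {src: tuple(c) for src, c in counts.items()}


# Constructed traffic (hypothetical addresses): a browser opening three pages,
# each a burst of 12 SYNs within 0.6 s, pages 20 s apart; and a scanning host
# firing 10 SYNs per second for 30 s.
BROWSER = [(page * 20.0 + i * 0.05, "192.0.2.10") for page in range(3) for i in range(12)]
SCANNER = [(t / 10.0, "192.0.2.66") for t in range(300)]

if __name__ == "__main__":
    for src, (ok, dropped) in apply_limit(BROWSER + SCANNER).items():
        print(f"{src}: {ok} allowed, {dropped} dropped")
```

The browser's bursts all pass because they total 36 creations in the minute, while the scanner is capped at 60 and the remaining 240 SYNs are dropped; dropped SYNs are not counted, so the host recovers as soon as the window slides.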

wrldwzrd89
Dec 2, 2004, 10:40 AM
This technology should be put into XORP (http://www.businessweek.com/technology/content/nov2004/tc20041129_5206_tc024.htm) to really make it shine. Only snag is the licensing.

shamino
Dec 3, 2004, 10:21 AM
Rate-limiting of various kinds is available in most real routers (not the toys you buy to connect three PCs to a DSL line but the ones service providers use to connect thousands of customers to a backbone.) Whether they specifically support this kind of rate-limiting (new TCP connections and nothing else) I don't know.

As for Xorp itself, that Businessweek article doesn't know what it's talking about. If anybody seriously thinks that a software package on a PC (or any other general-purpose computer) can replace a hardware router in any situation other than the most trivial, they simply have no idea what they're talking about.

This has nothing to do with the quality of the software. The PCI bus (and the rest of the I/O architecture) has pathetically low bandwidth compared to a router's backplane. Four or five ports of 100M Ethernet can saturate a PC's entire capacity if software is forwarding the packets. If you have expensive line cards that can bypass the CPU and forward packets directly over the PCI bus, you might be able to push a PCI bus to 10 ports. In comparison, the router in the office where I work has around 200 ports, and all of them can simultaneously move traffic at full 100M line-rate.

And I haven't even mentioned the other things that are critical for serious routers - redundant power supplies, redundant processors, redundant fault-tolerant line cards, all components hot-swappable, etc.

The price of a router's system software could drop to zero and it would have virtually no impact on what companies like Cisco and Juniper charge for their equipment.

Xorp is an interesting research project, but it doesn't stand a chance if anyone thinks it will herald in a new era of dirt-cheap high-capacity routers.