Bill Cheswick On Internet Security
Franki3 invites our attention to a SecurityFocus interview with Bill Cheswick. He started the Internet Mapping Project in the 90s; you have probably seen the maps that resulted. The interview ranges over firewalling, logging, NIDS and IPS, how to fight DDoS, and the future of BGP and DNS. From the interview: "I have been impressed with the response of the network community. These problems, and others like security weaknesses, security exploits, etc., usually get dealt with in a few days. For example, the SYN packet DOS attacks in 1996 quickly brought together ad hoc teams of experts, and within a week, patches with new mitigations were appearing from the vendors. You can take the Internet down, but probably not for very long."
Re:Root Servers (Score:5, Informative)
The problem with this (as the WP article points out) is that it's virtually useless for stateful connections like TCP, so it's not useful for load balancing web servers and other things of that nature. But since DNS uses UDP, it doesn't matter if one packet goes to one server, and then the routers decide to send the next one to a different server with the same IP. This means you don't need the usual NAT system that would be required in order to load-balance an HTTP farm: most of that is really only needed because you need to keep the various connections between clients and servers sorted out. When you're using a stateless protocol, it's a lot simpler.
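An added toy model of the point made in the comment above (example code, not from the original thread or from any real DNS or router implementation). Several replicas announce one anycast address; a router that picks a replica per packet breaks a TCP handshake, because the replica that receives the ACK has no state for the flow and answers RST, while UDP DNS queries are answered correctly no matter which replica each packet reaches. A second router that pins a flow to one replica by hashing the client tuple (the role the comment's "usual NAT system" or load balancer plays) makes the same handshake succeed. Replica names, zone data, client address and the packet representation are all made up here; real ECMP routers usually hash on the flow tuple too, which is why TCP over anycast does work in practice for many CDNs, but the model follows the comment's per-packet assumption to show why that pinning matters.

```python
"""Toy anycast model: one IP, several replicas, routers choose where each packet goes.

Added illustration, not code from the page. All names, addresses and zone
data below are constructed for the example (RFC 5737 documentation ranges).
"""
import itertools
import zlib
from dataclasses import dataclass, field

ANYCAST_IP = "192.0.2.53"  # the shared service address every replica announces


@dataclass
class Replica:
    """One physical server behind ANYCAST_IP.

    The zone is static data every replica carries a copy of, so UDP answers
    are the same from any of them. The TCP state table is per replica and is
    never shared: only the server that saw the SYN knows about the flow.
    """
    name: str
    zone: dict
    tcp_state: dict = field(default_factory=dict)

    def udp_dns(self, client, qname):
        # Stateless: the reply depends only on the question and the zone copy.
        return self.zone.get(qname, "NXDOMAIN")

    def tcp(self, client, flags):
        # Minimal 3-way handshake keyed by the client's (addr, port).
        if flags == "SYN":
            self.tcp_state[client] = "SYN_RECEIVED"
            return "SYN-ACK"
        if flags == "ACK" and self.tcp_state.get(client) == "SYN_RECEIVED":
            self.tcp_state[client] = "ESTABLISHED"
            return "ESTABLISHED"
        # Segment for a flow this replica never saw: a real stack replies RST.
        return "RST"


class PerPacketRouter:
    """The comment's scenario: consecutive packets may reach different replicas."""

    def __init__(self, replicas):
        self._cycle = itertools.cycle(replicas)

    def forward(self, client, packet):
        return next(self._cycle)


class FlowPinnedRouter:
    """The load-balancer/NAT alternative: hash the client tuple so every packet
    of one flow lands on the same replica. crc32 is used only for determinism."""

    def __init__(self, replicas):
        self._replicas = list(replicas)

    def forward(self, client, packet):
        idx = zlib.crc32(f"{client[0]}:{client[1]}".encode()) % len(self._replicas)
        return self._replicas[idx]


ZONE = {"www.example.": "198.51.100.10", "mail.example.": "198.51.100.25"}


def build_replicas():
    """Three replicas in different sites, all serving the same zone copy."""
    return [Replica("dns-nyc", ZONE), Replica("dns-lon", ZONE), Replica("dns-tyo", ZONE)]


def dns_over_anycast(router, client, names):
    """One UDP query per name; returns (answers, name of the replica that served each)."""
    answers, served_by = [], []
    for qname in names:
        replica = router.forward(client, ("UDP", qname))
        answers.append(replica.udp_dns(client, qname))
        served_by.append(replica.name)
    return answers, served_by


def tcp_over_anycast(router, client):
    """SYN, then ACK, each routed independently; returns (outcome of the ACK, path)."""
    first = router.forward(client, ("TCP", "SYN"))
    if first.tcp(client, "SYN") != "SYN-ACK":
        raise RuntimeError("replica did not accept SYN")
    second = router.forward(client, ("TCP", "ACK"))
    return second.tcp(client, "ACK"), (first.name, second.name)


if __name__ == "__main__":
    client = ("203.0.113.7", 40001)
    print(dns_over_anycast(PerPacketRouter(build_replicas()), client, list(ZONE)))
    print(tcp_over_anycast(PerPacketRouter(build_replicas()), client))   # RST
    print(tcp_over_anycast(FlowPinnedRouter(build_replicas()), client))  # ESTABLISHED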
I was pretty impressed with it, too.