RE: Denial of service

[David C Niemi <niemi () tux org>]

On Thu, 20 Aug 1998, Ted Doty wrote:
> At 03:01 PM 8/19/98 -0400, David C Niemi wrote:
> > Nowadays a lot of companies have mission-critical applications which
> > *depend on* the Internet.  And for good business reasons, like making or
> > saving a lot of money.  Does this mean they expect to have 100% uptime for
> > these applications?  Does this mean you should gratuitously rely on the
> > Internet for critical communications?  Of course not.  But they do want
> > their availability to be high, and disconnecting from the Internet makes no
> > economic sense. 
>
> Probably the only example of a mission critical application that depends on
> the Internet is Internet-based electronic commerce.  Leaving asside the
> tautological aspect of this as an example, I have never heard of an
> sizeable business plan that depended solely on Internet ecommerce getting
> funded by venture capital - the technology is too new for the risks of this
> strategy to be well understood.

You must work for a bank or a secret agency ;^)  Nowadays almost all large
organizations and many smaller ones nowadays have web sites that management
considers mission-critical, even if they only provide general information
to the public.  And a great number of business functions rely on the
Internet for gathering information and e-mail.  E-commerce per se is just
one of many extremely valuable services which inherently must rely on the
Internet.


> ECommerce is great as a new area that augments existing revenue streams.
> However, the fact remains that a sufficiently clever attacker could disrupt
> your system for days, and possibly weeks.  That'd probably would get the
> law enforcement community involved, but heck, people blow up embassies.

Not Very Often.  As someone else pointed out, this business is about risk
management, not risk elimination.  There are many theoretically possible
(and occasionally real) attacks which even state-of-the-art Internet
security techniques can't guard against; but for each one of these that
occurs there are dozens of simplistic attacks which cause damage due to
extreme negligence in making Internet-connected equipment secure and
robust. 

If you mean that Internet connections need to be segregated from critical
internal systems, I see your point; once done properly the DoS attacks you
refer to for taking down Internet connections have no realistic opportunity
to impact purely internal systems.  But that is very different from
completely severing oneself from the Internet.

---  David C Niemi ---niemi at tux.org---  Reston, Virginia, USA  ---
           Da mihi sis crustum Etruscum cum omnibus in eo.