CalvinK Posted June 4, 2016 Posted June 4, 2016 1 hour ago, Safety1st said: Blocking outgoing connections using ACLs is NOT suitable because too complicated. Security through obscurity is the first step to protection definitely. I don't understand why developers argue instead of making it. 1. Just because something is too complicated, it doesn't mean it is not suitable. Configuring your servers to stop DDOSing is not an easy task, but this should be dealt with at the server level. 2. Security through obscurity is discouraged by all the standards bodies. The National Institute of Standards and Technology specifically recommends against this practice. 3. They are the developers of the product. Why create extra code (against the standards bodies' advice) to do something that quite frankly could be dealt with at a server level? The server does this job better than IPS could. As a paying customer I would rather they spent their time more productively on features that are missing since I upgraded to 3.4, instead of something that server admins should be dealing with at server level.
Safety1st Posted June 4, 2016 Posted June 4, 2016 7 minutes ago, CalvinK said: Just because something is too complicated, it doesn't mean it is not suitable. Suitable – right or appropriate for a particular person. I believe for most of customer it isn't. 10 minutes ago, CalvinK said: this should be dealt with at the server level You can't protect server on its level from L4 attacks. Reverse proxy could do that as long as backend IP stays unknown. 13 minutes ago, CalvinK said: Why create extra code They do this all the time It depends on opinion 16 minutes ago, CalvinK said: I would rather they spent their time more productively on features that are missing since I upgraded to 3.4 I do not care about that features. Everyone has his own priorities.
Management Lindy Posted June 4, 2016 Management Posted June 4, 2016 2 hours ago, Safety1st said: Totally agree with @Callum MacGregor! Blocking outgoing connections using ACLs is NOT suitable because too complicated. And even access to IPS network could not be configured using them because of too wide range: 52.0.0.0/8, 54.0.0.0/8 and 50.28.0.0/16 which 'can change at anytime'. Every plugin could have arbitrary resources to access and so on. It is not suitable. Security through obscurity is the first step to protection definitely. The only real solution is using proxy for outgoing connections is too expensive. Especially for small communities or/and which are run as a hobby. And we want from IPS the most simple thing: disable avatar uploading from URL and allow auto-embedding images per whiltelist only. I don't understand why developers argue instead of making it. That's not even a little true. The only thing that can directly access any of the backend instances that power this community is the network appliances and traffic to that is filtered. The IPs of the backend instances would do you absolutely no good and that is a proper setup and the ultimate solution. Whether that fits within your budget, of course, is another matter entirely, but application proxies are not our answer. If your site is particularly vulnerable and prone to attacks, you can of course shut off remote images and this should solve your concern.
CalvinK Posted June 4, 2016 Posted June 4, 2016 1 hour ago, Safety1st said: Suitable – right or appropriate for a particular person. I believe for most of customer it isn't. You can't protect server on its level from L4 attacks. Reverse proxy could do that as long as backend IP stays unknown. They do this all the time It depends on opinion I do not care about that features. Everyone has his own priorities. 1. It's ultimately a similar thing to being able to backup a database through IPS software. It might be convenient or "easier" for a customer, but it is not suitable or "right". Neither is this. 2. You can't protect a server through the mantra of "security through obscurity" and hoping that someone doesn't get hold of your server IP. 3. You part-quoted me. Here is the full quote: Why create extra code (against the standards bodies' advice) to do something that quite frankly could be dealt with at a server level? You're essentially asking for IPS to encourage ignoring the advice of standard bodies. Opinion doesn't come into it - security through obscurity is widely discouraged as a form of protection. 4. Good for you. But ultimately you could resolve your priorities yourself without IPS wasting their time creating something because people can't be bothered to configure servers correctly. Time that could be better spent doing other things.
Kevin Carwile Posted June 4, 2016 Posted June 4, 2016 29 minutes ago, CalvinK said: Opinion doesn't come into it - security through obscurity is widely discouraged as a form of protection. This sentiment keeps being regurgitated in this thread and is absurd. There is nothing wrong with obscurity. Quit saying this. Why do you think safes arent see through? Why do you think people hide them in walls and floorboards. What security minded people might say is that using obscurity as your ONLY form of protection is not a sound strategy. Like hiding valuables in a sock drawer. But taking that to mean that implementing a level of obscurity into a protection plan is somehow discouraged or not a good idea... well then there is an obvious fundamental misunderstanding of what security is.
Colonel_mortis Posted June 4, 2016 Posted June 4, 2016 My site is one that is particularly targeted by DDoS attacks, because it is a tech website, so if someone gets annoyed, or is just bored, they are much more likely to have the technical knowledge required to launch an attack (not that much knowledge is required to pay for access to a botnet). Having cloudflare helps a lot, and while we do have other mitigation techniques in place, cloudflare is 100% effective at L3/4 attacks, and it's L7 mitigation mode, while intrusive, is effective. Prior to activating the L7 mitigation, the attacks that we have had recently have caused all sorts of things to fail, and the attacks have been distributed enough that separating legitimate traffic from the attack would not be easy to do without the interstitial that cloudflare uses, so local mitigation would not be effective. I know this isn't an issue that affects the majority of customers, but leaking the back end ip is an issue, and I have had to route all outbound traffic via a proxy to prevent the large number of ways that an attacker could gain our ip address. Security through obscurity is not the best solution, but that doesn't mean that you should make the information public, just that you should try to avoid it being an issue if it is disclosed.
Safety1st Posted June 4, 2016 Posted June 4, 2016 6 hours ago, Lindy said: If your site is particularly vulnerable and prone to attacks, you can of course shut off remote images and this should solve your concern. I prefer to use dedicated services for images and serve locally more valuable content. 6 hours ago, CalvinK said: It's ultimately a similar thing to being able to backup a database through IPS software. It might be convenient or "easier" for a customer, but it is not suitable or "right". Neither is this. 6 hours ago, Lindy said: That's not even a little true. I started my community 1/14/2016 in IPS Cloud. 31/1/2016 after the first DDoS attack site was suspended due to their 'zero tolerance policy': Now tell me why commercial service absolutely not protected against attacks? Why I have to buy full license and to run self-hosted community instead of using SaaS that was perfect for me? And the same people stay telling me that site should be secured properly... I had too much problems and had to change hosting company 3 times until I disabled avatar uploading from URL and embedding. Hiding backend IP is not a solution, it is a basic workaround and it works perfectly.
CalvinK Posted June 4, 2016 Posted June 4, 2016 7 hours ago, Kevin Carwile said: What security minded people might say is that using obscurity as your ONLY form of protection is not a sound strategy. If you have a level of protection that prevents DDOS attacks then why do you think IPS needs to implement obscurity? It's a complete waste of their time. The fact is that some people want IPS to implement it so they don't have to properly configure their server or pay out for DDOS protection. It is not IPS's job to secure a third party server.
RevengeFNF Posted June 4, 2016 Posted June 4, 2016 7 hours ago, CalvinK said: If you have a level of protection that prevents DDOS attacks then why do you think IPS needs to implement obscurity? It's a complete waste of their time. The fact is that some people want IPS to implement it so they don't have to properly configure their server or pay out for DDOS protection. It is not IPS's job to secure a third party server. DDOS protection comes at a cost, its not only configuration... If your server have 1Gbit ethernet port and i lauch an attack of 5Gbit, your ethernet prot will be saturated, no matter what configurations you have. I have tested this many times, believe me Not everyone have the money to invest in Anti DDOS, so obscurity can be a valid solution. I also obscure my IPS Password from other people
CalvinK Posted June 5, 2016 Posted June 5, 2016 15 hours ago, RevengeFNF said: DDOS protection comes at a cost, its not only configuration... If your server have 1Gbit ethernet port and i lauch an attack of 5Gbit, your ethernet prot will be saturated, no matter what configurations you have. I have tested this many times, believe me Not everyone have the money to invest in Anti DDOS, so obscurity can be a valid solution. I also obscure my IPS Password from other people The point is that obscurity is not a valid solution, and security experts even say that relying on obscurity is not to be encouraged. Obscuring a server IP will not stop a determined person who wants to DDOS a server. Only anti DDOS will. People shouldn't be relying upon obscurity to secure a server IP against a DDOS. As for passwords, that's a completely different thing.
RevengeFNF Posted June 5, 2016 Posted June 5, 2016 9 minutes ago, CalvinK said: The point is that obscurity is not a valid solution, and security experts even say that relying on obscurity is not to be encouraged. Obscuring a server IP will not stop a determined person who wants to DDOS a server. Only anti DDOS will. People shouldn't be relying upon obscurity to secure a server IP against a DDOS. As for passwords, that's a completely different thing. Why IPS encourage clients to obscure their ACP folder? For security reasons, if no one knows the name of the folder, they can't try to exploit it. Same thing with IP, if no one knows your server IP, its impossible for them to launch a layer 3/4 attack to it. Period. I have not said people should only use that line of defense, they should use others, but that one is a very valid one.
Recommended Posts
Archived
This topic is now archived and is closed to further replies.