[Z1nfandel]

But what you're arguing isn't reality. Show me a source article where someone has compromised a backbone router, and then used it for DDoS. This is almost exactly what I was addressing when I said "Unless you use the power of the NSA to target a single pipe." Even in a hypothetical scenario where you have gotten your hands on one: How long do you think companies are going to let their half million dollar router be consumed for a DDoS before they take notice?

I think its pretty obvious you don't understand how internet traffic really flows, when you think "all I have to do is compromise 600 pc's with a Gb connection and I can launch a 600Gbps DDoS."

[lightedman]

"I think its pretty obvious you don't understand how internet traffic really flows, when you think "all I have to do is compromise 600 pc's with a Gb connection and I can launch a 600Gbps DDoS."

I've been doing networking for 26 years. One of my largest jobs was mitigating Slashdot effect for two high-profile sites. I know very well how a DISTRIBUTED denial of service attack works, can work, and have done many of my own in checking security measures for those whom I consult. Compromising backbone routers is actually fairly simple. Too much reliance upon software stacks and not enough reliance upon sound hardware logic design that's proofed against attack in the first place.

[lsc]

>Compromising backbone routers is actually fairly simple.

Yes, the state of security on routers, even some rather large routers is embarrassing, but when routers have business-critical amounts of bandwidth? they are attached to pagers.

Regardless of what you think of us, the folks attached to the pager, when you start messing with big important routers, at least if you mess with them to the point where it interferes with the business needs of the people who are paying money for said routers? you are going to wake us up. You are going to have a really hard time using these routers for much more than an hour before there is someone on-site trying to fix it.

Sure, the state of security for monitoring is also abysmal. if you wanted to put in per-router effort, I'm sure you could take my pager offline when you take my router offline. but customers will notice, customers will complain, and at almost every place where I've been on pager, there have been alternate routes to get to me. Hell, I once woke up to a very excited office manager shouting and pounding on my door because the whole office was down, I was sleeping in, and my pager wasn't charged. It freaked the hell out of my roommates; the office manager had a thick accent, and was built like someone out of a HK action film. They thought for sure I was gonna get messed up because I owed someone money.

But yeah, I mean, sure, with sufficient subtlety, you could use a small amount of the available bandwidth on a poorly-monitored backbone router. And a lot of them are poorly monitored. But my point is just that once you start using them hard enough that it interferes with the business needs of the people paying for them? Regardless of how terrible the monitoring system is, people will notice. Security isn't the only thing that is embarrassing on those routers; businesses are used to this shit failing, and even if most people don't know what to do beyond turning it off and back on, when there are dollars involved, there are procedures for getting someone who does know how to fix it on-site.