RE: Your counsel on defeating DDOS Attacks

[David LeBlanc <dleblanc@microsoft.com>]

> An idea we've bandied about a bit within MITRE is the notion of a "top
> 20 list" of the most serious and commonly exploited vulnerabilities,

I like this idea.  I don't know how you'd establish what was on it, though.
Top 20 tried?  Top 20 used to hack people with?

> It would just so happen that RPC services would dominate the top spots
> for the foreseeable future ;-) but it could also leave room for NT.

I'm sure there's a spot for everyone at some point or another.  Generally,
when I was at ISS, about the time someone started a 'my OS is more secure
than your OS" debate was when their OS would come up with a ghastly bug the
next day.

> The top 20 list could be used to raise the bar by actually defining
> one.  Conformance to the top 20 list then becomes a requirement.  It
> would establish an absolute minimum that anybody should be sure they
> are protected from.  

I like this.  It would also give the auditing and IDS vendors significant
incentive to make sure that their tools contain checks for the top 20.

> Other lists could contain less "important"
> problems, and would imply additional levels of protection.  

It would also help end-users, since the auditing tool vendors all check for
hundreds of items, and users don't always know what to start fixing.
 
> The list
> could be updated on a periodic basis, with input from across the
> community.  As we begin to get a grip on how to model "policy," there
> could be different lists for different policies.

Very interesting ideas.