<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>.:Computer Defense:. &#187; Security</title>
	<atom:link href="http://www.computerdefense.org/category/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.computerdefense.org</link>
	<description>Sharing my thoughts with the world.</description>
	<lastBuildDate>Tue, 11 Jan 2011 02:01:48 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>Are Security Efforts Misplaced?</title>
		<link>http://www.computerdefense.org/2011/01/are-security-efforts-misplaced/</link>
		<comments>http://www.computerdefense.org/2011/01/are-security-efforts-misplaced/#comments</comments>
		<pubDate>Tue, 11 Jan 2011 02:01:48 +0000</pubDate>
		<dc:creator>Tyler Reguly</dc:creator>
				<category><![CDATA[IT]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.computerdefense.org/?p=962</guid>
		<description><![CDATA[Warning... this is a bit of a disjointed rant! I won't reveal the person's name, but recently I chuckled when reading a Facebook status update from someone I knew in high school. His comment was along the lines of, "My boss asked me to label our switches with their IPs, so I asked if we [...]]]></description>
			<content:encoded><![CDATA[<p>Warning... this is a bit of a disjointed rant!</p>
<p>I won't reveal the person's name, but recently I chuckled when reading a Facebook status update from someone I knew in high school. His comment was along the lines of, "My boss asked me to label our switches with their IPs, so I asked if we should post the configs along with the usernames and passwords on the internet. My boss has a wonderful concept of 'security'".</p>
<p>This person is a graduate of a post-secondary computer program, probably not unlike the program that I graduated from and now teach in. I want to know who, during his education, said "labels are insecure" and drove this idea into his head to the point that he would call out his boss on Facebook over it. I want to know who this professor is because I want to see them stripped of their right to teach.</p>
<p>However, if we ignore that someone is passing along incorrect information, this seems to be part of a larger issue. I noticed numerous comments on Facebook laughing at the status update, perhaps by people that know nothing about computers but, even worse, they might be people that work in IT. I have to ask myself as a security professional and as a security professor if all of my efforts are wasted. Do we really have people working for companies that feel proper security means not labelling equipment?</p>
<p>I then realized that this is likely part of a larger problem. We have people everywhere doing jobs that they aren't trained for and aren't prepared for. As we focus more and more on security, we are forcing developers, network admins and sys admins to focus on security, but we're never telling them what matters and what is involved in security. It's not unlike when I took my first job after I graduated and cried my first day. The previous sys admin had enabled WEP on their wifi ("for security") but had also put their Win 2K box, acting as a DC and running Exchange 2K, directly onto the internet. Not even a Linksys router in the way, just straight into the DSL modem.</p>
<p>So are we wasting our efforts? Is there any point in looking at security when there are so many SMBs that have a single IT person or an outside consultant who has no idea what to do? A lot of people dislike standards like PCI, but maybe this first step, a simple checklist, is exactly what we need. Maybe instead of user awareness training, we need to start talking about IT grunt training, because how do we have the users trained if their likely trainers don't know what's going on?</p>
<p>If I were told it was a security risk to write IPs on switches, I'd really have to ask why someone is able to get access to the switches in the first place. That would be the real security risk... who cares about the IP if someone has physical access.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.computerdefense.org/2011/01/are-security-efforts-misplaced/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>What is Ethical?</title>
		<link>http://www.computerdefense.org/2009/08/what-is-ethical/</link>
		<comments>http://www.computerdefense.org/2009/08/what-is-ethical/#comments</comments>
		<pubDate>Mon, 10 Aug 2009 05:37:45 +0000</pubDate>
		<dc:creator>Tyler Reguly</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[dave maynor]]></category>
		<category><![CDATA[kurt wismer]]></category>
		<category><![CDATA[polypack]]></category>
		<category><![CDATA[roel schouwenberg]]></category>

		<guid isPermaLink="false">http://www.computerdefense.org/?p=823</guid>
		<description><![CDATA[If one of my college professors stumbled across this post she'd probably have a heart attack, since she taught an entire course on ethics. Yet it seemed like the most appropriate title for this post. Over the years, how many countless inventions have improved mankind, yet have introduced a negative side effect? The gun [...]]]></description>
			<content:encoded><![CDATA[<p>If one of my college professors stumbled across this post she'd probably have a heart attack, since she taught an entire course on ethics. Yet it seemed like the most appropriate title for this post.</p>
<p>Over the years, how many countless inventions have improved mankind, yet have introduced a negative side effect? The gun provides a means to hunt and defend more efficiently, yet it also provides a means to kill with ease. The plane decreased travel times, then someone thought to attach a bomb and fly over a target. Water is a basic necessity to life and even it has been <a href="http://www.youtube.com/watch?v=qUkj9pjx3H0">used for evil</a>.</p>
<p>Now <a href="http://anti-virus-rants.blogspot.com/2009/08/research-isnt-always-victimless.html">according to Kurt Wismer</a> the inventors of these (we'll leave water out of this since I don't want to start a religious debate) should feel responsible when they are used for evil. That means that the Wright Brothers should have felt shame every time a bomb was dropped from a plane. I can't help but feel that's more than a little preposterous.</p>
<p>This all stems from <a href="http://threatpost.com/blogs/some-researchers-lack-basic-ethics">a post</a> by Kaspersky researcher, Roel Schouwenberg, discussing the lack of ethics in certain researchers. It seems that Roel finds it irresponsible for <a href="https://polypack.eecs.umich.edu/">PolyPack</a> to be considered valid research, especially research coming from academia. Dave Maynor responded to the post with <a href="http://erratasec.blogspot.com/2009/08/astroturfing-av-when-wolves-guard-hen.html">his own write-up</a> and that prompted Kurt's response.</p>
<p>So what is PolyPack? It's a research project out of the University of Michigan which has created a frontend that allows you to submit binaries for testing. These binaries are packed with 10 different packers and tested against 10 AV engines. I happen to think that this is a great project that serves to highlight the many shortcomings of signature-based AV detection. I'm also not the only one that feels this way, as the paper was selected to be presented at <a href="http://www.usenix.org/events/woot09/tech/">WOOT '09</a>.</p>
<p>So what's the unethical part of this research project? If it's about the use of packers to bypass AV, then I have something to share with Kurt and Roel. That's not a secret! It's fairly well known... it was mentioned in <a href="http://pauldotcom.com/wiki/index.php/Episode125#Tech_Segment:_Bypassing_Anti-Virus_Software_The_Script-Kiddie_Way">PaulDotCom podcast #125</a> and I'm also pretty sure I've heard HD Moore mention it during a metasploit training session. So what's left? They haven't released some super secret l33t h4X0r script that will cause every computer in the world to simultaneously self destruct nor have they reprogrammed our TiVos to record nothing but soap operas. There's only one possible answer left, and it's the conclusion that Maynor reached... they're making signature based AV look bad.</p>
<p>So in the end, I pose the title of this post as a question to everyone. What is ethical? Is it ethical to release research that <em>may</em> be used for evil? Or is it more unethical to sit on that research and keep it private, waiting for the bad guys to stumble upon it for themselves? Although in this case the bad guys are probably well aware of packers, which makes this somewhat of a moot point; in the end, if they were really desperate, they could even pack their binaries themselves and upload them to VirusTotal to see how well they do.</p>
<p>So again I'll attempt to close out this article. What is ethical? Personally I think sharing your research and working towards the betterment of technology is ethical and that sitting back and waiting for the bad guys to beat you to the punch is highly unethical.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.computerdefense.org/2009/08/what-is-ethical/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>SSH Brute Force Attempts &#8212; GeoLocation</title>
		<link>http://www.computerdefense.org/2009/08/ssh-brute-force-attempts-geolocation/</link>
		<comments>http://www.computerdefense.org/2009/08/ssh-brute-force-attempts-geolocation/#comments</comments>
		<pubDate>Tue, 04 Aug 2009 04:06:49 +0000</pubDate>
		<dc:creator>Tyler Reguly</dc:creator>
				<category><![CDATA[IT]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[brute force]]></category>
		<category><![CDATA[geolocation]]></category>
		<category><![CDATA[sshd]]></category>

		<guid isPermaLink="false">http://www.computerdefense.org/?p=809</guid>
		<description><![CDATA[A couple of weeks ago, I posted regarding the logs of some SSH brute force attempts I had logged on my server, and was looking through. One of the comments was asking for geolocation of the IP Addresses. Tonight I decided to make use of the service available at ip2location.com and geolocate each of the [...]]]></description>
			<content:encoded><![CDATA[<p>A couple of weeks ago, <a href="http://www.computerdefense.org/2009/07/ssh-brute-force-attempts/">I posted</a> regarding the logs of some SSH brute force attempts I had logged on my server and was looking through. One of the comments asked for geolocation of the IP addresses. Tonight I decided to make use of the service available at <a href="http://www.ip2location.com/">ip2location.com</a> and geolocate each of the IPs that I had. I'm actually fairly impressed with the service: you can do 20 lookups per IP per day unregistered, and if you register you can do 200 lookups per IP per day. I registered, then pasted my entire list into a textbox they provide, and it looked them all up at once and provided the results.</p>
<p>Here are the screenshots. It was a small set of IPs, but the top three countries were China, the USA and Poland.</p>

<a href='http://www.computerdefense.org/2009/08/ssh-brute-force-attempts-geolocation/ip2location1/' title='ip2location1'><img width="150" height="150" src="http://www.computerdefense.org/wp-content/uploads/2009/08/ip2location1-150x150.jpg" class="attachment-thumbnail" alt="ip2location1" title="ip2location1" /></a>
<a href='http://www.computerdefense.org/2009/08/ssh-brute-force-attempts-geolocation/ip2location2/' title='ip2location2'><img width="150" height="150" src="http://www.computerdefense.org/wp-content/uploads/2009/08/ip2location2-150x150.jpg" class="attachment-thumbnail" alt="ip2location2" title="ip2location2" /></a>
<a href='http://www.computerdefense.org/2009/08/ssh-brute-force-attempts-geolocation/ip2location3/' title='ip2location3'><img width="150" height="150" src="http://www.computerdefense.org/wp-content/uploads/2009/08/ip2location3-150x150.jpg" class="attachment-thumbnail" alt="ip2location3" title="ip2location3" /></a>
<a href='http://www.computerdefense.org/2009/08/ssh-brute-force-attempts-geolocation/ip2location4/' title='ip2location4'><img width="150" height="150" src="http://www.computerdefense.org/wp-content/uploads/2009/08/ip2location4-150x150.jpg" class="attachment-thumbnail" alt="ip2location4" title="ip2location4" /></a>
<a href='http://www.computerdefense.org/2009/08/ssh-brute-force-attempts-geolocation/ip2location5/' title='ip2location5'><img width="150" height="150" src="http://www.computerdefense.org/wp-content/uploads/2009/08/ip2location5-150x150.jpg" class="attachment-thumbnail" alt="ip2location5" title="ip2location5" /></a>
<a href='http://www.computerdefense.org/2009/08/ssh-brute-force-attempts-geolocation/ip2location6/' title='ip2location6'><img width="150" height="150" src="http://www.computerdefense.org/wp-content/uploads/2009/08/ip2location6-150x150.jpg" class="attachment-thumbnail" alt="ip2location6" title="ip2location6" /></a>
<a href='http://www.computerdefense.org/2009/08/ssh-brute-force-attempts-geolocation/ip2location7/' title='ip2location7'><img width="150" height="150" src="http://www.computerdefense.org/wp-content/uploads/2009/08/ip2location7-150x150.jpg" class="attachment-thumbnail" alt="ip2location7" title="ip2location7" /></a>

]]></content:encoded>
			<wfw:commentRss>http://www.computerdefense.org/2009/08/ssh-brute-force-attempts-geolocation/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>What is InfoSec?</title>
		<link>http://www.computerdefense.org/2009/06/what-is-infosec/</link>
		<comments>http://www.computerdefense.org/2009/06/what-is-infosec/#comments</comments>
		<pubDate>Thu, 25 Jun 2009 04:23:49 +0000</pubDate>
		<dc:creator>Tyler Reguly</dc:creator>
				<category><![CDATA[IT]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[infosec]]></category>
		<category><![CDATA[IS]]></category>

		<guid isPermaLink="false">http://www.computerdefense.org/?p=768</guid>
		<description><![CDATA[When you speak to individuals working in our industry, you'll get a variety of answers for what they do. This near endless list of titles includes: Software Engineer Software Developer Security Engineer Support Specialist Research Engineer Network Admin System Admin The list goes on and on. Historically, I've divided those within IT into one of [...]]]></description>
			<content:encoded><![CDATA[<p>When you speak to individuals working in our industry, you'll get a variety of answers for what they do. This near endless list of titles includes:</p>
<ul>
<li>Software Engineer</li>
<li>Software Developer</li>
<li>Security Engineer</li>
<li>Support Specialist</li>
<li>Research Engineer</li>
<li>Network Admin</li>
<li>System Admin</li>
</ul>
<p>The list goes on and on. Historically, I've divided those within IT into one of four groups:</p>
<ul>
<li>Developer</li>
<li>Information Security (IS) Professional</li>
<li>Information Technology (IT) Professional</li>
<li>Web Developer</li>
</ul>
<p>These days Web Developer could probably be folded into Developer, since there's so much beyond simple HTML used to build web sites. That leaves us with Developer, IS Pro, and IT Pro. I tend to think that is a fairly reasonable distinction at a high level, with one caveat: IS isn't really on the same level as the other two. Most people that you talk to have experience in either IT or Development when they move into IS. IS is a skillset that's built onto one of those two. Let's look at this another way...</p>
<p>Imagine this is an RPG and you're a Level 1 IT Worker. You can choose the abilities you upgrade and they include "Programming", "Router Config", "OSI Model", etc. The level-ups for these may include "C++", "Java", "Routing Protocols", "Routed Protocols". This means you could follow the path of IT Pro, Developer or "Jack of all Trades". It isn't until you reach one of these levels that you unlock the next round of abilities (the IS skills), which may include "Packet Analysis" (requires "Routing Protocols" and "Routed Protocols") and "Binary Analysis" (requires "Programming" + 1 Level Up). Only at that point do you move to "IS Pro".</p>
<p>You're probably saying to yourself, "WTF is he talking about?" After all, I'm reading this and thinking that. What I'm talking about is this blog post, '<a href="http://www.infamousagenda.com/2009/06/what-do-you-need-to-know-to-work-in.html">what do you need to know to work in infosec</a>'. To put it plainly, the list is wrong. Well, the list isn't wrong, the list is correct, but the title is wrong. With the exception of one or two items, this list reads more like a "what do you need to know to be a sysadmin" or "what do you need to know to work at a helpdesk".</p>
<p>Now as I said, IT is a stepping stone to IS, so yes, at one point or another you probably learned many of these if you now work in IS, but these aren't the things you need to know to work in IS, these are the things you need to know to work in IT.</p>
<p>So let's take a look at the 'What you need to know...' list and figure out where the line items fit. If we take the ones you really need to know to work in IS we've got maybe 5-7 items (1, 11, 14, 15, 17, 18 and 19) - I'll let you decide if it's some or all. Let's think about some of the others. Numbers 2-5 are all networking related; I know people in IS who've never touched them... now as a network admin or member of the network group (which would fall under IT) these would be important skills. With numbers 6-9, we're looking at a sys admin or help desk employee (again, positions I'd consider to be IT related). Now 10, 12, 13, and 16. These could be argued a few ways, but I'm going to call them help desk or support type things and bundle that up into the IT category.</p>
<p>So what's my point? To state that I disagree with a definition of infosec that "needs" all those abilities. Then again, people may even disagree with the 5-7 I felt could be kept. In the end, that list is a great list if you want to go get the title of Network Admin or Sys Admin, or even in some cases Security Admin. But even at that, working in an enterprise security group where you may deal with all those tasks (it seems doubtful that you'd rely on the security team to install software, though) is one very small aspect of infosec.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.computerdefense.org/2009/06/what-is-infosec/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Apache AddType Issue</title>
		<link>http://www.computerdefense.org/2009/04/apache-addtype-issue/</link>
		<comments>http://www.computerdefense.org/2009/04/apache-addtype-issue/#comments</comments>
		<pubDate>Wed, 08 Apr 2009 03:31:18 +0000</pubDate>
		<dc:creator>Tyler Reguly</dc:creator>
				<category><![CDATA[IT]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.computerdefense.org/?p=722</guid>
		<description><![CDATA[A recent SANS ISC diary entry mentions an interesting configuration point that I had been previously unaware of. It seems that AddType doesn't just enable the extension, it enables all files containing that string. Example: AddType application/x-httpd-php .php In the above example, both phpinfo.php and phpinfo.php.bak would be parsed as PHP.  I found this to [...]]]></description>
			<content:encoded><![CDATA[<p>A recent SANS ISC <a href="http://isc.sans.org/diary.html?storyid=6139">diary entry</a> mentions an interesting configuration point that I had been previously unaware of. It seems that AddType doesn't just apply to files ending in the given extension; it applies to all files containing that string.</p>
<p>Example: AddType application/x-httpd-php .php</p>
<p>In the above example, both phpinfo.php and phpinfo.php.bak would be parsed as PHP. I found this to be rather interesting and started testing with a few servers I have handy.</p>
<p>It appears as though this isn't the case 100% of the time.</p>
<p>I tested 3 servers running Apache 1.3.34, 2.2.4 and 2.2.8. It was true on the server running Apache 1.3.34, however it wasn't true on the two Apache 2.2 systems.</p>
<p>I contacted the handlers at ISC to follow up with them; however, I haven't heard anything confirming it one way or another. Has anyone else tested this on their servers?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.computerdefense.org/2009/04/apache-addtype-issue/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Denial of Service the Series: Part 2 &#8211; Survey Responses (2/2)</title>
		<link>http://www.computerdefense.org/2009/02/denial-of-service-the-series-part-2-survey-responses-22/</link>
		<comments>http://www.computerdefense.org/2009/02/denial-of-service-the-series-part-2-survey-responses-22/#comments</comments>
		<pubDate>Wed, 18 Feb 2009 05:36:50 +0000</pubDate>
		<dc:creator>Tyler Reguly</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Denial of Service]]></category>
		<category><![CDATA[Survey]]></category>

		<guid isPermaLink="false">http://www.computerdefense.org/?p=706</guid>
		<description><![CDATA[Yesterday I stopped halfway through and said I'd continue with the responses today. So tonight I'm going to look at the responses to: Does Web 2.0 Make Availability More Important? Are Denial of Service and Availability Interchangeable? A Browser Crash is...? A Firewall Denial of Service is...? A Web Server Crash is...? These are the [...]]]></description>
			<content:encoded><![CDATA[<p>Yesterday I stopped halfway through and said I'd continue with the responses today. So tonight I'm going to look at the responses to:</p>
<ul>
<li>Does Web 2.0 Make Availability More Important?</li>
<li>Are Denial of Service and Availability Interchangeable?</li>
<li>A Browser Crash is...?</li>
<li>A Firewall Denial of Service is...?</li>
<li>A Web Server Crash is...?</li>
</ul>
<p>These are the questions that drew the responses that I was really interested in... so let's jump right in.</p>
<h2>Question 5 - Does Web 2.0 Make Availability More Important?</h2>
<p><a href="http://www.computerdefense.org/wp-content/uploads/2009/02/does-web-20-make-availability-more-important.png"><img class="aligncenter size-full wp-image-698" title="does-web-20-make-availability-more-important" src="http://www.computerdefense.org/wp-content/uploads/2009/02/does-web-20-make-availability-more-important.png" alt="does-web-20-make-availability-more-important" width="599" height="435" /></a></p>
<p>With this one here, I was rather impressed by the splits: overall we had 89 'Yes' responses to 78 'No's. Our biggest group (IT Professional) saw 34 to 20 in favour of 'Yes', while the second biggest group (Security Researcher) was an even split of 26 to 26. Perhaps the most surprising was IS Professional with 16 to 10 in favour of 'No'. Going into this survey, if I had to pick one question that I thought would be clear cut, it would have been this one. I thought that everyone would say yes; that obviously isn't the case. So what did people have to say about this question?</p>
<blockquote><p>If anything Web 2.0 has shown how little people care about availability. - Security Researcher/No</p>
<p>Web 2.0 (Web 'Uh-oh') actually opens up an entirely different set of security issues... - Security Researcher/No</p>
<p>There are just more people pissed off about it. - Developer/No</p>
<p>Availability is an issue for COBOL apps written in the 1960s.  Mission critical is mission critical.  Platform is irrelevant. - IS Professional/No</p>
<p>It really shouldn't; it should have been just as important 10 years ago. I think the big difference is rather than 10,000 web users on a site 10 years ago, today there may be 1,0,000! Web 2.0, to me, signifies a big uptake in people casually using those tools. This makes A seem important as it really affects revenues and perceptions.  But should it have been less important? I guess that's a paradigm difference amongst people, but I think it should always have been important. - IT Professional/No</p>
<p>The purpose, not the technology, dictates when availability is more important. - Management/No</p></blockquote>
<p>As you can see, I've only selected comments where the commenter selected 'No' as their answer. So it seems that it's not 'more important' but should be considered 'as important', at least to some people. That's completely valid... just not how I looked at it. I had assumed more people... more importance. The developer's comment is interesting: "There are just more people pissed off about it". That follows the logic that I had used in my assumptions, yet they answered no. I guess that means the question comes down to "more important to whom?" The business, the user or both? I'd say both. If I can access the service, I'll be happy. If I'm happy, I'll most likely be retained as a customer. If I stick around, I'll probably buy more and the business will be happy.</p>
<p>The remaining comments either passed off 'Web 2.0' as a horrid buzz word or revolved around the concept I just mentioned, more people and more business make Web 2.0 more important.</p>
<h2><span id="more-706"></span>Question 6 - Are Denial of Service and Availability Interchangeable?</h2>
<p><a href="http://www.computerdefense.org/wp-content/uploads/2009/02/are-denial-of-service-and-availability-interchangeable.png"><img class="aligncenter size-full wp-image-697" title="are-denial-of-service-and-availability-interchangeable" src="http://www.computerdefense.org/wp-content/uploads/2009/02/are-denial-of-service-and-availability-interchangeable.png" alt="are-denial-of-service-and-availability-interchangeable" width="599" height="435" /></a></p>
<p>A lot of people said No to this one and then proceeded to inform me that Denial of Service affects Availability; I guess they didn't see that drop-down option. If I were to cast my vote, you'd find me in the 'DoS affects Avail.' red grouping, but a lot of people who said 'No' (and there were 103 of them) seemed to think I was leaning towards yes simply by asking the question. The numbers across the board for this one were: No - 103, Yes - 37, DoS affects Avail. - 68, and Sometimes - 51. Some people did offer up interesting reasoning for their opinions.</p>
<blockquote><p>Used loosely, sure.  If I am under a DDoS attack, I probably don't have great availability.  If all my boxes fall over at the same time due to a power outage, I've also effectively eliminated my ability to provide service. - Security Researcher/See Notes Below</p>
<p>Denial of service does not have to affect availability. For instance causing a redirect loop in a website does in fact rely on the webserver being available. - IT Professional/No</p>
<p>That's tough. I think Availability encompasses all DoS, but Availability is more than just DoS conditions and attacks.  If a netadmin borks a router config and denies a segment of the network service from another segment, that is not a security concern but rather a stability issue. However, it still is about Availability as it pertains to the IT infrastructure teams.  (Of course, what if it was a purposeful misconfig...?) - IT Professional/Sometimes</p>
<p>In the end, availability is the key component.  DOS is a type or characteristic of a method used to affect availability.  Businesses only care about overall availability. - IS Professional/Yes</p>
<p>When there is no avail. it doesn't mean that it's DoS, but when there's DoS it means that there's no Avail. - IT Professional/See Notes Below</p></blockquote>
<p>For these next questions, I'm going to cover all three graphs first.</p>
<h2>Question 7 - A Browser Crash is a...?</h2>
<p><a href="http://www.computerdefense.org/wp-content/uploads/2009/02/a-browser-crash-is.png"><img class="aligncenter size-full wp-image-694" title="a-browser-crash-is" src="http://www.computerdefense.org/wp-content/uploads/2009/02/a-browser-crash-is.png" alt="a-browser-crash-is" width="601" height="436" /></a></p>
<p>This one went:</p>
<ul>
<li>Stability Issue - 99</li>
<li>Security Issue - 15</li>
<li>Both - 138</li>
<li>Neither - 14</li>
</ul>
<h2>Question 8 - A Firewall Denial of Service is a...?</h2>
<p><a href="http://www.computerdefense.org/wp-content/uploads/2009/02/a-firewall-denial-of-service-is.png"><img class="aligncenter size-full wp-image-695" title="a-firewall-denial-of-service-is" src="http://www.computerdefense.org/wp-content/uploads/2009/02/a-firewall-denial-of-service-is.png" alt="a-firewall-denial-of-service-is" width="601" height="436" /></a></p>
<p>And the numbers are:</p>
<ul>
<li>Stability Issue - 12</li>
<li>Security Issue - 99</li>
<li>Both - 139</li>
<li>Neither - 14</li>
</ul>
<h2>Question 9 - A Web Server Crash is a...?</h2>
<p><a href="http://www.computerdefense.org/wp-content/uploads/2009/02/a-web-server-crash-is.png"><img class="aligncenter size-full wp-image-696" title="a-web-server-crash-is" src="http://www.computerdefense.org/wp-content/uploads/2009/02/a-web-server-crash-is.png" alt="a-web-server-crash-is" width="599" height="435" /></a></p>
<p>May I have the envelope please:</p>
<ul>
<li>Stability Issue - 51</li>
<li>Security Issue - 34</li>
<li>Both - 177</li>
<li>Neither - 5</li>
</ul>
<p>Quotes related to these last three:</p>
<blockquote><p>For the last three questions, a browser or web server crash is only a security issue in certain scenarios.  Each of the scenarios must be checked.  They could be one or several of the following conditions that lead to one or multiple specific security issue(s): 1) Path traversal/exploration (sometimes DoS, sometimes Information Leakage, sometimes both, sometimes more) 2) Memory Access Violation (Write) - definitely/always a security issue that can cause a DoS and/or remote execution and/or more 3) Memory Access Violation (Read) - varies by type 4) NULL pointer dereference - varies by type 5) Divide by zero (often DoS-only, but not always)  A browser/server crash in a lab or trusted environment (especially done on purpose or under the auspices of SQA) is not a security issue.  A browser/server crash in a production environment is often both a stability and security issue.  Firewalls, clients, servers, etc - are basically treated similarly except they do have different kinds of bugs and vulnerabilities - Security Researcher/Neither/Neither/Neither</p>
<p>Web Server Crash = If not from DOS Attack - IS Professional/Stability Issue</p>
<p>Browser crashes are not a security issue unless they can be leveraged for exploitation. Chances are if you can continuously DoS a browser, you have MITM or some other over the system already - Security Researcher/Stability Issue</p>
<p>Where you say "stability" I would say "reliability".  The misbehaviour of a piece of software may indicate there are other lurking defects that may compromise Confidentiality or Integrity, in addition to the obvious Availability defect.  There would be fewer browser crashes discovered if web page authors checked their web pages with the tool at http://validator.w3.org.  The remaining browser crashes would be from malevolent web authors and users would not view a browser crash as benign or expected - Developer/Both/Both/Both</p>
<p>Application level DoS is underestimated. I like this survey as it addresses this problem. A distinction between DoS target layers would have been nice though - IT Professional/Security Issue/Security Issue/Security Issue</p></blockquote>
<p>I wanted to group these last three because I found them rather interesting. One of the more interesting numbers is the mirroring done by stability and security between a browser crash and a firewall DoS. I was rather surprised by this for a couple of reasons. The first being the number of people who said that Web 2.0 makes availability more important and the number of people that said Denial of Service is a security issue... yet a web browser crashing suddenly becomes a stability issue. I wonder how those people would respond if I told them that it was the same specially crafted HTTP response that caused both. My goal here was to mix up the use of crash and denial of service and see if changing the word played into people's opinions. Even though the numbers were closer on the web server crash, I think it's still safe to say that the use of the word crash vs denial of service does affect people's opinions of whether or not it is a security issue. Any thoughts on that?</p>
<p>While 'Both' reigned supreme across the board for these three questions, I didn't expect that on both the browser and the firewall it would pick up only 50% of the vote.  In the end, I'd wanted to attempt to reach an agreed upon point as to when something is a Denial of Service... to remove the subjectivity and make it a little more objective. I don't know that it's possible to do that after seeing these responses, but I'll try to come up with a majority consensus based on these responses and put that forward as an objective opinion of what a Denial of Service is in a future post.</p>
<p>For now, I'll leave you with some of the final comments from the survey:</p>
<blockquote><p>Denial of service is less of a risk to major players as internet crime is moving more towards profit driven models.  You'll only see it when a bot master gets pissed off, for instance, against anti-spam orgs or governments, like this russia/georgia bullshit. - Security Researcher</p>
<p>PCI:DSS has done much to bring security into the general populace, but it has also accelerated the thinking that DoS/Availability is not a security issue.  People need to understand the scope of PCI:DSS - to protect card holder data.  I believe that the PCI:DSS will bring DoS/Availability back into the standard once they have achieved their goal of global adoption.  As they evolve their security thinking, they will understand where DoS does put card holder data at risk (as you've alluded to above with DoS on firewalls and other security tools) - Management</p>
<p>Frankly, one of the largest areas of conflict between security personnel and normal IT personnel is with scope creep related to Availability.  A huge percentage of what an entire infrastructure department does is about availability - data center, box clustering/load balancing, config management, etc.  It often seems to them (and I'm not sure this isn't the case) that security pros/companies pushing into availability isn't just a way to expand their scope/power/money.   Now, there are some parts of availability that are best kept with security because of synergy - bad inputs that crash your app versus bad inputs that show SQL data are the same technically, so splitting them isn't that useful.  But the security professional's model of availability needs to be restricted to "stopping naughtiness."  Firewall-blocking a SYN flood,  cleansing application inputs, and preventing theft are good.  Getting in my business about how much AC I have in my data center, my load balancing scheme, my configuration management system, or my uptime SLA is not.  A browser crash certainly is not.  In IT, lots of things have implications on other aspects of systems.  So sure, there may be security implications in our config management system, for instance.  But all too often security tries to consider these other areas, which are all huge disciplines unto themselves and have a lot more appropriate and specifically trained people to handle them, "under security."  - Management</p>
<p>DoS and Availability do in certain circles go hand in hand and are very important to security professionals.  We can provide CIA however without providing the availability or the protection against DoS, we are not providing the full product.  Availability to me, a security professional, is key. - IT Professional</p>
<p>I'm surprised by this topic, but I think it's a great one. I wouldn't be surprised to see every sort of answer possible, given by respected security experts.  As far as the crashes above, they may indicate security issues, but I would certainly start those incidents with the stability/infrastructure teams first. - IT Professional</p>
<p>Denial of Service, should not be viewed as only an attack vector. Management can Deny you the service as a planned DoS due to authorization level. Equipment failure or incorrect settings or programming can cause DoS, unplanned DoS. You can provide the service and not have enough bandwidth or power to service a large group of requests and cause DoS. - IT Professional</p></blockquote>
<p>I know, there were lots of quotes but I think a lot of other people summed it up way better than I could have.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.computerdefense.org/2009/02/denial-of-service-the-series-part-2-survey-responses-22/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Denial of Service the Series: Part 2 &#8211; Survey Responses (1/2)</title>
		<link>http://www.computerdefense.org/2009/02/denial-of-service-the-series-part-2-survey-responses-12/</link>
		<comments>http://www.computerdefense.org/2009/02/denial-of-service-the-series-part-2-survey-responses-12/#comments</comments>
		<pubDate>Tue, 17 Feb 2009 06:50:39 +0000</pubDate>
		<dc:creator>Tyler Reguly</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Denial of Service]]></category>
		<category><![CDATA[Survey]]></category>

		<guid isPermaLink="false">http://www.computerdefense.org/?p=693</guid>
		<description><![CDATA[So here we go... I know some people have been waiting to see these numbers so it's about time I share them. In the end 279 people responded to the survey, and I'm fairly happy about the responses... only one of those 279 used the comments inappropriately but I've still counted the drop down boxes [...]]]></description>
			<content:encoded><![CDATA[<p>So here we go... I know some people have been waiting to see these numbers so it's about time I share them. In the end 279 people responded to the survey, and I'm fairly happy about the responses... only one of those 279 used the comments inappropriately but I've still counted the drop down boxes from that survey. There were 204 anonymous responses and 75 with names, email addresses or websites attached to them. People that <a href="http://twitter.com/treguly">follow me</a> on twitter may have noted last night that I was really enjoying the comments. Based on the comments to the first question I had done a quick estimate, expecting ~600 comments... however the numbers dwindled on the following comments and picked up again for the last question. In the end I received 250 comments in addition to the survey responses. I haven't yet decided if I'll make the survey data available but if I do, I'll definitely remove all personal information.</p>
<p>The survey posed 9 questions and allowed for plenty of space to provide comments, so I was really excited to see the answers that I would get.  Some people felt my questions biased the responses (I believe it's impossible to do anything without introducing personal bias on some level) and others questioned what I was trying to get at.  I think I'll start by summing that up as simply as I can.  If someone causes me to lose access to something, I believe they've denied me service and it is therefore a denial of service. I've seen all sorts of responses that it depends on if the denial was malicious or accidental, that it only applies to servers and so forth. I think it's much simpler than that... if I visit a website and it crashes my browser... Denial of Service. If I run a web server and someone crashes it... Denial of Service. So I wanted to know who shared my opinion and how people felt about Denial of Service.</p>
<p>For this post I'm going to provide graphs of the responses, mapping response to profession and some minor feedback.</p>
<h2><span id="more-693"></span>Question 1 - Is Denial of Service a Vulnerability</h2>
<p><a href="http://www.computerdefense.org/wp-content/uploads/2009/02/is-denial-of-service-a-vulnerability.png"><img class="aligncenter size-full wp-image-700" title="is-denial-of-service-a-vulnerability" src="http://www.computerdefense.org/wp-content/uploads/2009/02/is-denial-of-service-a-vulnerability.png" alt="is-denial-of-service-a-vulnerability" width="599" height="435" /></a></p>
<p>I found it very interesting that the answer was almost universally 'Yes' followed by 'Sometimes', the exception being Developers who never acknowledged the sometimes situation. As you can see I left in those people that chose not to respond as well as the people who selected 'See Note Below', this is the case for all of these graphs and I should make it clear that many people who didn't select 'See Note Below' also left comments. I'm going to leave the comments anonymous as I post them, but if you had a comment that I share and you want your name attached to it, feel free to let me know.</p>
<blockquote><p>If it is caused by a hardware/software flaw, then yes.  If it is simply a flooding of resources, then no. - IT Professional/Sometimes</p>
<p>Denial of Service is an attack which exploits different types of vulnerabilities in systems. - Security Researcher/No</p>
<p>Can't be.  DoS is an external threat, executed by an external threat agent (one hopes).  DoS can exploit a vulnerability, but is not itself the vulnerability. - IS Professional/No</p>
<p>A denial of service is a vulnerability if it affects other users of the service/system.  E.g. If I can crash httpd (affecting many users) then it is a security issue.  If I can crash Word, affecting only myself, then it is a stability issue. - Security Researcher/See Note Below</p>
<p>DoS is a vulnerability when you can DoS a system because of a bug in the system (buffer overflow, lack of input validation, etc.). It is not a vulnerability when you can DoS a system because it lacks some resources to handle the load. - Other/See Note Below</p>
<p>If I can send something to a webserver and make it crash it's a vulnerability. If I hose the webserver with 'normal' requests and thereby making it unavailable to regular visitors, that's not a vulnerability of the webserver. - Security Researcher/Sometimes</p>
<p>i.e. If there is a system call that dereferences a NULL pointer and crashes the system that is definitely a vulnerability. However if all their bandwidth is taken up with ICMP echo packets that is more of a problem with the infrastructure itself. - Security Researcher / Sometimes</p>
<p>I believe DoS to be a vulnerability if you take into consideration the CIA triad.  It goes against the availability issue of security and this can create a vulnerability. - Security Researcher/Yes</p>
<p>Everything that affects the availability of a system can be considered as a vulnerability according to the CIA triad. - IS Professional/Yes</p>
<p>Technically, DoS is the result of an attack against one or more vulnerabilities.  The impact of a DoS affects availability, which is one part of the CIA triad.  The CIA triad is the core of the most widely accepted model of information security. - Security Researcher/See Note Below</p>
<p>If a DoS can be triggered remotely, pre-auth and with a single packet or otherwise low ratio of attack traffic then yes. - Security Researcher/See Note Below</p></blockquote>
<p>This question had so many responses that it was hard to simply choose a few... which may end up making this post extremely long. Anyways, as you can see opinions are completely varied... from every DoS is a vuln to only if it affects a network service, depending on who you ask.  I included three quotes that mentioned CIA; CIA comes up time and time again in the responses (as I would have expected), so I was really intrigued at later questions when I mentioned CIA and people asked in their comments what I was referring to.</p>
<h2>Question 2 - Is Denial of Service a Security Issue</h2>
<p><a href="http://www.computerdefense.org/wp-content/uploads/2009/02/is-denial-of-service-a-security-issue.png"><img class="aligncenter size-full wp-image-699" title="is-denial-of-service-a-security-issue" src="http://www.computerdefense.org/wp-content/uploads/2009/02/is-denial-of-service-a-security-issue.png" alt="is-denial-of-service-a-security-issue" width="599" height="435" /></a></p>
<p>The answer was pretty much what I expected with this one, that the majority (71% - Yes + 18% - Sometimes + Several Notes) saying that DoS is at least sometimes a security issue.  Only 2.5% of responses said that Denial of Service wasn't a security issue.</p>
<blockquote><p>No.. because it doesn't involve stealing any data.. It is more of Service Issue ( where in the various services, mail , www, ) are clogged with invariable requests - IT Professional/See Note Below</p></blockquote>
<p>For this question, I'm singling out that single response. Beyond this there were plenty of comments regarding CIA and a number of "of course it does" comments, but the response above is interesting. The belief above seems to be that it is only a security issue when data is being stolen, and that's something that I definitely don't agree with. Out of curiosity, does anyone reading this agree with that comment, and if so, why? I'd love to hear the response.</p>
<h2>Question 3 - Should InfoSec Ignore Denial of Service</h2>
<p><a href="http://www.computerdefense.org/wp-content/uploads/2009/02/should-infosec-ignore-dos.png"><img class="aligncenter size-full wp-image-702" title="should-infosec-ignore-dos" src="http://www.computerdefense.org/wp-content/uploads/2009/02/should-infosec-ignore-dos.png" alt="should-infosec-ignore-dos" width="601" height="436" /></a></p>
<p>To be honest, I expected quite a few more Yes answers here. I think the answer is no... something inside me just said, "People will say Yes".  There were only 4 'Yes' responses.</p>
<blockquote><p>Yes, when the researcher can't show a real-world security impact of the DoS. - Security Researcher/See Note Below</p>
<p>Are you kidding?  The word denial denotes malicious effort.  Availability is critical to business continuity. - IT Professional/No</p>
<p>The domain of InfoSec is to guard and defend against an attack on IT resources. Whether the upshot of an attack is a DOS, an unwarranted escalation of privilege, or the compromise of restricted information the fact of the matter stands. These conditions arose as the result of an Attack. It is the charge of InfoSec professionals to address these matters. - IT Professional/No</p>
<p>I think it would be folly to ignore DoS. It is like saying we should worry that the sun won't come up tomorrow. I see a DoS condition as something that is always possible, but often made less of a risk through measures like large enough servers or configs that deal with open sessions, etc. It is often brought up, but also often dismissed in pen-test reports or architecture planning. It's important if 2 people can exploit it less important if it takes an exotic attack or something so large, like a wall cracking under an elephant stampede. You're screwed anyway. - IT Professional/No</p>
<p>Apparently they are, until this day we're still tinkering with easy issues like XSS. Jeremiah Grossman was so excited about this, he wrote a book! If you ask around any security consultant, they will tell you that DDoSing is "lame". I think they have that viewpoint simply because it is an issue we have yet to resolve, and cannot provide an effective solution because there is very little focus and contribution to that area. I think we have forgotten where hackers really descended from. Before compiling and launching exploits, there was DDoSing, something that would disrupt service and could work successfully the majority of the time. We forget that vulnerabilities and exploits like XSS can be easily prevented and administered by a simple update, but a DDoS attack takes a website offline, disabling the use of connecting to even fix the issue. Ask Robert Hansen (RSnake) what he thinks about DDoSing. A friend of mine took his website offline within a few minutes and I went about reporting this to Mr. Hansen and he replied back calling me a script kiddie. As you can see, DDoSing is something that cannot be stopped even by seasoned professionals. - Security Researcher/No</p></blockquote>
<p>The first one makes me ask the questions, "How do you define real-world impact?" and "Real-world impact to whom?". To many a browser crash is not a security issue (coming up), so is that a case where there isn't a real world impact? What if it affects small business owners whose browsers have had their homepage reset to a page with code that causes a crash? Is that a real world impact? Is it significant enough for people to look at? The next three were just interesting comments and the last one was included to demonstrate that some people answered this with only DDoS on their minds (see my <a href="http://www.computerdefense.org/2009/02/11/denial-of-service-the-series-part-1-dos-vs-ddos/">first post</a> in the series).</p>
<h2>Question 4 - Should Availability Be Removed from CIA</h2>
<p><a href="http://www.computerdefense.org/wp-content/uploads/2009/02/should-availability-be-removed-from-cia.png"><img class="aligncenter size-full wp-image-701" title="should-availability-be-removed-from-cia" src="http://www.computerdefense.org/wp-content/uploads/2009/02/should-availability-be-removed-from-cia.png" alt="should-availability-be-removed-from-cia" width="599" height="435" /></a></p>
<p>I'd say 'you probably looked at the question and expected that giant chunk of green' but maybe you're one of the people who answered with something different. While it's obvious that 'Availability is Important' was the winner (193), I want to give a bit more of a breakdown around the remaining values:</p>
<ul>
<li>Availability Doesn't Matter - 5</li>
<li>Only Client Availability Matters - 5</li>
<li>Only Server Availability Matters - 12</li>
<li>Who Cares? - 26</li>
<li>Blank - 15</li>
<li>See Notes Below - 23</li>
</ul>
<p>The IT Professionals that said 'Availability Doesn't Matter' (2 people)... I'm glad I don't work at their organizations. I actually thought that 'Only Server Availability Matters' might be higher than it is (more on this with Question 5).</p>
<blockquote><p>Somewhat important, less so than C and I, typically not the sole preserve of the infosec function therefore responsibility less clear - Management/See Notes Below</p>
<p>A is IMO the most important these days, and the more we become interdependent on IT, the more importance A will have/get. - IS Professional/See Notes Below</p>
<p>Yes, I believe so.  It should be addressed separately. - Security Researcher/See Notes Below</p>
<p>Availability is important to a degree.  I do not believe that CIA means Conf. Integ. and Avail. are THE MOST IMPORTANT things...they are the three areas that security is most concerned with UNDERSTANDING and MANAGING.  It is important to understand if availability isn't as important as confidentiality for your [company|agency|group]  they are subjective areas of value, differing for every organization. - IT Professional/Avail. is Important</p>
<p>A gets IS in touch with operations and allows "us" to create a true partnership - IS Professional/Avail. is Important</p>
<p>Absolutely not.  There is already a *HUGE* disconnect between Security and other IT disciplines because the Security community does not treat DoS with as much importance as others.  - Management/Avail. is Important</p>
<p>Availability is just as important as the other two, although there are arguments regarding who is responsible for it. - IT Professional/Avail. is Important</p>
<p>Availability is one of the most important issues for business - so it's part of quality as well as whole security is. - Management/Avail is Important</p></blockquote>
<p>These were some of the more interesting comments. I thought the contrast in these was rather impressive. We've got an individual in management telling us that availability is somewhat less important than confidentiality and integrity, while an IS professional is telling us the exact opposite. I realize it's only two responses but does this speak to a larger disconnect that might exist today? Then we see another interesting contrast, with a security researcher telling us that availability should be addressed separately and someone in management saying there's already enough of a disconnect between Security and the remaining IT disciplines. Have we stumbled across a major issue in information security today? How do we address this? Who's right and who's wrong... or is everyone right?</p>
<p>Well that's only the first 4 questions, however this post is already extremely long (and I've been writing for quite a while). I think I'm going to break it into a two-part post and do the second half tomorrow. This is a great spot for the split as it is the end of what I considered the "setup points" and tomorrow I can get into the questions that I really want to discuss deeper.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.computerdefense.org/2009/02/denial-of-service-the-series-part-2-survey-responses-12/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Denial of Service the Series: Part 1 &#8211; DoS vs DDoS</title>
		<link>http://www.computerdefense.org/2009/02/denial-of-service-the-series-part-1-dos-vs-ddos/</link>
		<comments>http://www.computerdefense.org/2009/02/denial-of-service-the-series-part-1-dos-vs-ddos/#comments</comments>
		<pubDate>Wed, 11 Feb 2009 20:16:13 +0000</pubDate>
		<dc:creator>Tyler Reguly</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Denial of Service]]></category>

		<guid isPermaLink="false">http://www.computerdefense.org/?p=690</guid>
		<description><![CDATA[Quite a while back I had posted everywhere and contacted everyone I knew regarding a Denial of Service survey that I was conducting. It came out of the frustration of watching people and companies disregard denial of service as a valid security concern. It seemed to be an ongoing debate -- Confidentiality &#38; Integrity vs [...]]]></description>
			<content:encoded><![CDATA[<p>Quite a while back I had posted everywhere and contacted everyone I knew regarding a Denial of Service survey that I was conducting. It came out of the frustration of watching people and companies disregard denial of service as a valid security concern. It seemed to be an ongoing debate -- Confidentiality &amp; Integrity vs Availability, instead of all three being treated as important. Anyways I've been under constant hounding to release some statistics from the survey, so I figured I'd do a multi-part series on Denial of Service (ok... so right now it's planned as a 2-part series). This first part is a precursor, since I had numerous people argue on whether or not DoS and DDoS were the same thing or different things and also on whether or not DoS was still valid (more on that to come). Since the survey was part of a conference talk that I wanted to do and the talk wasn't accepted, I figure it's as good a time as any to start posting.</p>
<p>One of the most interesting things that I came across during my initial investigation was that there's no clear definition of Denial of Service. A simple <a href="http://www.google.ca/search?q=define%3A+denial+of+service"><em>define: denial of service</em></a> search on Google yields numerous results:</p>
<blockquote>
<h5>Attacks on wired networks require a far greater deal of computing power, often even requiring the need of <a title="Distributed computing" href="http://en.wikipedia.org/wiki/Distributed_computing">distributed computing</a>. Attacks on wired networks of course do not require any NICs or external antennae, yet often does have the need of a (broadband) connection to the Internet. (<a href="http://en.wikipedia.org/wiki/Denial_of_Service">Wikipedia</a>)</h5>
</blockquote>
<p>I rather enjoy this one because it has two interesting remarks. The first is that you require a great deal of computing power to perform a denial of service attack. The second is that when attacking a wired network you <strong>do not</strong> require a NIC.</p>
<blockquote>
<h5>A type of attack that tries to block a network service by overloading the server. (<a href="http://www.ingate.com/files/422/fwmanual-en/xa11944.html">Ingate - A firewall vendor</a>)</h5>
</blockquote>
<p>Blocking a network service is definitely one form of a DoS, however a single computer usually doesn't accomplish the task very well and this will usually be a DDoS.</p>
<blockquote>
<h5><strong>denial of service:</strong> An attack that consumes the resources on your computer for things it was  not intended to be doing, thus preventing normal use of your network resources for legitimate purposes. (<a href="http://www.fifi.org/doc/HOWTO/en-html/Security-HOWTO-12.html">The Linux Security How-To</a>)</h5>
</blockquote>
<p>This time instead of "<em>overloading the server</em>" we see "<em>consumes the resources</em>". Once again, we seem to be confusing DoS as a whole with a single type of DoS or a DDoS. This confusion seems to occur everywhere. When I was initially distributing the <a href="http://tinyurl.com/dossurvey">survey link</a>, I had numerous people question why I was even bothering. They claimed that DoS was irrelevant because it was simply a packet flood, that you were "<em>overloading the server</em>" and "<em>consuming the resources</em>". This is not the case at all and, as I've mentioned repeatedly, they were looking at a single piece of the Denial of Service Pie.</p>
<p>So what is a Denial of Service? Excellent question. There are actually a few sites that define it more appropriately.</p>
<blockquote>
<h5><strong>Denial of Service:</strong> Result of any action or series of actions that prevents any part of an information system from functioning. (<a href="https://www.key.com/html/A-11.2.1.html#D">KeyBank</a>)</h5>
<h5><strong>Denial of Service:</strong> Unwanted or malicious messages that render network resources non-functional. Some examples are Ping of Death, SYN flood, IP spoofing and Smurf attacks (<a href="http://www.sequi.com/SEQUI_VPN_Glossary.htm#Deni">SEQUI</a>)</h5>
</blockquote>
<p>This is a much more accurate definition of Denial of Service and I'm glad to see that there are proper definitions floating around.</p>
<p>If I were to define Denial of Service, I would say, very simply, "<strong><em>The absence of Availability.</em></strong>" I don't think the definition itself needs to go much beyond that. It is very broad, but broad can be good. Some people may argue that it's too encompassing but that definitely isn't the case. Think about the recent Slashdot downtime, while the <a href="http://news.slashdot.org/article.pl?sid=09/02/10/044221">problem was internal</a>, it was a Denial of Service in the broadest sense of the term. Whether it's a power outage, a tornado, a tank driving through your data center, a packet flood or a malformed packet bringing down a listening server... it's all Denial of Service.</p>
<p>Now DDoS is another beast. Distributed Denial of Service tends to be defined more reasonably most of the time and people are generally clear on what it is. Essentially, it's what everyone I quoted above was describing, a wide-scale, multiple-source attack that consumes resources and renders the device or service inaccessible. Metasploit, and many others, have <a href="http://blog.metasploit.com/2009/02/pathetic-ddos-vs-security-sites.html">experienced this recently</a>.</p>
<p>So why is all of this important? It helps you to understand the logic and reasoning behind some of the questions on the survey. Many people left comments stating that the questions were unclear, primarily because they were thinking of Denial of Service in terms of a packet flood. Before I release details on the survey, I want to be sure people have a clear understanding of what I'm talking about. I know what you're thinking, and I should have done this prior to the survey, however I didn't realize that what I considered to be an industry standard definition was not.</p>
<p>That is why I asked questions like, "Is Denial of Service a Vulnerability?" Some said '<em>no</em>', it's a packet flood and that isn't a vulnerability. Many said '<em>sometimes</em>', with the logic that some times it's taking advantage of a vulnerability and other times it's a simple packet flood. Personally, I like '<em>sometimes</em>' as the answer to this question, although the comment that I'd add would be that I consider the majority of DoS to be a vulnerability (in other words, 'sometimes' doesn't need to be a 50/50 split). The answer however, may depend on where you sit within IT/IS or perhaps where you sit within your organization.</p>
<p>I see a vulnerability as any weakness, within reason, that leaves you vulnerable. Some see a vulnerability as a coding flaw or poor protocol implementation, <a href="http://www.istartedsomething.com/20090130/uac-security-flaw-windows-7-beta-proof/">while others</a> see a configuration option as a vulnerability. I've been told that a null pointer dereference shouldn't be labeled as a 'critical vulnerability' but <a href="http://blogs.zdnet.com/security/?p=1030">we've all seen</a> what Mark Dowd can do with one. I guess my point is that no answers were cut and dried; that's why I left the ability to comment on the majority of the questions.</p>
<p>So back to my point... my goal was to find out what everyone thought Denial of Service meant, and when they felt the label "Denial of Service" applied. Is a web server crashing on a malformed HTTP request a DoS? If it is, then is a web browser crashing on a malformed HTTP response also a DoS? The opinions on answering this can be quite varied, and in writing this I believe I just talked myself into a third post... a follow up with my commentary to the survey data, especially to this point as the answer really intrigues me. That being said, I invite everyone to comment on this point in particular (of course I always welcome comments on everything).  Whether it's a comment below this post, or a blog post of your own... I would love to see full responses (in greater detail than the survey could have possibly allowed for) to those two questions.</p>
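<p>To make the two questions above concrete, here is an added example (mine, not code from this blog or from any server it mentions): a toy HTTP/1.1 request parser that stands in for a web server's front end, in a naive form and a hardened form, fed through a simulated accept loop. The naive parser trusts the wire format, so one malformed request (a non-numeric Content-Length in the constructed traffic below) raises an unhandled exception and the loop ends, which is the single-request crash the post calls a Denial of Service; the hardened parser turns every such assumption into a BadRequest that the loop answers with a 400 and carries on. Turn the parser around to read HTTP responses and the same failure is the browser crash the post asks about. The request bytes, the MAX_HEADERS and MAX_LINE limits and the serve() loop are all constructed for the illustration and are not from the original page.</p>

```python
"""Single-request crash vs. graceful rejection: a toy HTTP/1.1 request parser.

Added illustration for this post, not code from computerdefense.org. The
parser is a minimal stand-in for a real web server's front end; the request
bytes and limits below are constructed for the example.
"""
from dataclasses import dataclass, field


class BadRequest(Exception):
    """Raised by the hardened parser when the request is malformed."""


@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def parse_request_naive(raw: bytes) -> Request:
    """Trusts the wire format: any malformed request raises an unhandled
    exception (ValueError, IndexError, UnicodeDecodeError)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    method, target, version = lines[0].split(" ")   # ValueError unless exactly 3 parts
    headers = {}
    for line in lines[1:]:
        name, value = line.split(":", 1)            # ValueError if no colon
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", 0))  # ValueError if not numeric
    return Request(method, target, version, headers, body[:length])


MAX_HEADERS = 64    # assumed limits, chosen for the example
MAX_LINE = 8192


def parse_request_hardened(raw: bytes) -> Request:
    """Same format, but every assumption the naive parser makes is checked
    and reported as BadRequest so the server loop can answer with a 400."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise BadRequest("missing end of headers")
    try:
        text = head.decode("ascii")
    except UnicodeDecodeError:
        raise BadRequest("non-ASCII bytes in header block")
    lines = text.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise BadRequest("malformed request line")
    method, target, version = parts
    if len(lines) - 1 > MAX_HEADERS:
        raise BadRequest("too many headers")
    headers = {}
    for line in lines[1:]:
        if len(line) > MAX_LINE or ":" not in line:
            raise BadRequest("malformed header line")
        name, value = line.split(":", 1)
        if not name.strip():
            raise BadRequest("empty header name")
        headers[name.strip().lower()] = value.strip()
    cl = headers.get("content-length", "0")
    if not cl.isdigit():
        raise BadRequest("non-numeric Content-Length")
    length = int(cl)
    if length > len(body):
        raise BadRequest("body shorter than Content-Length")
    return Request(method, target, version, headers, body[:length])


def serve(parser, requests):
    """Simulates a server loop handling requests in order and returns the
    status it answered each one with. An unexpected exception is the process
    dying: the loop ends and every later client is denied service."""
    answered = []
    for raw in requests:
        try:
            parser(raw)
            answered.append(200)
        except BadRequest:
            answered.append(400)
        except Exception:
            answered.append("crash")
            break
    return answered


# Constructed traffic: two well-formed requests around one malformed one.
GOOD = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
MALFORMED = b"GET / HTTP/1.1\r\nContent-Length: lots\r\n\r\n"
TRAFFIC = [GOOD, MALFORMED, GOOD]

if __name__ == "__main__":
    print("naive   :", serve(parse_request_naive, TRAFFIC))
    print("hardened:", serve(parse_request_hardened, TRAFFIC))
```

<p>Run as written, the naive loop answers the first client and then dies on the second, so the third client never gets a response; the hardened loop answers 200, 400, 200. That is the distinction several survey respondents drew between a crash triggered by a single crafted message (a bug, and in their view a vulnerability) and a flood of well-formed requests, which this parser does nothing about and which no amount of input validation will fix.</p>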
<p>I have theories and thoughts that I will expand on as well, as I explore this series (I believe I've just thought of a fourth post now)... but up next will be the survey results. I just wanted to be sure that everyone had an understanding of the difference between DoS and DDoS, and that it was understood, or at the very least understood that I feel, that a DoS is more than a simple packet flood.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.computerdefense.org/2009/02/denial-of-service-the-series-part-1-dos-vs-ddos/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>DamnVulnerableLinux 1.5</title>
		<link>http://www.computerdefense.org/2009/01/damnvulnerablelinux-15/</link>
		<comments>http://www.computerdefense.org/2009/01/damnvulnerablelinux-15/#comments</comments>
		<pubDate>Tue, 27 Jan 2009 17:50:57 +0000</pubDate>
		<dc:creator>Tyler Reguly</dc:creator>
				<category><![CDATA[IT]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[damn vulnerable linux]]></category>
		<category><![CDATA[damnvulnerablelinux]]></category>
		<category><![CDATA[dvl]]></category>

		<guid isPermaLink="false">http://www.computerdefense.org/?p=646</guid>
		<description><![CDATA[[Update: Due to Bandwidth concerns and the popularity of DVL, I've had to remove the public mirror. If you really require a direct download and can't get one... contact me and I'll share a private link. I just need to limit the number of downloads.] DVL 1.5 is out, and I have mirrored it again. [...]]]></description>
			<content:encoded><![CDATA[<p>[Update: Due to bandwidth concerns and the popularity of DVL, I've had to remove the public mirror. If you really require a direct download and can't get one... contact me and I'll share a private link. I just need to limit the number of downloads.]</p>
<p><a href="http://www.damnvulnerablelinux.org/index.php/eng/Damn%20Vulnerable%20Linux%20Distro/News/DVL%201.5%20finally%20available">DVL 1.5 is out</a>, and I have <a href="http://www.computerdefense.org/dvl/DVL_1.5_Infectious_Disease.iso">mirrored it</a> again.</p>
<p>There is also a call out for people to create training materials, so if you can, swing by the DVL forums and volunteer to make a video or two. However, I'm unsure of where to find the forums (there's no link on the main page and I'm not a user). Please share a link if you know how to get to them.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.computerdefense.org/2009/01/damnvulnerablelinux-15/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>SSLFail.com</title>
		<link>http://www.computerdefense.org/2009/01/sslfailcom/</link>
		<comments>http://www.computerdefense.org/2009/01/sslfailcom/#comments</comments>
		<pubDate>Tue, 13 Jan 2009 13:42:18 +0000</pubDate>
		<dc:creator>Tyler Reguly</dc:creator>
				<category><![CDATA[IT]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[ssl]]></category>
		<category><![CDATA[SSLFail]]></category>

		<guid isPermaLink="false">http://www.computerdefense.org/?p=635</guid>
		<description><![CDATA[I wanted to take a minute to mention a new project that Marcin and I have started that we're calling SSLFail.com. One of the primary purposes of the site is a gallery of images of sites with failed SSL due to invalid certs, bad domain names, etc. Browsers can add more and more protection against [...]]]></description>
			<content:encoded><![CDATA[<p>I wanted to take a minute to mention a new project that <a href="http://www.tssci-security.com/">Marcin</a> and I have started that we're calling <a href="http://www.sslfail.com/">SSLFail.com</a>. One of the primary purposes of the site is a gallery of images of sites with failed SSL due to invalid certs, bad domain names, etc. Browsers can add more and more protection against sites with poor SSL implementations, but until these big players on the web ensure they have valid SSL, users are going to continue to click through these error messages.</p>
<p>This isn't all the site will be though. Expect to see future discussions on our reasoning for the gallery, as well as tips and tricks and anything else.</p>
<p>We've already added two additional contributors: Jay Graver and <a href="http://rgaucher.info/b/">Romain Gaucher</a>.</p>
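<p>As an added example (not code from the original post or from the SSLFail.com project), here is a small Python checker for the two kinds of failure the post names: a certificate that does not match the domain it is served from, and one outside its validity period. It works on the dict shape that <code>ssl.SSLSocket.getpeercert()</code> returns, so the same function can be pointed at a live site. The sample certificates, hostnames, <code>NOW</code> and the function names are constructed for illustration, and the wildcard rule it applies (a single left-most <code>*</code> label with at least two labels after it) is the usual browser rule, not anything SSLFail.com specifies.</p>

```python
# Added example: not code from the original post or from SSLFail.com.
# Classifies why a certificate would fail browser validation for a hostname,
# using the dict shape that ssl.SSLSocket.getpeercert() returns, so the same
# logic can be pointed at a live peer. Sample certs, hostnames and NOW are
# constructed for illustration.
import ssl
import time
from typing import Optional


def hostname_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style DNS-ID match. A wildcard is accepted only as the whole
    left-most label and must be followed by at least two labels, so
    '*.example.com' matches 'www.example.com' but not 'example.com',
    'a.b.example.com' or 'www.example.net'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False  # partial, non-left-most or too-short wildcards are rejected
    return len(h_labels) == len(p_labels) and p_labels[1:] == h_labels[1:]


def cert_failure_reasons(cert: dict, hostname: str, now: Optional[float] = None) -> list:
    """Return the problems a browser would flag for `cert` when presented by
    `hostname`; [] means the name and validity window are fine. Trust-chain
    problems need the CA store and are left to check_live()."""
    now = time.time() if now is None else now
    reasons = []
    # Browsers match against subjectAltName DNS entries and fall back to the
    # subject commonName only when the certificate carries no DNS SAN at all.
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]
    if not any(hostname_matches(n, hostname) for n in names):
        reasons.append("hostname mismatch: %r is not covered by %r" % (hostname, names))
    # getpeercert() gives times as 'Mon DD HH:MM:SS YYYY GMT'; ssl parses them.
    if "notBefore" in cert and ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        reasons.append("not yet valid")
    if "notAfter" in cert and ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        reasons.append("expired")
    return reasons


def check_live(host: str, port: int = 443, timeout: float = 5.0) -> list:
    """Network variant: a real handshake against the system trust store, so
    chain problems (self-signed, unknown CA) surface as OpenSSL's message."""
    import socket
    context = ssl.create_default_context()  # verifies the chain and the hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with context.wrap_socket(sock, server_hostname=host) as tls:
                return cert_failure_reasons(tls.getpeercert(), host)
    except ssl.SSLCertVerificationError as exc:
        return [exc.verify_message]


# Constructed samples (not real certificates). NOW is pinned to the post's
# date so the validity checks are deterministic.
NOW = ssl.cert_time_to_seconds("Jan 13 13:42:18 2009 GMT")
SAMPLE_CERTS = {
    "san_ok": {
        "subject": ((("commonName", "www.example.com"),),),
        "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
        "notBefore": "Jan 01 00:00:00 2008 GMT",
        "notAfter": "Jan 01 00:00:00 2010 GMT",
    },
    "wildcard": {
        "subject": ((("commonName", "*.example.com"),),),
        "subjectAltName": (("DNS", "*.example.com"),),
        "notBefore": "Jan 01 00:00:00 2008 GMT",
        "notAfter": "Jan 01 00:00:00 2010 GMT",
    },
    "expired": {
        "subject": ((("commonName", "www.example.com"),),),
        "subjectAltName": (("DNS", "www.example.com"),),
        "notBefore": "Jan 01 00:00:00 2007 GMT",
        "notAfter": "Jan 01 00:00:00 2009 GMT",
    },
    "cn_only": {  # old-style certificate with no subjectAltName extension
        "subject": ((("countryName", "CA"),), (("commonName", "mail.example.com"),)),
        "notBefore": "Jan 01 00:00:00 2008 GMT",
        "notAfter": "Jan 01 00:00:00 2010 GMT",
    },
}

if __name__ == "__main__":
    for name, cert in SAMPLE_CERTS.items():
        for host in ("www.example.com", "example.com", "shop.example.net"):
            print(name, host, cert_failure_reasons(cert, host, NOW) or "ok")
```

<p>Run stand-alone it prints the verdict for each sample certificate and hostname pair; <code>check_live()</code> does a real handshake with the system trust store, so the chain-of-trust failures the offline check cannot see come back as OpenSSL's <code>verify_message</code>. The fallback to the commonName is there only for the CN-only certificates that were still common in 2009; Chrome, for one, has required a subjectAltName since 2017.</p>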
]]></content:encoded>
			<wfw:commentRss>http://www.computerdefense.org/2009/01/sslfailcom/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

