Disarming offense to facilitate defense

Computer security has traditionally focused on system de- fense, concentrating on protection and recovery of victim machines. Moving from the opposite perspective, we pro- pose a complementary approach that focuses on limiting the attacking capabilities of the hosts. Software design and implementation weaknesses usually are at the basis of com- puter offensive capacities. Since software redesign or patch- ing on an extensive basis is not possible, we propose the adoption of a filtering strategy to block abuse attempts at the originating machines. As an example, applications of such an approach axe presented at host level, in order to prevent root compromise attacks, and at network level, in order to prevent DoS attacks, among others. The proposed solution is not a silver bullet and could be bypassed by sophisticated users. However, we believe it can effectively restrain the offensive capabilities of hosts that could be easily seized by crackers. We discuss the pros and cons of the proposed solution and present an application to host and network security.