nanog mailing list archives
Re: Access to the Internic Blocked
From: "Daniel W. McRobb" <dwm () ans net>
Date: Sun, 25 Aug 1996 21:31:12 EDT
Curtis Villamizar <curtis () ans net> wrote:We have traced back such "clever" denial of service attacks before. Within the last 6 months even.Have you forgotten that we log and keep track of source/destination pairs.I sincerely wish you good luck doing that at OC-12. If you know a magic technology which can do that please let me know. Doing that at 10 kpps is not going to be a solution any time soon.
You're kidding, right? 10kpps has been doable (and done) for years. Did you forget a zero or two? The vBNS folks are about to release an OC-3 header sniffer that runs on a Pentium box. Rumor has it that it'll handle OC-12 as well. There's a presentation of it on the USENIX agenda.
I would also wish you luck with logging SA/DA pairs at places like .ICP.NET. where source/destination matrix is about 1-2 millon entries long.
1-2 million is not much. Even in the NSFNET days, I worked w/ 5-million-cell net matrices. All it takes is memory and some CPU.
It is really easy for us to spot in incoming path with a set of sources that were never coming from that direction and start working backwards.Yeah? Over six backbones?
To the edge of our backbone, absolutely. In someone else's backbone? Of course not.
Other respectable providers cooperate. Nearnet for example flew out a person and workstation to track an attack coming through them.Cool. Now, if such a bogon generator becomes someting easily accessible to every newbie (as it is bound to become, sooner or later), that certainly will help.We have Unix boxes deployed in every POP, even with our new backbone. These watch over the FDDI rings.That certainly helps to people who already have to use FDDI switches.
We're not sniffing a shared FDDI ring w/ these UNIX boxes. They get data from the routers. It doesn't matter what kind of media the packet traversed to hit the router (switched FDDI included). Daniel ~~~~~~ - - - - - - - - - - - - - - - - -
Current thread:
- Re: Access to the Internic Blocked, (continued)
- Re: Access to the Internic Blocked Vadim Antonov (Aug 22)
- Re: Access to the Internic Blocked Curtis Villamizar (Aug 22)
- Re: Access to the Internic Blocked Avi Freedman (Aug 23)
- Re: Access to the Internic Blocked Curtis Villamizar (Aug 23)
- Re: Access to the Internic Blocked Curtis Villamizar (Aug 22)
- Re: Access to the Internic Blocked Vadim Antonov (Aug 22)
- Re: Access to the Internic Blocked Vadim Antonov (Aug 22)
- Re: Access to the Internic Blocked Vadim Antonov (Aug 22)
- Re: Access to the Internic Blocked Michael Dillon (Aug 22)
- Re: Access to the Internic Blocked Curtis Villamizar (Aug 23)
- Re: Access to the Internic Blocked Vadim Antonov (Aug 23)
- Re: Access to the Internic Blocked Vadim Antonov (Aug 23)
- Re: Access to the Internic Blocked Daniel W. McRobb (Aug 25)
- Re: Access to the Internic Blocked Curtis Villamizar (Aug 26)
- Re: Access to the Internic Blocked Daniel W. McRobb (Aug 25)
- Re: Access to the Internic Blocked Mike Trest (Aug 23)
- Re: Access to the Internic Blocked Jim Hughes (Aug 28)
- Re: Access to the Internic Blocked Hank Nussbacher (Aug 24)
- Re: Access to the Internic Blocked Sean Doran (Aug 25)
- Re: Access to the Internic Blocked Vadim Antonov (Aug 25)
- Re: Access to the Internic Blocked Daniel W. McRobb (Aug 26)
- Re: Access to the Internic Blocked Vadim Antonov (Aug 26)
- Re: Access to the Internic Blocked Daniel W. McRobb (Aug 31)