nanog mailing list archives
Re: Ping flooding (fwd)
From: Curtis Villamizar <curtis () ans net>
Date: Tue, 09 Jul 1996 19:15:25 -0400
In message <199607091907.AA29463 () jotun EU net>, Per Gregers Bilse writes:
On Jul 9, 14:21, Curtis Villamizar <curtis () ans net> wrote:The NSS routers allow us to do statistical sampling continuously and the occurance of a source address at an entry point where it does not usually enter can be detected and has in the past been used to followup these sort of attacks after the fact. Other routers are not capable of doing this but if the offense is repeated, successive monitoring can be set up until the source is isolated. We have requested the same sort of statistical sampling from Cisco and Bay (and BNR/NSC). It is a long ways back on the development scheduleMaybe I'm missing something, but flow switching stats from Ciscos should do exactly this: SrcIf SrcIPaddress DstIf DstIPaddress Pr DstP SrcP Pkts B/Pk Active Se1/0 194.130.16.17 Se1/6 130.144.65.1 11 0035 0035 2 69 0.0 Et0/2 193.122.198.1 Se1/1 128.218.14.87 06 0050 0FA3 2 40 0.0 Se1/5 130.144.65.1 Se1/0 194.130.16.17 11 0035 0035 2 69 0.0 Se1/1 153.36.40.52 Et0/1 193.74.242.1 06 0413 0050 4 44 9.6 Se1/5 194.178.24.22 Se1/7 146.228.10.11 06 0407 0050 124 40 207.6 Se1/7 146.228.10.11 Se1/6 194.178.24.22 06 0050 0405 648 550 673.4 Se1/5 194.165.95.69 Se1/0 205.216.146.69 06 0430 0050 5 164 6.2 etc, etc. Dump, then grep. -- ------ ___ --- Per G. Bilse, Mgr Network Operations Ctr ----- / / / __ ___ _/_ ---- EUnet Communications Services B.V. ---- /--- / / / / /__/ / ----- Singel 540, 1017 AZ Amsterdam, NL --- /___ /__/ / / /__ / ------ tel: +31 20 6233803, fax: +31 20 6224657 --- ------- 24hr emergency number: +31 20 421 0865 --- Connecting Europe since 1982 --- http://www.EU.net e-mail: bilse () EU net
I have always been under the impression that Cisco flow switching and high performance were mutually exclusive if there were too many active flows as is the case for the major US ISPs at least. What the RS6000 does is the forwarding cards sample on in 50 packets, strip all but the headers, pack it into a buffer and send the buffers to the RS6000 processor for inclusion in histograms. We can come close to doing 1:1 sampling but not quite. The 1:50 has proven just fine for traffic management and also come in handy for tracking persistant source address spoofers back to the next provider. Another difference is with the flow switching, you need to catch them in the act. With the sampling and collection, you can call hours later (days or weeks actually, years if you count going to tape) and still determine the candidate entry points for the traffic. I don't think there is a practical way to get the same sort of historic archive from the flow switching stats. Curtis - - - - - - - - - - - - - - - - -
Current thread:
- Re: Ping flooding (fwd), (continued)
- Re: Ping flooding (fwd) Daniel W. McRobb (Jul 09)
- Re: Ping flooding (fwd) Per Gregers Bilse (Jul 09)
- Re: Ping flooding (fwd) Daniel W. McRobb (Jul 09)
- Re: Ping flooding (fwd) Per Gregers Bilse (Jul 09)
- Re: Ping flooding (fwd) Daniel W. McRobb (Jul 09)
- Re: Ping flooding (fwd) Per Gregers Bilse (Jul 10)
- Re: Ping flooding (fwd) John Hawkinson (Jul 10)
- Re: Ping flooding (fwd) Per Gregers Bilse (Jul 10)
- Re: Ping flooding (fwd) Daniel W. McRobb (Jul 09)
- Re: Ping flooding (fwd) Curtis Villamizar (Jul 09)
- Re: Ping flooding (fwd) Curtis Villamizar (Jul 09)
- Re: Ping flooding (fwd) Per Gregers Bilse (Jul 09)
- Re: Ping flooding (fwd) Dick St.Peters (Jul 09)
- Re: Ping flooding (fwd) Todd Graham Lewis (Jul 09)
- Re: Ping flooding (fwd) George Herbert (Jul 09)
- Re: Ping flooding (fwd) Forrest W. Christian (Jul 09)