On Sun, Jul 01, 2001 at 05:34:06PM -0400, Christopher L. Morrow wrote:
> A brief overview of the method would be: "Track the attack from the after effect of the attack, not the attack itself"
Hrm, interesting combination of two different techniques... Your border filter method is more commonly done with a community tag which triggers the route-map setting the next hop to a null-routed IP block. You can even allow your customers to null-route their own IP space within your network without them having to get in touch with your security people. The "backscatter" you are monitoring makes a nice hack for gathering information from many routers which don't support this kind of intelligent mass-management on their own. You could also set up a dedicated sniffing machine or machines and alter the next hop to route the original DoS their way, if you want to find out details of the attack.

It would also be interesting, especially on a UU scale, to do statistical sampling of backscatter generated by the victim instead of that generated by your routers. I'd also be interested in seeing someone set up a global realtime backscatter analysis just for a kind of "DoS weather report". Of course you should probably mention the only global analysis of spoofed attacks by the replies generated to their attacks I am aware of, at: http://www.caida.org/outreach/papers/backscatter/index.xml

If you provided a customer community tag so your clued victims could do it themselves, you could automatically monitor the ICMP Unreachables and already have a list of the ingress interfaces ready without any human interaction, kind of like the Call Trace functionality for phones which records the information for easy processing if charges are filed. If enough other networks did this you could probably stand a half-decent chance of catching an attack that is shorter than the "few hours" normally required to get interprovider cooperation. If you really wanted to get nuts, this could fairly easily be packaged up into a program which runs on a Unix machine and automatically cooperates with other providers running this service to trace spoofed attacks back to their source.
Of course this is all a nasty hack around the lack of a protocol for communicating traceback and source-filtering information directly between routers, but I suspect this method would be a lot easier to actually get written, deployed, and used because of layer 8.

-- 
Richard A Steenbergen <ras@e-gerbil.net>       http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)
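The "monitor the ICMP Unreachables and already have a list of the ingress interfaces" idea from the message above, worked through as an added example. This is not code from the original poster or from any provider's tooling. It assumes the mechanism the thread describes: a victim tags its prefix with the blackhole community, every edge router installs a route to a null-routed next hop, and each router that drops the attack traffic answers the (spoofed) sources with ICMP type 3 destination unreachables. The source address of those ICMPs is the dropping router, so a collector that samples them learns which edges the attack entered through. The collector export format, the sampling scheme, the victim list and every address below are assumptions constructed for this example.

```python
"""
Added illustration (not code from the original post): turn sampled
backscatter (ICMP destination unreachables emitted by blackholing routers)
into a per-victim table of ingress routers, busiest first.

Assumed collector export, one sampled ICMP unreachable per line:
    <router_loopback> <original_dst> <original_src> <icmp_code> <sample_rate>
where sample_rate N means "1 of every N unreachables was exported".
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed: prefixes customers have tagged with the blackhole community.
BLACKHOLED = [ip_network("198.51.100.7/32"), ip_network("203.0.113.0/24")]

# Constructed sample data, not a real capture. 10.0.0.x are edge-router
# loopbacks, 192.0.2.x are the (spoofed) attack sources, and the
# 198.51.100.99 line is backscatter for a prefix nobody blackholed (noise).
SAMPLE_LOG = """\
10.0.0.1 198.51.100.7 192.0.2.10 1 1000
10.0.0.1 198.51.100.7 192.0.2.11 1 1000
10.0.0.2 198.51.100.7 192.0.2.12 1 1000
10.0.0.3 198.51.100.99 192.0.2.13 1 1000
10.0.0.1 198.51.100.7 192.0.2.14 1 1000
this line is deliberately malformed
10.0.0.4 203.0.113.9 192.0.2.15 3 500
"""


def parse_record(line):
    """Parse one export line; return None for anything malformed so one
    bad line from a router cannot stop the whole analysis."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        router, dst, src = (ip_address(p) for p in parts[:3])
        code, rate = int(parts[3]), int(parts[4])
    except ValueError:
        return None
    if rate <= 0 or not 0 <= code <= 15:  # ICMP type 3 codes are 0..15
        return None
    return router, dst, src, code, rate


def victim_for(dst, victims):
    """Longest-prefix match of the original destination against the
    blackholed prefixes; None if we never blackholed it (ignore as noise)."""
    matches = [net for net in victims if dst in net]
    return max(matches, key=lambda n: n.prefixlen) if matches else None


def map_ingress(log_text, victims):
    """Return {victim_prefix: Counter{router: estimated_dropped_packets}}.
    Each sample is scaled by its sampling rate so routers exporting at
    different rates stay comparable."""
    table = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        router, dst, _src, _code, rate = rec
        victim = victim_for(dst, victims)
        if victim is None:
            continue
        table[victim][router] += rate
    return table


def rank_ingress(table, victim):
    """Routers that dropped traffic for `victim`, busiest first."""
    counts = table.get(ip_network(victim), Counter())
    return [(str(r), n) for r, n in counts.most_common()]


def victims_seen(table):
    """Blackholed prefixes for which any backscatter was observed."""
    return sorted(str(v) for v in table)


if __name__ == "__main__":
    ingress = map_ingress(SAMPLE_LOG, BLACKHOLED)
    for victim in victims_seen(ingress):
        print(victim)
        for router, est in rank_ingress(ingress, victim):
            print(f"  ingress {router}: ~{est} packets dropped")
```

Two caveats when reading the resulting table. A router configured not to send ICMP unreachables never appears in it, so an absent router means "unknown", not "no traffic", and ICMP unreachable rate-limiting on the routers makes the scaled counts a relative ranking rather than an absolute packet count. The ICMP source also identifies the dropping router, not the interface; resolving the actual ingress interface still needs that router's own counters or interface-level sampling.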