DANTE has also developed a tool, made of in-house scripts and a database and based on netflow exports, that detects more DoS attacks than manpower is available to treat. Still, it enables us to log, and treat, the major (long lasting, repeating, extremely distributed, powerful, you name it) ones.

However, we have discovered the following interesting paradox:

- the more transit traffic a network carries, the more likely it will also carry DoS attacks, the more DoS attacks will be noticed and the higher the costs associated with DDoS will be
- once an attack is detected on a transit network, getting the correct administration of the end sites to actually do something about it is the real problem, especially if those end sites are not direct peers (which, for some major transit networks, is always the case).

As usual, it is enough that one administration in the chain has not enough manpower / does not understand the problem or ways to fix it / thinks the problem is not worth fixing / has different priorities for DDoS compromised hosts to remain compromised for months.

It's good to see the awareness is being raised recently, though.

DH.

At 08:47 AM 1/29/01 -0500, Jeff Ogden wrote:
At 9:27 AM +0200 1/29/01, Hank Nussbacher wrote:
At 12:52 27/01/01 -0500, Jeff Ogden wrote:

--Look into the systems that are being developed and starting to become available that help automate the work to diagnose DDOS attacks. Encourage your up streams to do the same.

I know of just Asta Networks:

Asta Networks claims cure for denial-of-service attacks, Jan 17, 2001
http://www.nwfusion.com/news/2001/0117ddos.html

Firm eyes DOS attacks, Jan 22, 2001
http://www.nwfusion.com/archive/2001/115979_01-22-2001.html
Can you elaborate on others you may know?
-Hank
Yes, Asta is one.
There is a DARPA funded research project called Lighthouse at the University of Michigan that is working in this area. Merit has been involved mostly by giving them access to traffic on a real operational network. See:
http://www.darpa.mil/leaving.asp?url=http://www.eecs.umich.edu/lighthouse
I understand that there are other DARPA funded efforts working on different aspects of the DOS problem (automatic detection, trace back, counter measures).
Take a look at "Networking & Distributed Systems" under
http://www.darpa.mil/ito/ResearchAreas.html
In particular see:
http://www.darpa.mil/ito/psum2000/J032-0.html
http://www.darpa.mil/ito/psum2000/J910-0.html
http://www.darpa.mil/ito/psum2000/J028-0.html
--
David Harmelin, Network Engineer, DANCERT Representative
DANTE, Francis House, 112 Hills Road, Cambridge CB2 1PQ, United Kingdom
Tel +44 1223 302992  Fax +44 1223 303005  WWW http://www.dante.net
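The triage the first message describes (a netflow-based detector that finds more attacks than staff can handle, so only the long-lasting, distributed, high-volume ones get worked) can be sketched as follows. This is an added illustration, not DANTE's in-house tool; the flow records, thresholds and the per-destination scoring are constructed for the example.

```python
# Added example (not DANTE's in-house tool): aggregate constructed
# NetFlow-style records per destination and keep only the attacks that
# deserve scarce analyst time: distributed, sustained and high-volume.
from collections import defaultdict

# Constructed sample flows: (start_s, end_s, src_ip, dst_ip, bytes).
SAMPLE_FLOWS = [
    # Five sources hammering one host for 300 s: distributed and sustained.
    *[(0, 300, f"203.0.113.{i}", "192.0.2.10", 40_000_000) for i in range(1, 6)],
    # A busy but legitimate server: only two sources.
    (0, 300, "198.51.100.7", "192.0.2.20", 50_000_000),
    (0, 300, "198.51.100.8", "192.0.2.20", 10_000_000),
    # A 10-second burst from five sources: noisy, but too short to chase.
    *[(100, 110, f"203.0.113.{i}", "192.0.2.30", 5_000_000) for i in range(1, 6)],
]

def aggregate(flows):
    """Collapse flows into one summary per destination address."""
    per_dst = defaultdict(lambda: {"sources": set(), "first": None,
                                   "last": None, "bytes": 0})
    for start, end, src, dst, nbytes in flows:
        t = per_dst[dst]
        t["sources"].add(src)
        t["first"] = start if t["first"] is None else min(t["first"], start)
        t["last"] = end if t["last"] is None else max(t["last"], end)
        t["bytes"] += nbytes
    return per_dst

def rank_targets(flows, min_sources=3, min_duration=60, min_bytes_per_s=100_000):
    """Return suspected DoS targets, most intense first, that pass all three
    thresholds (distinct sources, seconds of activity, average bytes/s)."""
    ranked = []
    for dst, t in aggregate(flows).items():
        duration = max(t["last"] - t["first"], 1)  # avoid division by zero
        bytes_per_s = t["bytes"] // duration
        if (len(t["sources"]) >= min_sources and duration >= min_duration
                and bytes_per_s >= min_bytes_per_s):
            ranked.append({"dst": dst, "sources": len(t["sources"]),
                           "duration": duration, "bytes_per_s": bytes_per_s})
    return sorted(ranked, key=lambda r: r["bytes_per_s"], reverse=True)

if __name__ == "__main__":
    for r in rank_targets(SAMPLE_FLOWS):
        print(f'{r["dst"]}: {r["sources"]} sources, {r["duration"]} s, '
              f'{r["bytes_per_s"]} B/s')
```

Lowering the thresholds shows everything the aggregator sees, which is the "more than manpower can treat" list; the defaults keep only the one attack worth escalating to the end site's administration.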