Curtis Villamizar <curtis@ans.net> wrote:
We have traced back such "clever" denial of service attacks before. Within the last 6 months even.
Have you forgotten that we log and keep track of source/destination pairs.
I sincerely wish you good luck doing that at OC-12. If you know a magic technology which can do that please let me know. Doing that at 10 kpps is not going to be a solution any time soon.
You're kidding, right? 10kpps has been doable (and done) for years. Did you forget a zero or two? The vBNS folks are about to release an OC-3 header sniffer that runs on a Pentium box. Rumor has it that it'll handle OC-12 as well. There's a presentation of it on the USENIX agenda.
I would also wish you luck with logging SA/DA pairs at places like .ICP.NET. where source/destination matrix is about 1-2 million entries long.
1-2 million is not much. Even in the NSFNET days, I worked w/ 5-million-cell net matrices. All it takes is memory and some CPU.
It is really easy for us to spot an incoming path with a set of sources that were never coming from that direction and start working backwards.
Yeah? Over six backbones?
To the edge of our backbone, absolutely. In someone else's backbone? Of course not.
Other respectable providers cooperate. Nearnet for example flew out a person and workstation to track an attack coming through them.
Cool. Now, if such a bogon generator becomes something easily accessible to every newbie (as it is bound to become, sooner or later), that certainly will help.
We have Unix boxes deployed in every POP, even with our new backbone. These watch over the FDDI rings.
That certainly helps people who already have to use FDDI switches.
We're not sniffing a shared FDDI ring w/ these UNIX boxes. They get data from the routers. It doesn't matter what kind of media the packet traversed to hit the router (switched FDDI included).

Daniel
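As an added illustration (not code from anyone in this thread) of the two ideas argued above, the source/destination pair matrix and spotting an ingress path carrying sources that never arrived that way before: flow records, interface names and addresses below are constructed, and sources are aggregated to /24 so the matrix stays bounded.

```python
# Added example: model of router-fed SA/DA logging plus an ingress-baseline check.
# All records, interface names and addresses are constructed sample data.
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed "known good" history: (ingress_interface, src, dst, packets)
BASELINE = [
    ("pop1-fddi0", "192.0.2.10", "203.0.113.5", 120),
    ("pop1-fddi0", "192.0.2.77", "203.0.113.5", 40),
    ("pop2-fddi0", "198.51.100.3", "203.0.113.9", 300),
]
# Constructed new records; 192.0.2.0/24 has never entered via pop2 before.
NEW = [
    ("pop1-fddi0", "192.0.2.10", "203.0.113.5", 100),
    ("pop2-fddi0", "192.0.2.200", "203.0.113.5", 5000),
    ("pop2-fddi0", "192.0.2.201", "203.0.113.5", 5000),
    ("pop2-fddi0", "198.51.100.3", "203.0.113.9", 250),
]

def prefix_of(addr, plen=24):
    """Aggregate a source address to its /24 so the SA/DA matrix stays bounded."""
    return ip_network(f"{addr}/{plen}", strict=False)

def learn_ingress(records):
    """Map each ingress interface to the set of source /24s seen arriving on it."""
    seen = defaultdict(set)
    for iface, src, _dst, _pkts in records:
        seen[iface].add(prefix_of(src))
    return seen

def sa_da_matrix(records):
    """Source/destination pair matrix: (src_prefix, dst) -> packet count."""
    matrix = Counter()
    for _iface, src, dst, pkts in records:
        matrix[(prefix_of(src), ip_address(dst))] += pkts
    return matrix

def unexpected_ingress(records, baseline):
    """Packets per ingress interface from source prefixes never seen on that
    interface; the interface with the highest count is where to work backwards."""
    flagged = Counter()
    for iface, src, _dst, pkts in records:
        if prefix_of(src) not in baseline.get(iface, set()):
            flagged[iface] += pkts
    return flagged
```

With the constructed data, `unexpected_ingress(NEW, learn_ingress(BASELINE))` points at pop2-fddi0 as the path to trace back, while the matrix shows the /24 and destination involved.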