On Thu, 10 Feb 2000, NANOG Mailing List wrote:
WEB wrote: packet trace on routers passing gigabits of traffic every second without killing the router/network and actually get useful information out of it?
You bridge another device in line and have THAT device collect your data. Not as trivial for OCx connected routers but still possible.
John Fraizer
Any monetary considerations applied to this or not? OC-192c line cards cost money. The trivial answer is that DDoS attacks cost money as well, but there is a cost/benefit analysis to be done here. Would that money be better spent elsewhere?
At OC-192c for typical streams and a large-sized network, the data collection alone becomes a nearly insurmountable issue. Think 48 or more 192c's in a hub, think 100 hubs. Assuming you can throw out the non-customer links, you're still around 2400 or so bridged OC-192c's, with data polling/netflow type stats. Not a pretty picture.
Of course, given that we can get netflow type packet histories, plotting the src/dest pairs for a while and then if there is a _large_ change (some n std dev) from the norm for some particular dst (nominally the one under attack), and then raising an alarm on that router/pipe, would make it trivial to trace these types of attacks. With history storage, it would make it easier to trace back after the fact. The problem is, the amount of data storage.
I think it was Dr. Li who said "you can move the bits or you can count the bits".
/vijay
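
The per-destination baseline with an n-standard-deviation alarm described in the message above, sketched as an added example that is not part of the original thread. The class name, window sizes, sigma floor and the `(src, dst, bytes)` flow tuples are assumptions, and the sample flows are constructed using documentation address ranges.

```python
from collections import defaultdict, deque
from statistics import mean, pstdev

class DstBaseline:
    """Hypothetical per-destination byte history with an n-sigma alarm."""
    def __init__(self, n_sigma=3.0, window=12, min_history=6):
        self.n_sigma = n_sigma
        self.min_history = min_history
        # Bounded history per dst: this is the storage cost the thread worries about.
        self.history = defaultdict(lambda: deque(maxlen=window))

    def observe(self, interval_flows):
        """Take one polling interval of (src, dst, bytes) records.
        Returns {dst: (bytes_now, mean, stddev, top_sources)} for alarmed dsts."""
        per_dst, per_pair = defaultdict(int), defaultdict(int)
        for src, dst, nbytes in interval_flows:
            per_dst[dst] += nbytes
            per_pair[(src, dst)] += nbytes
        alarms = {}
        for dst, total in per_dst.items():
            past = self.history[dst]
            if len(past) >= self.min_history:
                mu = mean(past)
                # Floor sigma so a nearly flat history does not alarm on noise.
                sigma = max(pstdev(past), 0.05 * mu, 1.0)
                if total > mu + self.n_sigma * sigma:
                    pairs = [(b, s) for (s, d), b in per_pair.items() if d == dst]
                    top = [s for _, s in sorted(pairs, reverse=True)[:3]]
                    alarms[dst] = (total, mu, sigma, top)
                    continue  # keep the anomalous interval out of the baseline
            past.append(total)
        return alarms

def demo():
    """Constructed data: eight normal intervals, then a flood toward 192.0.2.10."""
    det, seen = DstBaseline(), []
    for i in range(8):
        seen.append(det.observe([
            ("198.51.100.1", "192.0.2.10", 900 + 20 * (i % 3)),
            ("198.51.100.2", "192.0.2.10", 100),
            ("198.51.100.3", "192.0.2.20", 500 + 10 * (i % 2)),
        ]))
    flood = [(f"203.0.113.{k}", "192.0.2.10", 4000) for k in range(1, 21)]
    flood.append(("198.51.100.3", "192.0.2.20", 505))
    seen.append(det.observe(flood))
    return seen

if __name__ == "__main__":
    print(demo()[-1])
```

The top-source list is only as trustworthy as the source addresses in the flow records; the ingress router/pipe that exported the alarmed flows is the more useful trace-back key.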