Lots of NSPs and ISPs are tracking customer utilization of links, either by MRTG or RRD ... and many of them bill by utilization using these or other SNMP-based tools. It should be trivial, during a DDoS attack of the scale that took down Yahoo, to find participating sites. A jump from normal utilization to 100% link utilization should be easily noticeable if it lasts more than 15 minutes (3 polling intervals, if you are doing it at 5 minutes).

It seems to me that a customer would be more than willing to have a rate-limit or filter installed on their routers during this kind of event, especially if it helps them track down the compromised machine. Host-by-host prevention, during an attack, should be very easy ... assuming a minimal amount of cooperation between upstream provider and compromised network, if link utilization is tracked and the spike is noticeable.

Perhaps we should be notifying operations staff to be on the lookout for suddenly saturated circuits, and to be prepared to help out owners of compromised hosts with filter configuration?

Just a thought.

--------------------------------------------
Travis Pugh
Sr. Network Engineer
tpugh@shore.net
Shore.net
--------------------------------------------

On Wed, 9 Feb 2000 lucifer@lightbearer.com wrote:
One hard, solid data point:
I was talking to a friend who is a part-time SA on a box colocated at his place of business (behind a 2xT1) which he found out was participating in the attack.
He found this out when the links suddenly spiked through the roof and his ethernet switch lit up with a nice, solid traffic light. The only reason he spotted it? He was at work at the time. Had it occurred at night, it's quite probable that nobody would have noticed, given how rarely they check the traffic stats (since it doesn't really matter to them until the traffic is pushing their ability to carry it).
***************************************************************************
Joel Baker
System Administrator - lightbearer.com
lucifer@lightbearer.com
http://www.lightbearer.com/~lucifer
KF6WAY (Tech) - 146.475 MHz (FM/Phone)
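The heuristic in Travis's message (flag a circuit when its 5-minute SNMP polls show the link pinned at 100% for 3 or more consecutive intervals), worked through as an added example. This is not code from either poster or from MRTG/RRDtool; it assumes a T1 (1.544 Mbit/s), a 5-minute polling interval, and that the poller stores the raw 32-bit ifOutOctets Counter32 value, so the utilization calculation has to handle counter rollover the way MRTG does. The counter values below are constructed, not captured.

```python
"""Detect circuits saturated for N consecutive SNMP polling intervals.

Added example for this thread (not MRTG, RRDtool or either poster's code).
Assumptions: T1 speed, 5-minute polls, raw 32-bit ifOutOctets counters.
All sample data is constructed.
"""
from dataclasses import dataclass
from typing import List, Tuple

COUNTER32_WRAP = 2 ** 32     # ifOutOctets is a Counter32 on this gear (assumed)
T1_BPS = 1_544_000           # assumed link speed
POLL_SECONDS = 300           # assumed 5-minute polling interval


@dataclass(frozen=True)
class Poll:
    ts: int              # poll time in seconds
    if_out_octets: int   # raw Counter32 value as returned by SNMP


def utilization_pct(prev: Poll, cur: Poll, speed_bps: int) -> float:
    """Percent outbound utilization between two polls, wrap-safe."""
    delta = cur.if_out_octets - prev.if_out_octets
    if delta < 0:                      # Counter32 rolled over between polls
        delta += COUNTER32_WRAP
    seconds = cur.ts - prev.ts
    if seconds <= 0:
        raise ValueError("polls must be strictly increasing in time")
    return delta * 8 * 100 / (seconds * speed_bps)


def sustained_saturation(polls: List[Poll], speed_bps: int,
                         threshold_pct: float = 95.0,
                         min_intervals: int = 3) -> List[Tuple[int, int, int]]:
    """Return (start_ts, end_ts, n_intervals) for each run of at least
    min_intervals consecutive polls at or above threshold_pct.

    A short burst (fewer than min_intervals polls) is deliberately not
    reported; that is the '15 minutes at 5-minute polls' rule from the post."""
    runs: List[Tuple[int, int, int]] = []
    run_start = 0
    run_len = 0
    for i in range(1, len(polls)):
        if utilization_pct(polls[i - 1], polls[i], speed_bps) >= threshold_pct:
            if run_len == 0:
                run_start = polls[i - 1].ts
            run_len += 1
        else:
            if run_len >= min_intervals:
                runs.append((run_start, polls[i - 1].ts, run_len))
            run_len = 0
    if run_len >= min_intervals:                 # run still open at last poll
        runs.append((run_start, polls[-1].ts, run_len))
    return runs


def make_polls(per_interval_pct: List[int], speed_bps: int, poll_seconds: int,
               start_ts: int = 0, start_counter: int = 0) -> List[Poll]:
    """Constructed sample data: synthesize raw Counter32 values from a list
    of per-interval utilization percentages, wrapping at 2^32 like the real
    counter would. pct% of the link for one interval, in octets, is
    pct * speed * seconds / 800."""
    polls = [Poll(start_ts, start_counter)]
    counter, ts = start_counter, start_ts
    for pct in per_interval_pct:
        counter = (counter + pct * speed_bps * poll_seconds // 800) % COUNTER32_WRAP
        ts += poll_seconds
        polls.append(Poll(ts, counter))
    return polls


# Constructed scenario: normal traffic, a 20-minute flood that also takes the
# counter through a 32-bit rollover, a lull, then a 10-minute burst too short
# to qualify under the 3-interval rule.
SAMPLE_PCT = [10, 12, 11, 100, 100, 100, 100, 15, 100, 100, 12]
SAMPLE_POLLS = make_polls(SAMPLE_PCT, T1_BPS, POLL_SECONDS,
                          start_counter=COUNTER32_WRAP - 100_000_000)

if __name__ == "__main__":
    for prev, cur in zip(SAMPLE_POLLS, SAMPLE_POLLS[1:]):
        print(f"t={cur.ts:5d}s  raw={cur.if_out_octets:10d}  "
              f"util={utilization_pct(prev, cur, T1_BPS):6.1f}%")
    for start, end, n in sustained_saturation(SAMPLE_POLLS, T1_BPS):
        print(f"ALERT: saturated from t={start}s to t={end}s ({n} intervals)")
```

The threshold is 95% rather than exactly 100% because a 5-minute average over a saturated T1 rarely comes out to a round 100.0 once interface overhead and poll jitter are in the mix; a site that bills on 95th percentile already has this figure to hand. The 10-minute burst at the end is intentionally ignored, which is the trade-off Travis's 15-minute rule makes: fewer false alarms from short legitimate bursts, at the cost of a 15-minute detection delay.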