Anyone find it interesting that all the big name sites are getting hit except AOL? Makes you wonder....

Jim Williams
Ntrnet Systems, Inc.
President/CEO
Research Triangle Park, NC
jaw12@ntrnet.net
(919)484-0504 fax(919)484-0782

On Thu, 10 Feb 2000, Christopher B. Zydel wrote:
On Wed, Feb 09, 2000 at 03:51:45PM -0500, Travis Pugh wrote:
Host-by-host prevention, during an attack, should be very easy ... assuming a minimal amount of cooperation between upstream provider and compromised network, if link utilization is tracked and the spike is noticeable. Perhaps we should be notifying operations staff to be on the lookout for suddenly saturated circuits, and to be prepared to help out owners of compromised hosts with filter configuration?
This sort of alarming is fairly trivial. Just about any network management system can be configured to poll interface counters on a regular basis and alarm when some threshold is reached. The difficult question to answer is "How long should the link be saturated before sending an alarm?" With high speed links this is a lot easier. It's relatively easy to saturate a T1 with a file transfer; however, the same would not be true for an OC-3c. This type of alarming should be based upon deviation from the established mean as well. (For example, if a circuit sees around 50 Mbit/sec worth of usage on a regular basis, and then spikes to 130 Mbit/sec and stays there, something is clearly wrong.)
/cbz
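The two alarm tests Christopher describes above (an absolute utilisation threshold that must hold for some number of consecutive polls, and a deviation from the established mean), as an added example that is not code from the thread or from any particular NMS. The counter readings, the 60-second poll interval, the 155.52 Mbit/s OC-3c capacity, the baseline rates and the 4-sigma / 90% / 3-poll settings are all constructed assumptions; the wrap handling mimics what a 32-bit SNMP ifInOctets counter does on a busy link.

```python
"""Threshold and deviation-from-mean alarming on polled interface counters.

Added example, not code from the original mailing-list thread. All input data
below is constructed: octet-counter readings as a 32-bit ifInOctets-style
counter would return them, polled every 60 s on a hypothetical OC-3c link.
"""
from statistics import mean, pstdev

COUNTER32_MAX = 2 ** 32          # ifInOctets is a Counter32 and wraps here
POLL_INTERVAL_S = 60             # assumed polling period
OC3C_BPS = 155_520_000           # assumed link capacity (OC-3c)

# Constructed readings: the link carries ~50 Mbit/s for six polls, then jumps
# to ~130 Mbit/s for four polls, then drops back. Two 32-bit wraps are embedded.
COUNTER_READINGS = [
    4_000_000_000, 65_032_704, 455_032_704, 830_032_704, 1_197_532_704,
    1_580_032_704, 1_955_032_704, 2_930_032_704, 3_920_032_704,
    607_565_408, 1_575_065_408, 1_950_065_408,
]

# Constructed "established mean": rates (bit/s) observed over a quiet period.
BASELINE_BPS = [48e6, 52e6, 50e6, 49e6, 51e6, 50e6, 47e6, 53e6]


def rates_from_counters(readings, poll_interval_s):
    """Turn consecutive octet-counter readings into bit/s rates.

    Handles one 32-bit wrap per interval. If the counter can wrap more than
    once between polls the rate is silently wrong; poll faster or read the
    64-bit ifHCInOctets instead.
    """
    rates = []
    for prev, cur in zip(readings, readings[1:]):
        delta = cur - prev
        if delta < 0:                      # counter wrapped since last poll
            delta += COUNTER32_MAX
        rates.append(delta * 8 / poll_interval_s)
    return rates


def alarm_points(rates, capacity_bps, baseline_rates, sustain=3,
                 util_threshold=0.9, sigma=4.0):
    """Return [(index, reason)] for each point at which an alarm should fire.

    reason is "saturated" when the rate exceeds util_threshold of capacity,
    otherwise "deviation" when it exceeds the baseline mean by more than
    `sigma` standard deviations. Either condition must hold for `sustain`
    consecutive polls before an alarm fires, which answers the "how long
    must it be saturated" question with an explicit knob and keeps a single
    large file transfer from paging anyone.
    """
    base_mean = mean(baseline_rates)
    base_sd = pstdev(baseline_rates)
    alarms = []
    run = 0
    for i, rate in enumerate(rates):
        saturated = rate > util_threshold * capacity_bps
        anomalous = rate > base_mean + sigma * base_sd
        run = run + 1 if (saturated or anomalous) else 0
        if run == sustain:                 # fire once per sustained episode
            alarms.append((i, "saturated" if saturated else "deviation"))
    return alarms


def run_example():
    """Evaluate the constructed OC-3c scenario and return the alarms."""
    rates = rates_from_counters(COUNTER_READINGS, POLL_INTERVAL_S)
    return alarm_points(rates, OC3C_BPS, BASELINE_BPS)


if __name__ == "__main__":
    for idx, reason in run_example():
        print(f"poll {idx}: alarm ({reason})")
```

On the constructed data the 130 Mbit/s plateau never crosses 90% of an OC-3c, so the absolute test stays quiet and it is the deviation-from-mean test that fires after the third consecutive elevated poll. Running the same function with a T1's 1.544 Mbit/s capacity and a baseline already near line rate produces the opposite result: the absolute threshold trips on ordinary traffic while the deviation test does not, which is the T1-versus-OC-3c point made above.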