(not sure if this has been posted yet, sorry if so) new relevant paper worth checking out by stefan savage et al (david, ann, tom, all UW) disclaimer, these folks just at the "explore the problem" stage and not the "propose a complete implementation now" stage. but exploring the problem is good From Stefan: On Thu, Feb 10, 2000 at 05:14:56PM -0800, Stefan Savage wrote: Hi KC, We've been doing some work on efficient network support for tracing denial-of-service attacks and all of a sudden the topic has some relevance (a strange experience as a researcher ;-). Anyway, this seemed like a good time to introduce our work and try to get some feedback on it. We've put a copy of our paper at: http://www.cs.washington.edu/homes/savage/traceback.html If you have a moment, we'd definitely appreciate any comments you might have. We're also especially interested in getting feedback from the ISP operations community and from equipment vendors, so please feel free to forward this to anyone you think might be interested. Thanks! - Stefan <savage@cs.washington.edu>, coauthor david wetherall <djw@cs.washington.edu> (and anna and tom) speaking of non-panaceas, brett mentioned caida passive monitoring for security. lemme clarify, coralreef has some bits that can detect port-scanning and then auto-trigger full framed collection on specific filter http://www.caida.org/Tools/CoralReef/ but it's quite different animal from traceback eg., what rstone's centertrack trying to do http://www.nanog.org/mtg-9910/robert.html (not sure where that stands wrt deployment) or what ddrew's cisco-based DOStracker did for what's.now.cw.net brettw also said if we installed passive monitors on IX links between providers, we might be able to do some interesting security traces. reckon you[pl.]'d have to install a lot of them and some facility for correlating among them (and at least coral doesn't have any of that yet, nor any kind of auto-paging when something looks suspicious) again, nothing money & hardware & code & a NOC contact list can't heavily dent in a year or 2 if folks wanted it badly enough. and with other positive benefits to boot. (in case folks think the malice of undersocial teenagers is the biggest threat we face...)