On Jul 9, 14:21, Curtis Villamizar <curtis@ans.net> wrote:
The NSS routers allow us to do statistical sampling continuously and the occurance of a source address at an entry point where it does not usually enter can be detected and has in the past been used to followup these sort of attacks after the fact. Other routers are not capable of doing this but if the offense is repeated, successive monitoring can be set up until the source is isolated.
We have requested the same sort of statistical sampling from Cisco and Bay (and BNR/NSC). It is a long ways back on the development schedule
Maybe I'm missing something, but flow switching stats from Ciscos should do exactly this: SrcIf SrcIPaddress DstIf DstIPaddress Pr DstP SrcP Pkts B/Pk Active Se1/0 194.130.16.17 Se1/6 130.144.65.1 11 0035 0035 2 69 0.0 Et0/2 193.122.198.1 Se1/1 128.218.14.87 06 0050 0FA3 2 40 0.0 Se1/5 130.144.65.1 Se1/0 194.130.16.17 11 0035 0035 2 69 0.0 Se1/1 153.36.40.52 Et0/1 193.74.242.1 06 0413 0050 4 44 9.6 Se1/5 194.178.24.22 Se1/7 146.228.10.11 06 0407 0050 124 40 207.6 Se1/7 146.228.10.11 Se1/6 194.178.24.22 06 0050 0405 648 550 673.4 Se1/5 194.165.95.69 Se1/0 205.216.146.69 06 0430 0050 5 164 6.2 etc, etc. Dump, then grep. -- ------ ___ --- Per G. Bilse, Mgr Network Operations Ctr ----- / / / __ ___ _/_ ---- EUnet Communications Services B.V. ---- /--- / / / / /__/ / ----- Singel 540, 1017 AZ Amsterdam, NL --- /___ /__/ / / /__ / ------ tel: +31 20 6233803, fax: +31 20 6224657 --- ------- 24hr emergency number: +31 20 421 0865 --- Connecting Europe since 1982 --- http://www.EU.net e-mail: bilse@EU.net