Re: Fair Queuing combats DDoS? [was Re: Yahoo! Lessons Learned ]
On Thu, 10 February 2000, Alex Bligh wrote:
In the words of Mr Bush, I want something for clueful people to be able to type after "conf t". Asking people who probably aren't on this mailing list and almost certainly don't understand the problem to fix *their* network does not cut the mustard.
We need the ability to ask the routers to reverse traceroute a flow. This doesn't have anything to do with the way in which the traceroute utility uses UDP and ICMP packets to trace a route. Instead, it requires router vendors to add the ability to do one of these two things. Either identify the ingress interface of packets with a specific source IP address or identify the ingress interfaces and short term packet counts given a specific destination IP address. In this case, short term refers to a few seconds.

If this capability is made available remotely in the same way that ICMP echo is available to anyone, then we can build tools which will track a packet stream back to the true source. In the case of using the destination address, this tool will need some heuristics to deal with multiple possible upstreams which could be caused by a DDoS or simply by making a bad guess about which traffic stream is the DoS stream. And in some circumstances it just won't be able to track it to the source.

But, if we had a tool to track back DoS streams to an ingress router on the edge of a backbone operator's network, then we have some hard data to use to get the flow blocked. I know that right now, calling another operator's NOC to ask them to cooperate in damping an attack is not always effective. But the hard data is the first step.

---
Michael Dillon
Phone: +44 (20) 7769 8489
Mobile: +44 (79) 7099 2658
Director of Product Engineering, GTS IP Services
151 Shaftesbury Ave. London WC2H 8AL UK
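The hop-by-hop traceback the post describes, as an added example that is not part of the original message or of any vendor's implementation. It models a small constructed network in which each router exposes the two queries the post asks vendors for (ingress interface for a given source address, and ingress interfaces with short-term packet counts for a given destination address), then walks upstream from the router nearest the victim toward the edge ports where the stream enters. The `threshold` heuristic is an assumption standing in for the "some heuristics" the post mentions: an interface is followed only if it carries a meaningful share of the traffic toward the victim, which lets a DDoS fan out to several ingress points while ignoring low-volume legitimate flows. Router names, interface names, addresses and packet counts are all constructed.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Router:
    """A router exposing the short-term per-interface counters the post asks for.

    `upstream` maps an ingress interface to the neighbouring router on the far
    side, or None for a customer/edge port where traffic enters the network.
    `counts` holds packets seen in the last few seconds, keyed by
    (interface, src_ip, dst_ip); this is a stand-in for a vendor counter.
    """
    name: str
    upstream: Dict[str, Optional[str]]
    counts: Counter = field(default_factory=Counter)

    def ingress_by_dest(self, dst: str) -> Counter:
        """Query 2 from the post: ingress interfaces and packet counts for a destination."""
        per_iface: Counter = Counter()
        for (iface, _src, d), n in self.counts.items():
            if d == dst:
                per_iface[iface] += n
        return per_iface

    def ingress_by_source(self, src: str) -> Set[str]:
        """Query 1 from the post: interfaces on which packets claiming source `src` arrive."""
        return {iface for (iface, s, _dst) in self.counts if s == src}


def record(net: Dict[str, Router], path: List[Tuple[str, str]], src: str, dst: str, n: int) -> None:
    """Register a flow of n packets on every (router, interface) it crosses."""
    for router, iface in path:
        net[router].counts[(iface, src, dst)] += n


def trace_back(net: Dict[str, Router], start: str, dst: str, threshold: float = 0.2) -> List[Tuple[str, str]]:
    """Walk upstream from `start` following interfaces that carry traffic to `dst`.

    At each router an interface is followed only if it carries at least
    `threshold` of that router's total toward dst (assumed heuristic). Branching
    is allowed, so a DDoS arriving via several upstreams yields several ingress
    points. Returns the (router, interface) edge ports where the stream enters.
    """
    results: List[Tuple[str, str]] = []
    stack, seen = [start], set()
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        per_iface = net[name].ingress_by_dest(dst)
        total = sum(per_iface.values())
        if total == 0:
            continue  # this router sees nothing for the victim: dead end
        for iface, n in per_iface.items():
            if n / total < threshold:
                continue  # low share: treated as background traffic, not the DoS stream
            nxt = net[name].upstream[iface]
            if nxt is None:
                results.append((name, iface))  # customer-facing port: stream enters here
            else:
                stack.append(nxt)
    return sorted(results)


def build_sample_network() -> Tuple[Dict[str, Router], str]:
    """Constructed topology: victim behind core1, two aggregation tiers, edge routers."""
    net = {
        "core1": Router("core1", {"ge0": "agg1", "ge1": "agg2"}),
        "agg1": Router("agg1", {"ge0": "edge1", "ge1": None}),
        "agg2": Router("agg2", {"ge0": "edge2"}),
        "edge1": Router("edge1", {"ge0": None}),
        "edge2": Router("edge2", {"ge0": None, "ge1": None}),
    }
    victim = "192.0.2.10"
    # Two attack streams with the same spoofed source, entering at different edge ports.
    record(net, [("edge1", "ge0"), ("agg1", "ge0"), ("core1", "ge0")], "203.0.113.5", victim, 5000)
    record(net, [("edge2", "ge1"), ("agg2", "ge0"), ("core1", "ge1")], "203.0.113.5", victim, 4000)
    # A small legitimate flow from a customer attached directly to agg1.
    record(net, [("agg1", "ge1"), ("core1", "ge0")], "198.51.100.7", victim, 100)
    return net, victim


if __name__ == "__main__":
    net, victim = build_sample_network()
    print("ingress points:", trace_back(net, "core1", victim))
    print("agg1 sees 203.0.113.5 on:", net["agg1"].ingress_by_source("203.0.113.5"))
```

Run from the core router nearest the victim, the trace follows both high-volume branches and ends at `edge1 ge0` and `edge2 ge1`, which is the "hard data" the post wants before calling another operator's NOC. Lowering `threshold` far enough makes the tool also follow the 100-packet legitimate flow into `agg1 ge1`, which is the "bad guess" failure mode the post warns about; the source-address query is spoof-tolerant in the sense that it reports where packets *claiming* a source arrived, not where that source really is.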