North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Access to the Internic Blocked

  • From: Daniel W. McRobb
  • Date: Sun Aug 25 21:41:08 1996
  • Company: ANS
  • Location: ANS Network Services, Ann Arbor, MI
  • Position: Staff Engineer

> Curtis Villamizar <[email protected]> wrote:
> >We have traced back such "clever" denial of service attacks before.
> >Within the last 6 months even.
> >Have you forgotten that we log and keep track of source/destination
> >pairs.
> I sincerely wish you good luck doing that at OC-12.   If you know
> a magic technology which can do that please let me know.
> Doing that at 10 kpps is not going to be a solution any time soon.

You're kidding, right?  10kpps has been doable (and done) for years.
Did you forget a zero or two?

The vBNS folks are about to release an OC-3 header sniffer that runs on
a Pentium box.  Rumor has it that it'll handle OC-12 as well.  There's a
presentation of it on the USENIX agenda.

> I would also wish you luck with logging SA/DA pairs at places like
> .ICP.NET. where source/destination matrix is about 1-2 millon
> entries long.

1-2 million is not much.  Even in the NSFNET days, I worked w/
5-million-cell net matrices.  All it takes is memory and some CPU.

> >It is really easy for us to spot in incoming path with a set
> >of sources that were never coming from that direction and start
> >working backwards.
> Yeah?  Over six backbones?

To the edge of our backbone, absolutely.  In someone else's backbone?
Of course not.

> >Other respectable providers cooperate.  Nearnet
> >for example flew out a person and workstation to track an attack
> >coming through them.
> Cool.  Now, if such a bogon generator becomes someting easily
> accessible to every newbie (as it is bound to become, sooner or
> later), that certainly will help.
> >We have Unix boxes deployed in every POP, even
> >with our new backbone.  These watch over the FDDI rings.
> That certainly helps to people who already have to use FDDI switches.

We're not sniffing a shared FDDI ring w/ these UNIX boxes.  They get
data from the routers.  It doesn't matter what kind of media the packet
traversed to hit the router (switched FDDI included).

- - - - - - - - - - - - - - - - -