North American Network Operators Group


Re: Yahoo offline because of attack (was: Yahoo network outage)

  • From: Christopher B. Zydel
  • Date: Wed Feb 09 23:59:44 2000

On Wed, Feb 09, 2000 at 03:51:45PM -0500, Travis Pugh wrote:
> Host-by-host prevention, during an attack, should be very easy
> ... assuming a minimal amount of cooperation between upstream provider and
> compromised network, if link utilization is tracked and the spike is
> noticeable.  Perhaps we should be notifying operations staff to be on the
> lookout for suddenly saturated circuits, and to be prepared to help out
> owners of compromised hosts with filter configuration?

This sort of alarming is fairly trivial.  Just about any network management
system can be configured to poll interface counters on a regular basis and
alarm when some threshold is reached.  The difficult question to answer is
"How long should the link be saturated before sending an alarm?"  With high
speed links this is a lot easier.  It's relatively easy to saturate a T1
with a file transfer; however, the same would not be true for an OC-3c.
This type of alarming should be based upon deviation from the established
mean as well.  (For example, if a circuit sees around 50mbit/sec worth of
usage on a regular basis, and then spikes to 130mbit/sec and stays there,
something is clearly wrong.)

/cbz
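The counter-polling alarm sketched in the reply above, written out as an added example; this is not code from the original post or from NANOG. It assumes an OC-3c link polled every 60 seconds, a 32-bit octet counter of the ifInOctets kind (so the poller must handle wrap), a fixed-utilisation threshold, and a deviation-from-baseline threshold; the per-poll rates it is fed are constructed to reproduce the post's "50 Mbit/sec that jumps to 130 Mbit/sec and stays there" scenario, plus one short blip that should not alarm.

```python
from collections import deque
from statistics import mean, pstdev
from typing import Deque, Dict, List, Optional


class LinkSaturationAlarm:
    """Poll-driven alarm for one interface, along the lines of the post above.

    Feed it successive readings of an SNMP octet counter.  It derives the bit
    rate since the previous poll and raises an alarm when that rate either
    crosses a fixed fraction of link speed or sits well above the link's own
    recent mean, and only once that has held for `sustain_polls` polls in a
    row (a single busy interval is not an attack).
    """

    def __init__(self, link_speed_bps, poll_interval_s, util_threshold=0.90,
                 sigma_threshold=3.0, sustain_polls=3, baseline_window=20,
                 min_baseline=5, counter_bits=32):
        self.link_speed_bps = float(link_speed_bps)
        self.poll_interval_s = float(poll_interval_s)
        self.util_threshold = util_threshold      # fraction of link speed
        self.sigma_threshold = sigma_threshold    # std devs above baseline mean
        self.sustain_polls = sustain_polls
        self.min_baseline = min_baseline          # polls needed before judging deviance
        self.counter_modulus = 1 << counter_bits  # ifInOctets is 32-bit; ifHCInOctets is 64
        self.baseline: Deque[float] = deque(maxlen=baseline_window)
        self.last_counter: Optional[int] = None
        self.breaches = 0

    def observe(self, octet_counter: int) -> Dict[str, object]:
        """Record one counter reading and return the rate and alarm state."""
        if self.last_counter is None:
            self.last_counter = octet_counter
            return {"rate_bps": None, "saturated": False, "deviant": False, "alarm": False}
        # Modular subtraction recovers the true delta across a counter wrap,
        # provided the counter wraps at most once per poll interval.
        delta_octets = (octet_counter - self.last_counter) % self.counter_modulus
        self.last_counter = octet_counter
        rate_bps = delta_octets * 8 / self.poll_interval_s

        saturated = rate_bps >= self.util_threshold * self.link_speed_bps
        deviant = False
        if len(self.baseline) >= self.min_baseline:
            mu, sigma = mean(self.baseline), pstdev(self.baseline)
            deviant = rate_bps > mu + self.sigma_threshold * sigma

        if saturated or deviant:
            self.breaches += 1
        else:
            self.breaches = 0
            self.baseline.append(rate_bps)  # only quiet polls feed the baseline
        return {
            "rate_bps": rate_bps,
            "saturated": saturated,
            "deviant": deviant,
            "alarm": self.breaches >= self.sustain_polls,
        }


MBIT = 1_000_000
OC3C_BPS = 155.52 * MBIT   # assumed link speed
POLL_S = 60                # assumed poll interval

# Constructed per-poll rates: ten quiet polls around 50 Mbit/s, one blip to
# 70 Mbit/s, one quiet poll, then a sustained jump to 130 Mbit/s.
SAMPLE_RATES_BPS = [r * MBIT for r in
                    (48, 52, 50, 49, 51, 50, 47, 53, 50, 50, 70, 50, 130, 130, 130, 130, 130)]


def counters_from_rates(rates_bps, poll_interval_s, counter_bits=32, start=0) -> List[int]:
    """Turn per-poll rates into the wrapping octet counter a poller would read."""
    counters, total = [start], start
    for rate in rates_bps:
        total = (total + rate * poll_interval_s // 8) % (1 << counter_bits)
        counters.append(total)
    return counters


def run_demo(rates_bps=SAMPLE_RATES_BPS) -> List[Dict[str, object]]:
    alarm = LinkSaturationAlarm(OC3C_BPS, POLL_S)
    return [alarm.observe(c) for c in counters_from_rates(rates_bps, POLL_S)]


def first_alarm_poll(results) -> Optional[int]:
    """Index of the first poll that alarmed, or None."""
    for i, r in enumerate(results):
        if r["alarm"]:
            return i
    return None


if __name__ == "__main__":
    for i, r in enumerate(run_demo()):
        rate = "-" if r["rate_bps"] is None else "%6.1f Mbit/s" % (r["rate_bps"] / MBIT)
        print("poll %2d  rate=%s  deviant=%s  alarm=%s" % (i, rate, r["deviant"], r["alarm"]))
```

Two things to note when adapting this: the baseline only learns from polls that did not breach, so a flood never drags the mean up (but a permanent, legitimate traffic increase has to be re-baselined by hand); and a fast link polled at a coarse interval can wrap a 32-bit counter more than once per poll, which makes the rate unrecoverable, so on such links use the 64-bit counters or poll more often.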