North American Network Operators Group


Re: Proactive steps to prevent DDOS?

  • From: David Harmelin
  • Date: Mon Jan 29 10:08:09 2001


DANTE has also developed a tool made of in-house scripts, a database and based on netflow exports, that detects more DoS attacks than manpower is available to treat.

Still, it enables us to log, and treat, the major (long lasting, repeating, extremely distributed, powerful, you name it) ones.

However, we have discovered the following interesting paradox:
- the more transit traffic a network carries, the more likely it will also carry DoS attacks, the more DoS attacks will be noticed and the higher the costs associated with DDoS will be
- once an attack is detected on a transit network, getting the correct administration of the end sites to actually do something about it, is the real problem, especially if those end sites are not direct peers (which, for some major transit networks, is always the case).

As usual, it is enough for one administration in the chain to not have enough manpower/not understand the problem or ways to fix it/think the problem is not worth fixing/have different priorities for DDoS compromised hosts to remain compromised for months.

It's good to see the awareness is being raised recently, though.

DH.

At 08:47 AM 1/29/01 -0500, Jeff Ogden wrote:


At 9:27 AM +0200 1/29/01, Hank Nussbacher wrote:
At 12:52 27/01/01 -0500, Jeff Ogden wrote:
--Look into the systems that are being developed and starting to become
  available that help automate the work to diagnose DDOS attacks.
  Encourage your up streams to do the same.
I know of just Asta Networks:
Asta Networks claims cure for denial-of-service attacks, Jan 17, 2001
http://www.nwfusion.com/news/2001/0117ddos.html
Firm eyes DOS attacks, Jan 22, 2001
http://www.nwfusion.com/archive/2001/115979_01-22-2001.html

Can you elaborate on others you may know?

-Hank
Yes, Asta is one.

There is a DARPA funded research project called Lighthouse at the University of Michigan that is working in this area. Merit has been involved mostly by giving them access to traffic on a real operational network. See:


http://www.darpa.mil/leaving.asp?url=http://www.eecs.umich.edu/lighthouse

I understand that there are other DARPA funded efforts working on different aspects of the DOS problem (automatic detection, trace back, counter measures).

Take a look at "Networking & Distributed Systems" under

http://www.darpa.mil/ito/ResearchAreas.html

In particular see:

http://www.darpa.mil/ito/psum2000/J032-0.html
http://www.darpa.mil/ito/psum2000/J910-0.html
http://www.darpa.mil/ito/psum2000/J028-0.html


___________________________________________________________________
            * *         David Harmelin  	Network Engineer
          *     *				DANCERT Representative
         *              Francis House
        *               112 Hills Road       Tel +44 1223 302992
        *               Cambridge CB2 1PQ    Fax +44 1223 303005
     D  A  N  T  E      United Kingdom       WWW http://www.dante.net
____________________________________________________________________
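The message above describes a netflow-export-based tool that flags DoS attacks for operators to log and treat. The following is an added illustration of that kind of flow-based detection, written for this page; it is not DANTE's tool or any code from the thread. It assumes a simplified flow record (source, destination, protocol, port, packets, octets), a fixed export window of 60 seconds, and constructed sample flows in RFC 5737 documentation ranges; the thresholds are hypothetical starting points an operator would tune against their own baseline.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One simplified flow record, as a netflow collector might export it."""
    src: str
    dst: str
    proto: int     # IP protocol number (6 = TCP, 17 = UDP)
    dport: int
    packets: int
    octets: int


def _constructed_sample_flows():
    """Constructed sample data (not a real export): one 60-second window
    containing a distributed flood towards 192.0.2.10 plus ordinary
    HTTPS traffic towards 192.0.2.20."""
    flows = []
    # Flood: 200 distinct sources, each sending 50 tiny (40-byte) TCP packets.
    for i in range(1, 201):
        flows.append(Flow(f"203.0.113.{i}", "192.0.2.10", 6, 80, 50, 50 * 40))
    # Normal: 5 clients exchanging full-sized packets with a web server.
    for i in range(1, 6):
        flows.append(Flow(f"198.51.100.{i}", "192.0.2.20", 6, 443, 300, 300 * 900))
    return flows


def summarize_by_destination(flows, window_seconds=60):
    """Aggregate flows per destination: source diversity, packet rate and
    mean packet size, the three indicators the detector scores on."""
    per_dst = defaultdict(lambda: {"sources": set(), "packets": 0, "octets": 0})
    for f in flows:
        entry = per_dst[f.dst]
        entry["sources"].add(f.src)
        entry["packets"] += f.packets
        entry["octets"] += f.octets
    summary = {}
    for dst, e in per_dst.items():
        summary[dst] = {
            "distinct_sources": len(e["sources"]),
            "packets": e["packets"],
            "pps": e["packets"] / window_seconds,
            "mean_packet_bytes": e["octets"] / e["packets"],
        }
    return summary


def detect_ddos(flows, window_seconds=60, min_sources=100, min_pps=100.0,
                max_mean_packet_bytes=128):
    """Return the destinations whose traffic looks like a distributed flood
    in this window: many distinct sources AND a high packet rate made up of
    small packets. The thresholds are hypothetical and must be tuned to the
    network's own baseline; a single check in isolation is far too noisy.
    """
    flagged = {}
    for dst, s in summarize_by_destination(flows, window_seconds).items():
        if (s["distinct_sources"] >= min_sources
                and s["pps"] >= min_pps
                and s["mean_packet_bytes"] <= max_mean_packet_bytes):
            flagged[dst] = s
    return flagged


def incident_line(dst, summary):
    """One log line per flagged destination, the kind of record that gets
    handed to the end site's administration for follow-up."""
    return (f"DDOS-SUSPECT dst={dst} sources={summary['distinct_sources']} "
            f"pps={summary['pps']:.1f} mean_bytes={summary['mean_packet_bytes']:.0f}")


if __name__ == "__main__":
    for dst, s in detect_ddos(_constructed_sample_flows()).items():
        print(incident_line(dst, s))
```

The three indicators are deliberately combined with AND: source diversity alone also matches a popular web server, and a high packet rate alone matches a busy one; the small mean packet size is what separates a flood of minimal packets from legitimate load. Whatever the thresholds, the output is only a candidate list for a human to treat, which is exactly the bottleneck the message describes.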