[110944] in North American Network Operators' Group
Re: Are we really this helpless? (Re: isprime DOS in progress)
daemon@ATHENA.MIT.EDU (Christopher Morrow)
Fri Jan 23 23:10:44 2009
In-Reply-To: <80022.1232767919@turing-police.cc.vt.edu>
Date: Fri, 23 Jan 2009 23:10:38 -0500
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Valdis.Kletnieks@vt.edu
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
On Fri, Jan 23, 2009 at 10:31 PM, <Valdis.Kletnieks@vt.edu> wrote:
> On Fri, 23 Jan 2009 18:33:14 PST, Seth Mattinen said:
>
>> Back to my original question: is there really not a better solution?
>
> Well, we *could* hunt down the perpetrators, pool some $$, and hire 3 or 4
> baseball-bat wielding professional explainers to go explain our position to
> them. Figuring out how to do so without breaking any laws is the tough part...

Step one, find a device on your network seeing the traffic
Step two, follow the stream(s) of traffic back to its ingress
(hopefully a customer link on your network)
Step three, watch for associated traffic to the source of the DNS
queries, correlate this with other sources on your network to
find/identify the control point for this effort.

-chris
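
The three steps above, sketched over flow records as an added example that is not part of the original message. The record layout, router and interface names, and all addresses are constructed assumptions, and the query stream is assumed to be recognisable by the source address seen in the DNS queries.

```python
from collections import defaultdict

# Constructed flow records (not real data), hypothetical layout:
# (router, in_if, out_if, src, dst, proto, dport)
FLOWS = [
    ("edge1", "cust-a", "core", "203.0.113.9", "198.51.100.53", "udp", 53),
    ("edge1", "cust-a", "core", "203.0.113.9", "198.51.100.54", "udp", 53),
    ("edge2", "cust-b", "core", "203.0.113.9", "198.51.100.53", "udp", 53),
    ("edge2", "cust-c", "core", "192.0.2.77", "198.51.100.80", "tcp", 80),
    ("edge1", "core", "cust-a", "192.0.2.200", "10.1.0.5", "tcp", 6667),
    ("edge2", "core", "cust-b", "192.0.2.200", "10.2.0.8", "tcp", 6667),
    ("edge2", "core", "cust-b", "192.0.2.10", "10.2.0.8", "tcp", 443),
    ("edge2", "core", "cust-c", "192.0.2.10", "10.3.0.2", "tcp", 443),
]

def ingress_links(flows, query_src):
    """Steps one and two: find the DNS query stream and the
    (router, interface) pairs where it enters the network."""
    counts = defaultdict(int)
    for router, in_if, _out, src, _dst, proto, dport in flows:
        if src == query_src and proto == "udp" and dport == 53:
            counts[(router, in_if)] += 1
    return dict(counts)

def control_candidates(flows, links, min_links=2):
    """Step three: remote peers sending traffic toward hosts behind
    several of the suspect links. Correlating on the link rather than
    on a host address still works if the query source is not the real
    sender's address."""
    seen = defaultdict(set)
    for router, _in, out_if, src, _dst, _proto, _dport in flows:
        if (router, out_if) in links:
            seen[src].add((router, out_if))
    return sorted(p for p, hit in seen.items() if len(hit) >= min_links)

if __name__ == "__main__":
    links = ingress_links(FLOWS, "203.0.113.9")
    print("ingress links:", links)
    print("peers common to suspect links:", control_candidates(FLOWS, links))
```

A peer that reaches only one suspect link (192.0.2.10 here) is dropped by `min_links`; raising that threshold trades missed candidates for fewer shared services such as mail or update servers showing up.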