[191762] in North American Network Operators' Group
Re: Krebs on Security booted off Akamai network after DDoS attack
daemon@ATHENA.MIT.EDU (Christopher Morrow)
Mon Sep 26 19:58:56 2016
X-Original-To: nanog@nanog.org
In-Reply-To: <20160926234939.B1961551553A@rock.dv.isc.org>
From: Christopher Morrow <morrowc.lists@gmail.com>
Date: Mon, 26 Sep 2016 19:58:51 -0400
To: Mark Andrews <marka@isc.org>
Cc: John Levine <johnl@iecc.com>, "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On Mon, Sep 26, 2016 at 7:49 PM, Mark Andrews <marka@isc.org> wrote:
>
> Giving them real time access to the anomalous traffic log feed for
> their residence would also help. They or the specialist they bring
> in will be able to use that to trace back the problem.
>
>
wouldn't this work better as a standard bit of CPE software capability?
wouldn't something as simple as netflow/sflow/ipfix synthesized on the CPE
and kept for ~30mins (just guessing) in a circular buffer be 'good enough'
to present a pretty clear UI to the user?
ip/mac/vendor sending (webtraffic|email|probes) to destination-name
[checkbox]
<repeat>
select those you'd like to block [clickhere]
This really doesn't seem hard, to present in a fairly straightforward
manner... sure 'all cpe' (or 'a bunch of cpe') have to adopt something
similar to this approach... but on the other hand:
"At least my ISP isn't snooping on all my traffic"
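As an added illustration (not code from the post, nor from any CPE vendor), here is a Python sketch of what the reply describes: flow records synthesized on the CPE, kept in a ~30 minute circular buffer, rolled up into "ip/mac/vendor sending (kind) to destination" rows, with the rows the user ticks turned into block pairs. The window length, the port-based classification, the vendor strings, and the sample flows are all constructed assumptions.

```python
"""Constructed sketch of the CPE-side flow summary the post describes."""
from collections import deque, defaultdict, namedtuple

WINDOW_SECS = 30 * 60  # the post's guess: keep ~30 minutes of flow records

# One synthesized flow record, as a CPE exporting netflow/sflow/ipfix would see it.
# vendor is assumed to come from an OUI lookup on src_mac (constructed here).
Flow = namedtuple("Flow", "ts src_ip src_mac vendor dst_name dst_port proto flags")

def classify(flow):
    """Label a flow the way the proposed UI would: webtraffic, email, probes."""
    if flow.dst_port in (80, 443):
        return "webtraffic"
    if flow.dst_port in (25, 465, 587):
        return "email"
    if flow.proto == "tcp" and flow.flags == "S":
        return "probes"  # SYN only, no completed handshake seen
    return "other"

class FlowRing:
    """Circular buffer: flows older than WINDOW_SECS are dropped on insert."""
    def __init__(self, window=WINDOW_SECS):
        self.window = window
        self.flows = deque()
    def add(self, flow):
        self.flows.append(flow)
        while flow.ts - self.flows[0].ts > self.window:
            self.flows.popleft()
    def summary(self):
        """(src_ip, src_mac, vendor, kind, dst_name) -> flow count, one UI row each."""
        counts = defaultdict(int)
        for f in self.flows:
            counts[(f.src_ip, f.src_mac, f.vendor, classify(f), f.dst_name)] += 1
        return dict(counts)

def block_rules(summary, selected):
    """Rows the user ticked become (src_mac, dst_name) pairs for the CPE filter."""
    return sorted({(row[1], row[4]) for row in summary if row in selected})

# Constructed sample: a laptop browsing, a camera probing telnet, one record aged out.
SAMPLE = [
    Flow(0, "192.168.1.9", "aa:bb:cc:00:00:01", "LaptopCo", "example.org", 443, "tcp", "SA"),
    Flow(1000, "192.168.1.20", "aa:bb:cc:00:00:02", "CamCorp", "203.0.113.5", 23, "tcp", "S"),
    Flow(1001, "192.168.1.20", "aa:bb:cc:00:00:02", "CamCorp", "203.0.113.6", 23, "tcp", "S"),
    Flow(2000, "192.168.1.9", "aa:bb:cc:00:00:01", "LaptopCo", "example.org", 443, "tcp", "SA"),
]

def demo():
    ring = FlowRing()
    for f in SAMPLE:
        ring.add(f)  # the ts=0 record falls out of the window at ts=2000
    return ring.summary()
```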