[191781] in North American Network Operators' Group


Re: Krebs on Security booted off Akamai network after DDoS attack

daemon@ATHENA.MIT.EDU (Jared Mauch)
Tue Sep 27 08:20:27 2016

X-Original-To: nanog@nanog.org
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <CAL9jLaZNBP9GWFzHnB1AGG8MRnK3dH=qeQb_KeigKc198zDaJw@mail.gmail.com>
Date: Tue, 27 Sep 2016 08:20:22 -0400
To: Christopher Morrow <morrowc.lists@gmail.com>
Cc: John Levine <johnl@iecc.com>, "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org


> On Sep 26, 2016, at 7:58 PM, Christopher Morrow <morrowc.lists@gmail.com> wrote:
>
> On Mon, Sep 26, 2016 at 7:49 PM, Mark Andrews <marka@isc.org> wrote:
>
>>
>> Giving them real time access to the anomalous traffic log feed for
>> their residence would also help.  They or the specialist they bring
>> in will be able to use that to trace back the problem.
>>
>>
> wouldn't this work better as a standard bit of CPE software capability?
> wouldn't something as simple as netflow/sflow/ipfix synthesized on the CPE
> and kept for ~30mins (just guessing) in a circular buffer be 'good enough'
> to present a pretty clear UI to the user?
>
> ip/mac/vendor sending (webtraffic|email|probes) to destination-name
> [checkbox]
> <repeat>
>
>
> select those you'd like to block [clickhere]
>
> This really doesn't seem hard, to present in a fairly straight forward
> manner... sure 'all cpe' (or 'a bunch of cpe') have to adopt something
> similar to this approach... but on the other hand:
>  "At least my ISP isn't snooping on all my traffic"

The UBNT Edgerouter series has this.  You can get fancy graphs and application
breakdown.

Scroll down and check the images:

https://help.ubnt.com/hc/en-us/articles/204951104-EdgeMAX-Deep-Packet-Inspection-Engine-for-EdgeRouter

You can see the hosts that are doing traffic and the destinations.

They even have a model that takes a SFP so you can use it as CPE for FTTH.

- Jared
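
The per-device view proposed in the quoted message (flow records kept for about 30 minutes in a circular buffer, then summarised as "device sending category to destinations"), as an added sketch that is not part of the original thread and not any vendor's CPE firmware. The record fields, the port-to-category map, the `PROBE_FANOUT` threshold and the sample flows are assumptions constructed for illustration; vendor lookup and the block action are left out.

```python
"""CPE-side flow buffer sketch: keep ~30 minutes of flows, summarise per device."""
from collections import deque, defaultdict, namedtuple

WINDOW_SECONDS = 30 * 60   # the "~30mins (just guessing)" window from the thread
PROBE_FANOUT = 20          # assumed: this many distinct destinations on one port
PORT_CLASSES = {80: "webtraffic", 443: "webtraffic",
                25: "email", 465: "email", 587: "email"}  # assumed mapping

# Hypothetical flow record, roughly what a netflow/sflow/ipfix export would carry.
Flow = namedtuple("Flow", "ts src_ip src_mac dst dst_port nbytes")

class FlowBuffer:
    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.flows = deque()

    def add(self, flow):
        """Append a flow, then evict everything older than the window."""
        self.flows.append(flow)
        cutoff = flow.ts - self.window
        while self.flows and self.flows[0].ts < cutoff:
            self.flows.popleft()

    def summary(self):
        """Rows of (src_ip, src_mac, category, dst_port, n_destinations, bytes)."""
        groups = defaultdict(lambda: {"dsts": set(), "bytes": 0})
        for f in self.flows:
            g = groups[(f.src_ip, f.src_mac, f.dst_port)]
            g["dsts"].add(f.dst)
            g["bytes"] += f.nbytes
        rows = []
        for (ip, mac, port), g in sorted(groups.items()):
            if len(g["dsts"]) >= PROBE_FANOUT:
                category = "probes"   # wide fan-out on one port looks like scanning
            else:
                category = PORT_CLASSES.get(port, "other")
            rows.append((ip, mac, category, port, len(g["dsts"]), g["bytes"]))
        return rows

def demo():
    """Constructed sample: a laptop browsing, a camera fanning out on port 23."""
    buf = FlowBuffer()
    buf.add(Flow(0, "192.168.1.10", "aa:bb:cc:00:00:01", "old.example", 443, 9000))
    for i in range(25):
        buf.add(Flow(1000 + i, "192.168.1.50", "aa:bb:cc:00:00:02",
                     f"198.51.100.{i}", 23, 120))
    buf.add(Flow(1900, "192.168.1.10", "aa:bb:cc:00:00:01", "www.example.com", 443, 50000))
    return buf.summary()

if __name__ == "__main__":
    for row in demo():
        print("%s %s sending %s (port %d) to %d destination(s), %d bytes" % row)
```

The first laptop flow ages out of the window before the summary is taken, so only traffic from the last 30 minutes is shown to the user.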
