[27196] in North American Network Operators' Group
Re: Yahoo offline because of attack (was: Yahoo network outage)
daemon@ATHENA.MIT.EDU (Jim Williams)
Thu Feb 10 00:11:22 2000
Date: Thu, 10 Feb 2000 00:02:08 -0500 (EST)
From: Jim Williams <jaw12@ntrnet.net>
To: "Christopher B. Zydel" <czydel@aralan.net>
Cc: nanog@merit.edu
In-Reply-To: <20000210000024.B20557@ares.aralan.net>
Message-ID: <Pine.LNX.4.10.10002100001280.5784-100000@shell.ntrnet.net>
Anyone find it interesting that all the big name sites are getting hit
except AOL? Makes you wonder....
Jim Williams Ntrnet Systems, Inc.
President/CEO Research Triangle Park, NC
jaw12@ntrnet.net (919)484-0504 fax(919)484-0782
On Thu, 10 Feb 2000, Christopher B. Zydel wrote:
>
> On Wed, Feb 09, 2000 at 03:51:45PM -0500, Travis Pugh wrote:
> > Host-by-host prevention, during an attack, should be very easy
> > ... assuming a minimal amount of cooperation between upstream provider and
> > compromised network, if link utilization is tracked and the spike is
> > noticeable. Perhaps we should be notifying operations staff to be on the
> > lookout for suddenly saturated circuits, and to be prepared to help out
> > owners of compromised hosts with filter configuration?
>
> This sort of alarming is fairly trivial. Just about any network management
> system can be configured to poll interface counters on a regular basis and
> alarm when some threshold is reached. The difficult question to answer is
> "How long should the link be saturated before sending an alarm". With high
> speed links this is a lot easier. It's relatively easy to saturate a T1
> with a file transfer, however the same would not be true for an OC-3c.
> This type of alarming should be based upon deviation from the established
> mean as well. (For example, if a circuit sees around 50mbit/sec worth of
> usage on a regular basis, and then spikes to 130mbit/sec and stays there,
> something is clearly wrong)
>
> /cbz
>
>
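
The alarming approach discussed in the quoted message above (poll interface counters, compare against the established mean, and alarm only when the spike stays), as an added example that is not part of the original thread. The function names, the 32-bit wrapping octet counter, the 60-second poll interval, the 3-sigma limit and the three-consecutive-polls rule are all assumptions, and the sample readings are constructed.

```python
from statistics import mean, pstdev

COUNTER_MAX = 2**32   # assumption: 32-bit octet counters that wrap
POLL_S = 60           # assumption: one poll per minute

def rates_mbps(counters, interval_s=POLL_S):
    """Turn successive octet-counter readings into Mbit/s, tolerating one wrap per interval."""
    return [((cur - prev) % COUNTER_MAX) * 8 / interval_s / 1e6
            for prev, cur in zip(counters, counters[1:])]

def first_sustained_alarm(rates, baseline_n, k=3.0, min_polls=3, floor_mbps=1.0):
    """Index of the poll where the alarm fires, or None.

    The baseline is the first baseline_n samples. A poll is "high" when it
    exceeds mean + max(k * stddev, floor_mbps); the alarm fires only after
    min_polls consecutive high polls, so a single burst is ignored.
    """
    base = rates[:baseline_n]
    limit = mean(base) + max(k * pstdev(base), floor_mbps)
    run = 0
    for i in range(baseline_n, len(rates)):
        run = run + 1 if rates[i] > limit else 0
        if run >= min_polls:
            return i
    return None

def counters_from(rates, interval_s=POLL_S, start=4_000_000_000):
    """Build constructed counter readings (with wraps) from a list of Mbit/s rates."""
    readings = [start]
    for r in rates:
        readings.append((readings[-1] + int(r * 1e6 / 8 * interval_s)) % COUNTER_MAX)
    return readings

# Constructed sample: ~50 Mbit/s baseline, a one-poll burst, then a spike that stays.
SAMPLE_MBPS = [48, 52, 50, 49, 51, 50,   50, 120, 51, 50,   130, 130, 131, 129]
SAMPLE_COUNTERS = counters_from(SAMPLE_MBPS)

if __name__ == "__main__":
    rates = rates_mbps(SAMPLE_COUNTERS)
    print("alarm at poll", first_sustained_alarm(rates, baseline_n=6))
```

Raising `min_polls` answers the "how long should the link be saturated" question for slower links, where a single file transfer can fill the circuit for several polls.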