[27226] in North American Network Operators' Group
Re: NANOG meeting subject of attack? Hmmmm....
daemon@ATHENA.MIT.EDU (Hank Nussbacher)
Thu Feb 10 03:48:29 2000
Message-Id: <3.0.5.32.20000210103652.00804730@max.ibm.net.il>
Date: Thu, 10 Feb 2000 10:36:52 +0200
To: Travis Pugh <tpugh@shore.net>, Joe Shaw <jshaw@insync.net>
From: Hank Nussbacher <hank@att.net.il>
Cc: nanog@merit.edu
In-Reply-To: <Pine.GSO.4.21.0002091942060.26417-100000@cider.ecosoft.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Errors-To: owner-nanog-outgoing@merit.edu
At 20:21 09/02/00 -0500, Travis Pugh wrote:
Interesting and may have nothing to do with it, but:
http://moat.nlanr.net/TopThroughput/
Starting at 2/2/2000, I have seen the top 100 Internet-2 flows to be
significantly higher than a month ago.
I would also look at vBNS:
http://www.vbns.net/stats/flows/data/results/hibw/
Feel free to do the analysis and see if anything of interest turns up.
Regards,
Hank
>
>
>On the subject of cooperation, has anyone set out to catalog where these
>attacks are coming from, at least in terms of compromised networks, and
>share said information? I know similar catalogs sprang up in response to
>smurfs ... is it time to start listing offending networks? Even better,
>does anyone know if the attacks are using something like TFN2K and using
>dummy addresses to obfuscate real attacking hosts?
>
>I see a lot of talk of attacked sites putting up router filters to
>stop attacks. Can anyone who knows let the rest of us in on what was
>filtered ... was Yahoo taken down with a flood of HTTP GETs, ICMP, UDP,
>SYN floods, or what? If this is a DDoS, the attack could probably be
>fingerprinted ... this would be very useful information if we are going
>to see more tomorrow. Do we know if the source addys are spoofed, and if
>an attacker could turn off spoofing, revealing the source of the traffic
>but getting around some filtering?
>
>I am making the assumption that the last three days' attacks were caused
>by the same person or persons. But the intent is the same regardless
>... we can all go back and forth on NANOG about what might be happening,
>and wait for the feds to chase down the attacker(s), or people who have
>been attacked or might be attacked can compare notes and try to get an
>idea of where the attacks are coming from and exactly what they are.
>
>Any relevant info would be appreciated. Nobody knows who is next.
>
>-travis
>
>
>On Wed, 9 Feb 2000, Joe Shaw wrote:
>
>>
>>
>> Make it a law, and they will. But I don't think laws are the answer
>> to cooperation. The Tier1's should take the time to work together on
>> their own before they are forced to in a way they may not like.
>>
>> --
>> Joseph W. Shaw - jshaw@insync.net
>> Computer Security Consultant and Programmer
>> Free UNIX advocate - "I hack, therefore I am."
>>
>> On Wed, 9 Feb 2000, Henry R. Linneweh wrote:
>>
>> > they should be made to co-operate with the backbone provider and not have
>> > much choice in the matter.
>>
>>
>>
>
>
>