[27262] in North American Network Operators' Group


Re: Yahoo! Lessons Learned

daemon@ATHENA.MIT.EDU (Sean Donelan)
Thu Feb 10 16:43:57 2000

Date: 10 Feb 2000 13:36:43 -0800
Message-ID: <20000210213643.21386.cpmta@c004.sfo.cp.net>
Content-Type: text/plain
Content-Disposition: inline
Mime-Version: 1.0
To: wrath@cs.umbc.edu
From: Sean Donelan <sean@donelan.com>
Cc: nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu


On Thu, 10 February 2000, Vijay Gill wrote:
> Of course, given that we can get netflow type packet histories, plotting
> the src/dest pairs for a while and then if there is a _large_ change (some
> n std dev) from the norm for some particular dst (nominally the one under
> attack), and then raising an alarm on that router/pipe, would make it
> trivial to trace these type of attacks.  With history storage, it would
> make it easier to trace back after the fact. 

I've wondered what type of statistical sampling could be used to find these
attacks, but not require huge amounts of storage.  The theory is these are
very large traffic flows which congest the pipe and push other traffic out
of the way.  If you sample 1% of the traffic, and 99% of the sample is the
same src/dest pair, something may be fishy.
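As an added illustration of the two ideas in this exchange (not code from either message), the sketch below does Vijay's per-destination deviation check against a stored baseline and Sean's "sample 1% and see whether one src/dst pair dominates" test. Addresses, packet counts and the one-record-per-sampled-packet format are constructed assumptions for the demo.

```python
"""Sampling-based flood detection, an added example in the spirit of the thread.

Two checks: (1) per-destination deviation from a stored baseline, measured in
standard deviations; (2) sample 1% of packets and see if one src/dst pair
dominates. All addresses and counts below are constructed test data.
"""
import random
from collections import Counter
from statistics import mean, stdev


def dominant_pair_share(packets, sample_rate=0.01, seed=0):
    """Sample a fraction of (src, dst) packet records; return the most common
    pair in the sample and the share of the sample it accounts for."""
    rng = random.Random(seed)               # fixed seed keeps the demo reproducible
    k = max(1, int(len(packets) * sample_rate))
    sample = rng.sample(packets, k)
    (pair, n), = Counter(sample).most_common(1)
    return pair, n / k


def dst_zscore(history, current):
    """How many standard deviations the current per-interval packet count to a
    destination sits above its historic mean (positive = busier than usual)."""
    if len(history) < 2:
        raise ValueError("need at least two historic intervals")
    sd = stdev(history)
    if sd == 0:                              # flat history: any change is anomalous
        return 0.0 if current == history[0] else float("inf")
    return (current - mean(history)) / sd


def constructed_packets(flood=True):
    """Background: 20k packets spread over 1000 src/dst pairs (constructed).
    Flood: 80k packets from one source to one destination (constructed)."""
    background = [(f"10.0.{i % 200}.{i % 250}", f"192.0.2.{i % 50}") for i in range(20_000)]
    if not flood:
        return background
    return [("203.0.113.7", "192.0.2.10")] * 80_000 + background


if __name__ == "__main__":
    pair, share = dominant_pair_share(constructed_packets())
    print(f"dominant pair {pair} is {share:.0%} of the 1% sample")
    # Historic per-interval counts for 192.0.2.10 versus the current interval (constructed).
    print(f"z-score for 192.0.2.10: {dst_zscore([1000, 1100, 950, 1050, 1000], 80_000):.1f}")
```

With the flood present the dominant pair takes roughly 80% of the sample; without it no pair exceeds a few percent, which is the contrast Sean's heuristic relies on.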