[27374] in North American Network Operators' Group


!white.house, !panacea, new traceback paper from stefan savage

daemon@ATHENA.MIT.EDU (k claffy)
Mon Feb 14 15:56:50 2000

Date: Mon, 14 Feb 2000 12:54:50 -0800
From: k claffy <kc@caida.org>
To: nanog@merit.edu
Cc: Stefan Savage <savage@cs.washington.edu>,
	david wetherall <djw@cs.washington.edu>, coral-dev@caida.org
Message-ID: <20000214125449.A18216@caida.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Errors-To: owner-nanog-outgoing@merit.edu





(not sure if this has been posted yet, sorry if so)
new relevant paper worth checking out by stefan savage et al 
(david, ann, tom, all UW)
disclaimer: these folks are just at the "explore the problem" stage 
and not the "propose a complete implementation now" stage. 


but exploring the problem
is good


  From Stefan:
  On Thu, Feb 10, 2000 at 05:14:56PM -0800, Stefan Savage wrote:
  Hi KC,

  	We've been doing some work on efficient network support 
	for tracing denial-of-service attacks and all of a sudden 
	the topic has some relevance (a strange experience as
	a researcher ;-).  Anyway, this seemed like a good time 
	to introduce our work and try to get some feedback on it.  
	We've put a copy of our paper at:
  
  	http://www.cs.washington.edu/homes/savage/traceback.html
  
	If you have a moment, we'd definitely appreciate any comments
	you might have.  We're also especially interested in getting
	feedback from the ISP operations community and from equipment
	vendors, so please feel free to forward this to anyone you
	think might be interested.  Thanks!

  - Stefan
    <savage@cs.washington.edu>, 
    coauthor david wetherall <djw@cs.washington.edu>
	(and anna and tom)




speaking of non-panaceas,
brett mentioned caida passive monitoring for security.
lemme clarify, 
coralreef has some bits that can detect port-scanning and
then auto-trigger full framed collection on a specific filter
	http://www.caida.org/Tools/CoralReef/

but it's quite a different animal from traceback 
e.g., what rstone's centertrack is trying to do
	http://www.nanog.org/mtg-9910/robert.html
	(not sure where that stands wrt deployment)

or what ddrew's cisco-based DOStracker did for what's.now.cw.net

  brettw also said

  if we installed passive monitors on IX links between providers, we
  might be able to do some interesting security traces.

reckon you[pl.]'d have to install a lot of them
and some facility for correlating among them
(and at least coral doesn't have any of that yet,
nor any kind of auto-paging when something looks suspicious)

again, nothing money & hardware & code & a NOC contact list 
can't heavily dent in a year or 2 if folks wanted it badly enough.  
and with other positive benefits to boot.
(in case folks think the malice of undersocial teenagers 
is the biggest threat we face...)
  


