[27614] in North American Network Operators' Group
Re: [long] Re: DDoS: CAR vs TCP-Intercept vs NetFlow
daemon@ATHENA.MIT.EDU (Paul Ferguson)
Mon Feb 28 23:34:02 2000
Message-Id: <4.2.2.20000228232841.00a33380@lint.cisco.com>
Date: Mon, 28 Feb 2000 23:31:32 -0500
To: Richard Steenbergen <ras@above.net>
From: Paul Ferguson <ferguson@cisco.com>
Cc: nanog@merit.edu
In-Reply-To: <20000228231513.V28385@above.net>
At 11:15 PM 02/28/2000 -0500, Richard Steenbergen wrote:
>Be careful with flow when dealing with random src or random dst (for
>example, an attack which elicits a victim system to send replies to random
>destinations) attacks, or it may not help you much (as the flow cache gets
>max'd).
Just like they say about vitamin fortified cereals, "it's in there".

The flow-switching creature features have enough functionality to
trace an attacker back to its source. Yes, it's painful. Yes, it has
to be done in real-time. Yes, actually, it has been done before. No,
there is no other real way to do it.

People: Start source filtering so we can get beyond these inane
discussions.

- paul
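
Added illustration, not part of either poster's message: a toy Python model of the two points in this exchange, a bounded flow cache that churns when sources are random, and source filtering at the edge that drops the forged packets before they are accounted. The cache size, LRU eviction, the documentation-range addresses and all function names are assumptions for this sketch, not the behaviour of any particular router.

```python
import ipaddress
import random
from collections import OrderedDict

class FlowCache:
    """Toy bounded flow cache keyed on the 5-tuple (LRU eviction is an assumption)."""
    def __init__(self, max_entries):
        self.max_entries = max_entries
        self.flows = OrderedDict()   # 5-tuple -> packet count
        self.evictions = 0

    def account(self, key):
        if key in self.flows:
            self.flows[key] += 1
            self.flows.move_to_end(key)
            return
        if len(self.flows) >= self.max_entries:
            self.flows.popitem(last=False)   # cache full: oldest flow record is lost
            self.evictions += 1
        self.flows[key] = 1

def source_filter(packets, assigned_prefix):
    """Edge source filtering: keep only packets sourced from the assigned prefix."""
    net = ipaddress.ip_network(assigned_prefix)
    return [p for p in packets if ipaddress.ip_address(p[0]) in net]

def build_traffic(seed=1):
    """Constructed sample: 20 real client flows plus 20000 random-source packets."""
    rng = random.Random(seed)
    victim = "198.51.100.10"
    legit = [("192.0.2.%d" % (i % 20 + 1), victim, 6, 40000 + i % 20, 80)
             for i in range(2000)]
    # First octet 1..126 keeps every forged source outside 192.0.2.0/24.
    forged = [("%d.%d.%d.%d" % (rng.randrange(1, 127), rng.randrange(256),
                                rng.randrange(256), rng.randrange(256)),
               victim, 6, rng.randrange(1024, 65536), 80) for _ in range(20000)]
    mixed = legit + forged
    rng.shuffle(mixed)
    return legit, mixed

def run(packets, max_entries=1000):
    cache = FlowCache(max_entries)
    for pkt in packets:
        cache.account(pkt)
    return len(cache.flows), cache.evictions

if __name__ == "__main__":
    legit, mixed = build_traffic()
    print("legit only       :", run(legit))
    print("mixed, unfiltered:", run(mixed))
    print("mixed, filtered  :", run(source_filter(mixed, "192.0.2.0/24")))
```

In the constructed sample every forged source lies outside the assigned prefix; a forged source that happens to fall inside it would pass the filter.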