[31984] in North American Network Operators' Group


Re: DoS attacks, NSPs unresponsiveness

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Thu Nov 2 16:12:22 2000

Message-Id: <200011022110.eA2LAH615916@black-ice.cc.vt.edu>
To: Alexei Roudnev <alex@relcom.net>
Cc: nanog@merit.edu
In-Reply-To: Your message of "Thu, 02 Nov 2000 12:28:19 PST."
             <006401c0450b$70ad0d40$b608a8c0@genesyslab.com> 
From: Valdis.Kletnieks@vt.edu
Mime-Version: 1.0
Content-Type: multipart/signed; boundary="==_Exmh_-1273450896P";
	 micalg=pgp-sha1; protocol="application/pgp-signature"
Content-Transfer-Encoding: 7bit
Date: Thu, 02 Nov 2000 16:10:17 -0500
Errors-To: owner-nanog-outgoing@merit.edu


--==_Exmh_-1273450896P
Content-Type: text/plain; charset=us-ascii

On Thu, 02 Nov 2000 12:28:19 PST, Alexei Roudnev said:
> Just again - what about an attempt to create an ISP association which -
> - promise to do ingress filtering

It's already an IETF BCP, all clued ISPs should be doing it already - the
problem is the *unclued* ISPs, which will neither do ingress/egress
filtering, nor join any ISP association.

Hint:  How many of those ISPs do we hear from on NANOG? ;)

> - promise to do active filtering

"active filtering" in what meaning?  You have to be careful here, to
avoid a DOS attack by triggering active filtering...

> - promise to investigate any case

Would "investigate" include the form letter I send out whenever I get
a complaint that one of our NTP servers is trying to hack through somebody's
firewall on ports 13, 37, and 123?

Our CIRT is just basically 5-6 people who do security on top of everything
else. We have to perform triage - in the last week, we got the disk drive
of a compromised system into an evidence bag within 3 hours or so of
our first notification there was a problem.  On the other hand, we most
certainly do *NOT* guarantee that level of response unless it's a very
high profile incident.  I'm sure the situation is similar at every
other site out there....

-- 
				Valdis Kletnieks
				Operating Systems Analyst
				Virginia Tech



--==_Exmh_-1273450896P--

