[34130] in North American Network Operators' Group


Re: Proactive steps to prevent DDOS?

daemon@ATHENA.MIT.EDU (David Harmelin)
Mon Jan 29 10:05:31 2001

Message-Id: <4.2.2.20010129143303.00e12190@alpha.dante.org.uk>
Date: Mon, 29 Jan 2001 15:00:36 +0000
To: Jeff Ogden <jogden@merit.edu>, Hank Nussbacher <hank@att.net.il>
From: David Harmelin <david.harmelin@dante.org.uk>
Cc: nanog@merit.edu
In-Reply-To: <v04210102b69b20707984@[198.108.90.150]>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Errors-To: owner-nanog-outgoing@merit.edu


DANTE has also developed a tool made of in-house scripts and a database, 
based on netflow exports, that detects more DoS attacks than manpower is 
available to treat.

Still, it enables us to log, and treat, the major (long lasting, repeating, 
extremely distributed, powerful, you name it) ones.

However, we have discovered the following interesting paradox:
- the more transit traffic a network carries, the more likely it will also 
carry DoS attacks, the more DoS attacks will be noticed and the higher the 
costs associated with DDoS will be
- once an attack is detected on a transit network, getting the correct 
administration of the end sites to actually do something about it is the 
real problem, especially if those end sites are not direct peers (which, 
for some major transit networks, is always the case).

As usual, it is enough that one administration in the chain has not enough 
manpower / does not understand the problem or ways to fix it / thinks the 
problem is not worth fixing / has different priorities for DDoS-compromised 
hosts to remain compromised for months.

It's good to see that awareness is being raised recently, though.

DH.

At 08:47 AM 1/29/01 -0500, Jeff Ogden wrote:


>At 9:27 AM +0200 1/29/01, Hank Nussbacher wrote:
>>>At 12:52 27/01/01 -0500, Jeff Ogden wrote:
>>>--Look into the systems that are being developed and starting to become
>>>   available that help automate the work to diagnose DDOS attacks.
>>>   Encourage your up streams to do the same.
>>
>>I know of just Asta Networks:
>>Asta Networks claims cure for denial-of-service attacks, Jan 17, 2001
>>http://www.nwfusion.com/news/2001/0117ddos.html
>>Firm eyes DOS attacks, Jan 22, 2001
>>http://www.nwfusion.com/archive/2001/115979_01-22-2001.html
>>
>>Can you elaborate on others you may know?
>>
>>-Hank
>
>Yes, Asta is one.
>
>There is a DARPA funded research project called Lighthouse at the 
>University of Michigan that is working in this area. Merit has been 
>involved mostly by giving them access to traffic on a real operational 
>network. See:
>
> 
>http://www.darpa.mil/leaving.asp?url=http://www.eecs.umich.edu/lighthouse
>
>I understand that there are other DARPA funded efforts working on 
>different aspects of the DOS problem (automatic detection, trace back, 
>counter measures).
>
>Take a look at "Networking & Distributed Systems" under
>
>      http://www.darpa.mil/ito/ResearchAreas.html
>
>In particular see:
>
>      http://www.darpa.mil/ito/psum2000/J032-0.html
>      http://www.darpa.mil/ito/psum2000/J910-0.html
>      http://www.darpa.mil/ito/psum2000/J028-0.html
>
>

___________________________________________________________________
             * *         David Harmelin  	Network Engineer
           *     *				DANCERT Representative
          *              Francis House
         *               112 Hills Road       Tel +44 1223 302992
         *               Cambridge CB2 1PQ    Fax +44 1223 303005
      D  A  N  T  E      United Kingdom       WWW http://www.dante.net
____________________________________________________________________
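The netflow-export-based detection David describes above (scripts plus a database that log the long-lasting, distributed attacks), as an added illustration for this archive page and not DANTE's tool, whose scripts are not on the page. It assumes a simplified comma-separated flow record (start_epoch,src,dst,proto,sport,dport,packets,bytes), illustrative thresholds, and constructed sample flows; the incident table in SQLite stands in for the database the message mentions.

```python
"""Flow-based DoS detection over NetFlow-style exports (added example).

Constructed sample data and illustrative thresholds; not DANTE's tool.
"""
import sqlite3
from collections import defaultdict

WINDOW = 60          # seconds per aggregation bucket
MIN_SOURCES = 10     # distinct sources hitting one target within a window
MIN_PPS = 500        # packets per second toward that target
MAX_AVG_BYTES = 100  # small average packet size is typical of floods


def constructed_flows():
    """Build sample flow lines (constructed, not real traffic).

    Format: start_epoch,src,dst,proto,sport,dport,packets,bytes.
    Two consecutive 60 s windows of a 12-source, 40-byte-packet flood at
    192.0.2.10:80, plus ordinary bulk transfers to 192.0.2.20.
    """
    lines = []
    for t0 in (980000040, 980000100):
        for i in range(12):
            lines.append(f"{t0},198.51.100.{i + 1},192.0.2.10,6,{1024 + i},80,5000,200000")
        for i in range(3):
            lines.append(f"{t0},203.0.113.{i + 1},192.0.2.20,6,{2000 + i},80,400,600000")
    return lines


def parse_flow(line):
    """Parse one record; reject malformed lines instead of silently skipping."""
    f = line.strip().split(",")
    if len(f) != 8:
        raise ValueError(f"malformed flow record: {line!r}")
    return {"start": int(f[0]), "src": f[1], "dst": f[2], "proto": int(f[3]),
            "sport": int(f[4]), "dport": int(f[5]),
            "packets": int(f[6]), "bytes": int(f[7])}


def aggregate(flows, window=WINDOW):
    """Per (window_start, dst): distinct sources, packet and byte totals."""
    agg = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    for fl in flows:
        key = (fl["start"] - fl["start"] % window, fl["dst"])
        bucket = agg[key]
        bucket["sources"].add(fl["src"])
        bucket["packets"] += fl["packets"]
        bucket["bytes"] += fl["bytes"]
    return agg


def detect(lines, window=WINDOW):
    """Return one alert per (window, target) exceeding all three thresholds."""
    flows = [parse_flow(line) for line in lines]
    alerts = []
    for (wstart, dst), b in sorted(aggregate(flows, window).items()):
        pps = b["packets"] / window
        avg_bytes = b["bytes"] / b["packets"] if b["packets"] else 0
        if (len(b["sources"]) >= MIN_SOURCES and pps >= MIN_PPS
                and avg_bytes <= MAX_AVG_BYTES):
            alerts.append({"window": wstart, "target": dst,
                           "sources": len(b["sources"]),
                           "pps": pps, "avg_bytes": avg_bytes})
    return alerts


def record_incidents(alerts, conn):
    """Fold per-window alerts into per-target incidents in a SQLite table.

    windows_seen grows while the same target keeps being hit, which is how
    the 'long lasting' attacks the message prioritises stand out from the
    rest.  Returns the incident rows for inspection.
    """
    conn.execute("""CREATE TABLE IF NOT EXISTS incident (
        target TEXT PRIMARY KEY, first_seen INTEGER, last_seen INTEGER,
        windows_seen INTEGER, max_sources INTEGER, max_pps REAL)""")
    for a in alerts:
        conn.execute("""INSERT INTO incident VALUES (?, ?, ?, 1, ?, ?)
            ON CONFLICT(target) DO UPDATE SET
              last_seen = excluded.last_seen,
              windows_seen = windows_seen + 1,
              max_sources = MAX(max_sources, excluded.max_sources),
              max_pps = MAX(max_pps, excluded.max_pps)""",
            (a["target"], a["window"], a["window"], a["sources"], a["pps"]))
    conn.commit()
    return conn.execute("SELECT target, first_seen, last_seen, windows_seen, "
                        "max_sources, max_pps FROM incident ORDER BY target").fetchall()


def run_demo():
    """Run detection over the constructed flows into an in-memory database."""
    conn = sqlite3.connect(":memory:")
    return record_incidents(detect(constructed_flows()), conn)


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

Only the flood target is reported: 12 sources at 1000 packets/s with 40-byte average packets over two consecutive windows, while the three bulk transfers (1500-byte packets, 20 packets/s) never trip a threshold. The incident table, rather than the per-window alerts, is what an operator would work from, since it already separates a single-window burst from an attack that persists.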


