[3883] in North American Network Operators' Group


Re: Access to the Internic Blocked

daemon@ATHENA.MIT.EDU (Daniel W. McRobb)
Sun Aug 25 21:39:32 1996

To: Vadim Antonov <avg@quake.net>
cc: curtis@ans.net, nanog@merit.edu
In-reply-to: Message from <avg@quake.net> of Fri Aug 23, 1996 12:52 EDT
             <199608231952.MAA00230@quest.quake.net> 
Date: Sun, 25 Aug 1996 21:31:12 EDT
From: "Daniel W. McRobb" <dwm@ans.net>


> Curtis Villamizar <curtis@ans.net> wrote:
> 
> >We have traced back such "clever" denial of service attacks before.
> >Within the last 6 months even.
> 
> >Have you forgotten that we log and keep track of source/destination
> >pairs.
> 
> I sincerely wish you good luck doing that at OC-12.   If you know
> a magic technology which can do that please let me know.
> Doing that at 10 kpps is not going to be a solution any time soon.

You're kidding, right?  10kpps has been doable (and done) for years.
Did you forget a zero or two?

The vBNS folks are about to release an OC-3 header sniffer that runs on
a Pentium box.  Rumor has it that it'll handle OC-12 as well.  There's a
presentation of it on the USENIX agenda.

> I would also wish you luck with logging SA/DA pairs at places like
> .ICP.NET. where source/destination matrix is about 1-2 million
> entries long.

1-2 million is not much.  Even in the NSFNET days, I worked w/
5-million-cell net matrices.  All it takes is memory and some CPU.

> >It is really easy for us to spot an incoming path with a set
> >of sources that were never coming from that direction and start
> >working backwards.
> 
> Yeah?  Over six backbones?

To the edge of our backbone, absolutely.  In someone else's backbone?
Of course not.

> >Other respectable providers cooperate.  Nearnet
> >for example flew out a person and workstation to track an attack
> >coming through them.
> 
> Cool.  Now, if such a bogon generator becomes something easily
> accessible to every newbie (as it is bound to become, sooner or
> later), that certainly will help.
> 
> >We have Unix boxes deployed in every POP, even
> >with our new backbone.  These watch over the FDDI rings.
> 
> That certainly helps people who already have to use FDDI switches.

We're not sniffing a shared FDDI ring w/ these UNIX boxes.  They get
data from the routers.  It doesn't matter what kind of media the packet
traversed to hit the router (switched FDDI included).

Daniel
~~~~~~
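
Added illustration, not part of the original message and not ANS's tooling: a small Python sketch of the approach the thread describes, keeping a source/destination net matrix from router-exported records and flagging an ingress point where several source nets that never came from that direction converge on one destination. The class and function names, the /24 aggregation, the record layout and the sample records are all assumptions made for this example.

```python
from collections import defaultdict
from ipaddress import ip_network

PREFIX_LEN = 24  # assumption: hosts are aggregated into /24 "nets"

def net_of(addr, plen=PREFIX_LEN):
    """Map a host address to the net (matrix row or column) it belongs to."""
    return ip_network(f"{addr}/{plen}", strict=False)

class NetMatrix:
    """Source/destination matrix plus the ingress points each source net used."""
    def __init__(self):
        self.cells = defaultdict(int)    # (src_net, dst_net) -> packet count
        self.seen_on = defaultdict(set)  # src_net -> ingress names seen in baseline

    def learn(self, records):
        """Fold baseline records (ingress, src, dst, packets) into the matrix."""
        for ingress, src, dst, pkts in records:
            s, d = net_of(src), net_of(dst)
            self.cells[(s, d)] += pkts
            self.seen_on[s].add(ingress)

    def unexpected(self, records):
        """Group source nets that arrive on an ingress they never used before."""
        out = defaultdict(set)           # (ingress, dst_net) -> {src_net, ...}
        for ingress, src, dst, _pkts in records:
            s = net_of(src)
            if ingress not in self.seen_on.get(s, ()):
                out[(ingress, net_of(dst))].add(s)
        return out

def suspect_ingress(matrix, records, min_sources=3):
    """Ingress points where >= min_sources unfamiliar nets hit one destination."""
    hits = matrix.unexpected(records)
    return sorted((ing, str(dst), len(srcs))
                  for (ing, dst), srcs in hits.items() if len(srcs) >= min_sources)

# Constructed sample records: (ingress point, source, destination, packets).
BASELINE = [("pop-east", "10.1.1.5", "10.9.0.10", 120),
            ("pop-east", "10.1.2.7", "10.9.0.10", 80),
            ("pop-west", "10.2.1.9", "10.9.0.10", 60),
            ("pop-west", "10.2.2.3", "10.9.1.20", 40)]
OBSERVED = [("pop-east", "10.1.1.8", "10.9.0.10", 100),   # usual direction
            ("pop-west", "10.1.1.77", "10.9.0.10", 900),  # east-side net via west
            ("pop-west", "10.7.3.1", "10.9.0.10", 900),   # never seen anywhere
            ("pop-west", "10.8.4.2", "10.9.0.10", 900),   # never seen anywhere
            ("pop-west", "10.2.1.4", "10.9.0.10", 50),    # usual direction
            ("pop-east", "10.6.6.6", "10.9.1.20", 5)]     # lone newcomer, ignored

if __name__ == "__main__":
    m = NetMatrix()
    m.learn(BASELINE)
    for ingress, dst, count in suspect_ingress(m, OBSERVED):
        print(f"{ingress}: {count} unfamiliar source nets toward {dst}")
```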
