[4596] in North American Network Operators' Group


Re: router syn/syn-ack/ack alarming...

daemon@ATHENA.MIT.EDU (George Herbert)
Wed Sep 18 19:35:43 1996

To: Vadim Antonov <avg@quake.net>
Cc: almes@advanced.org, nanog@merit.edu, gherbert@crl.com
In-Reply-To: Your message of "Wed, 18 Sep 1996 13:53:54 PDT."
             <199609182053.NAA00860@quest.quake.net> 
Date: Wed, 18 Sep 1996 15:35:23 -0700
From: George Herbert <gherbert@crl.com>


>We can borrow experience from utilities which employ automatic
>shut-offs of every possible kind for years.  Yes, they do create
>problems; but on overall balance it appears to be a very robust
>approach to preservation of the whole system's integrity.
>
>I really like the idea of the network being able to defend itself
>without dragging engineers out of beds in the middle of the night :)
>That will certainly remove a lot of incentive for hacker wannabes
>who appear to have only one goal in their lives -- to make life
>of operators miserable.

I think that perhaps a semi-automatic rather than fully automated
response might be the most useful.  Have someone at some 800# manned
24x7 whose job it is to filter reports of major network-type attacks.
At their discretion, they could issue an advisory announcing the
affected netblock and asking for everyone to start searching for
odd traffic to that netblock.  In normal times, the various filter
and log options would be off, so that performance isn't hit.
In an emergency, everyone turns them on for ten minutes and
enough info should be generated to track it out to a particular
NSP and perhaps to an ISP.  Automating the announcement and
filter turnon/turnoff would be nice, but may not be practical.

Fully automated would probably take hooks in router software
which don't exist now.  Semi-auto, where each NSP NOC can
temporarily enable the search on a particular target address
range, seems more practical.

-george
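
The "turn the logging on for ten minutes and see where it comes in" step above, as an added example that is not part of George Herbert's message or the NANOG archive. It takes the netblock named in the advisory and a batch of router log lines, counts bare SYNs (not SYN/ACKs, not UDP) destined to that netblock per ingress interface, and names the interface that carries the bulk of them, which is the upstream link to chase next. The log format, interface names, addresses and the helper names are all constructed for this illustration; a real router would emit something else and you would adapt the regex.

```python
"""Added example, not from the original NANOG post.

Toy version of the semi-automatic trace-back: given the netblock from an
advisory and ten minutes of access-list style log lines, find which
ingress interface the SYN flood is arriving on. Everything below (log
format, interface names, addresses, function names) is hypothetical.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample log in a made-up "in= src= dst= proto= flags=" format.
# Six bare SYNs to 192.0.2.10 arrive on serial0/1, one on serial0/2; the
# SYN/ACK, the UDP line and the SYN to a host outside the netblock are noise.
SAMPLE_LOG = """\
22:40:01 in=serial0/1 src=203.0.113.4 dst=192.0.2.10 proto=tcp flags=S
22:40:01 in=serial0/1 src=203.0.113.77 dst=192.0.2.10 proto=tcp flags=S
22:40:02 in=serial0/1 src=203.0.113.129 dst=192.0.2.10 proto=tcp flags=S
22:40:02 in=serial0/2 src=198.51.100.20 dst=192.0.2.10 proto=tcp flags=S
22:40:02 in=serial0/1 src=203.0.113.200 dst=192.0.2.10 proto=tcp flags=S
22:40:03 in=serial0/1 src=203.0.113.9 dst=198.51.100.5 proto=tcp flags=S
22:40:03 in=serial0/1 src=203.0.113.33 dst=192.0.2.10 proto=tcp flags=SA
22:40:03 in=serial0/1 src=203.0.113.250 dst=192.0.2.10 proto=udp flags=-
22:40:04 in=serial0/1 src=203.0.113.61 dst=192.0.2.10 proto=tcp flags=S
22:40:04 in=serial0/1 src=203.0.113.142 dst=192.0.2.10 proto=tcp flags=S
"""

LINE_RE = re.compile(
    r"in=(?P<iface>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+proto=(?P<proto>\S+)\s+flags=(?P<flags>\S+)"
)


def syn_ingress_summary(log_text, netblock):
    """Per ingress interface: (bare-SYN count, distinct source count)
    for packets destined to `netblock`.

    Only proto=tcp with flags exactly "S" is counted: SYN/ACKs are the
    victim's replies or legitimate handshakes, not the flood. The distinct
    source count is a cheap spoofing hint: a flood with as many sources as
    packets is almost certainly forged addresses.
    """
    net = ipaddress.ip_network(netblock)
    syns = Counter()
    sources = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unparseable line; a real tool would count these too
        if m["proto"] != "tcp" or m["flags"] != "S":
            continue
        if ipaddress.ip_address(m["dst"]) not in net:
            continue
        syns[m["iface"]] += 1
        sources[m["iface"]].add(m["src"])
    return {iface: (syns[iface], len(sources[iface])) for iface in syns}


def dominant_ingress(summary, min_share=0.8):
    """Name the interface carrying at least `min_share` of the SYNs.

    Returns None when no single link stands out, which is the case where
    the attack is coming in over several upstreams and each NSP on the
    advisory needs to run the same search on their side.
    """
    total = sum(count for count, _ in summary.values())
    if total == 0:
        return None
    iface, (count, _) = max(summary.items(), key=lambda kv: kv[1][0])
    return iface if count / total >= min_share else None


if __name__ == "__main__":
    summary = syn_ingress_summary(SAMPLE_LOG, "192.0.2.0/24")
    for iface, (count, nsrc) in sorted(summary.items()):
        print(f"{iface}: {count} SYNs from {nsrc} distinct sources")
    print("chase upstream on:", dominant_ingress(summary))
```

Run on the constructed sample, serial0/1 accounts for six of seven SYNs to the netblock, so that is the link whose far-side NSP gets the next phone call; the 80% threshold is an arbitrary knob, not anything the original message specifies.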
