[54194] in North American Network Operators' Group
RE: Identifying DoS-attacked IP address(es)
daemon@ATHENA.MIT.EDU (Livio Ricciulli)
Mon Dec 16 18:32:00 2002
Date: Mon, 16 Dec 2002 15:30:45 -0800
To: "Christopher L. Morrow" <chris@UU.NET>
From: Livio Ricciulli <livio@reactivenetwork.com>
Cc: "'Neil J. McRae'" <neil@DOMINO.ORG>,
"'Andre Chapuis'" <chapuis@ip-plus.net>,
"'Christopher L. Morrow'" <chris@UU.NET>, <nanog@nanog.org>
In-Reply-To: <Pine.GSO.4.33.0212162116320.22551-100000@rampart.argfrp.us.uu.net>
Errors-To: owner-nanog-outgoing@merit.edu
At 09:17 PM 12/16/2002 +0000, Christopher L. Morrow wrote:
>On Mon, 16 Dec 2002, Livio Ricciulli wrote:
>
> > FYI, we developed a system that sniffs FE,GE,DS3,OC3-48 POS and creates
> > a model using the cross-product of:
> > 1) source/destination address distributions
> > 2) packet rate
> > 3) protocol
>
>But I can't field deploy this 2 continents away at 4am with 10 mins
>notice...
Yes, there needs to be some up-front investment to proactively deploy these
boxes/taps in strategic places. I did some analysis and the numbers are
doable even for the largest networks.
But then we get into philosophy; I have a lot of screwdrivers at home
lying around but I would much rather invest in chisels than keep trying
to carve wood with flathead screwdrivers (but that's just me..)
Livio.