[54218] in North American Network Operators' Group


RE: Identifying DoS-attacked IP address(es) Sniffer

daemon@ATHENA.MIT.EDU (alex@yuriev.com)
Tue Dec 17 10:06:34 2002

Date: Tue, 17 Dec 2002 10:20:07 -0500 (EST)
From: alex@yuriev.com
To: Garrett_Lange@NAI.com
Cc: Brennan_Murphy@NAI.com, chapuis@ip-plus.net, nanog@nanog.org
In-Reply-To: <6084E7846673D311AC87009027AA6AA7097C83D2@tx-exchange2.na.nai.com>
Errors-To: owner-nanog-outgoing@merit.edu


> The Sniffer and other tools like it are meant to drink from a fire hose.
> So, is it far fetched to analyze a dozen or more OC-12's other than from a
> router??  No.  In fact carriers should embrace a different approach to
> further understand and analyze their backbone.  Analyzers with filters of
> attack/virus definitions can play a key role in fast, efficient response in
> the fight against distributed attacks.

Should the sales people trying to peddle their wares learn a bit about
underlying technologies and be forced to take Algebra 101 before being let loose
on NANOG?

So your SONET sniffer decodes STS->[other
stuff]->IP->[other-stuff]->app-layer and matches against definitions that
you have, and does it all in real-time, does not fall over due to load,
deals with fragmentation and asymmetric routing and so on. Oh, and then of
course it does it all in a secure manner since the traffic should not be
exposed to 3rd parties.

Yeah, right.

Alex
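The fragmentation point in the message above is easy to see in code. The following is an added example, not code from the thread or from any product discussed in it: it models IP-style fragments of one datagram with a constructed byte pattern (the signature, the `Fragment` class, the `Reassembler` and the sample traffic are all assumptions made for this illustration), and compares a per-fragment matcher with one that reassembles before matching.

```python
"""
Added example (not from the NANOG thread): a signature that is split across
IP fragments is invisible to a detector that inspects packets one at a time,
and is only visible after reassembly. Everything here is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical byte pattern the detector is looking for in payload data.
SIGNATURE = b"EVIL-PATTERN"


@dataclass(frozen=True)
class Fragment:
    """A simplified IP fragment: identification, byte offset, payload, more-fragments flag."""
    ident: int
    offset: int
    payload: bytes
    more: bool


def match_per_fragment(frags: List[Fragment], sig: bytes = SIGNATURE) -> bool:
    """Naive detector: looks at each fragment's payload in isolation."""
    return any(sig in f.payload for f in frags)


class Reassembler:
    """Collects fragments per identification and returns the datagram once complete."""

    def __init__(self) -> None:
        self._buf: Dict[int, Dict[int, Fragment]] = {}

    def add(self, f: Fragment) -> Optional[bytes]:
        parts = self._buf.setdefault(f.ident, {})
        parts[f.offset] = f
        return self._try_complete(f.ident)

    def _try_complete(self, ident: int) -> Optional[bytes]:
        parts = self._buf[ident]
        data = b""
        expected = 0
        for off in sorted(parts):          # walk fragments by byte offset
            f = parts[off]
            if off != expected:            # a gap means a fragment is still missing
                return None
            data += f.payload
            expected = off + len(f.payload)
            if not f.more:                 # last fragment seen and no gaps: done
                del self._buf[ident]
                return data
        return None                        # final fragment has not arrived yet


def match_with_reassembly(frags: List[Fragment], sig: bytes = SIGNATURE) -> bool:
    """Detector that reassembles first, then matches on the whole datagram."""
    r = Reassembler()
    for f in frags:
        datagram = r.add(f)
        if datagram is not None and sig in datagram:
            return True
    return False


def fragment(ident: int, payload: bytes, size: int) -> List[Fragment]:
    """Split a payload into fixed-size fragments (constructed traffic)."""
    frags = []
    for off in range(0, len(payload), size):
        chunk = payload[off:off + size]
        frags.append(Fragment(ident, off, chunk, off + size < len(payload)))
    return frags


# Constructed sample: the pattern straddles the third and fourth 8-byte fragments.
SAMPLE = fragment(42, b"GET /index.html?q=EVIL-PATTERN HTTP/1.0", 8)
# The same datagram arriving out of order, as a tap might see it.
REORDERED = list(reversed(SAMPLE))

if __name__ == "__main__":
    print("per-fragment match:", match_per_fragment(SAMPLE))        # False
    print("reassembled match:", match_with_reassembly(SAMPLE))      # True
    print("reassembled, reordered:", match_with_reassembly(REORDERED))  # True
```

The per-fragment matcher reports nothing on `SAMPLE` because no single 8-byte fragment contains the whole pattern; the reassembling matcher finds it, in either arrival order. The same limitation applies to asymmetric routing: a tap that sees only one direction of a flow cannot evaluate any definition that depends on both the request and the response, whatever the line rate of the analyzer.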

