Access to the Internic Blocked
Daniel W. McRobb
dwm at ans.net
Mon Aug 26 01:31:12 UTC 1996
> Curtis Villamizar <curtis at ans.net> wrote:
> >We have traced back such "clever" denial of service attacks before.
> >Within the last 6 months even.
> >Have you forgotten that we log and keep track of source/destination
> I sincerely wish you good luck doing that at OC-12. If you know
> a magic technology which can do that please let me know.
> Doing that at 10 kpps is not going to be a solution any time soon.
You're kidding, right? 10kpps has been doable (and done) for years.
Did you forget a zero or two?
The vBNS folks are about to release an OC-3 header sniffer that runs on
a Pentium box. Rumor has it that it'll handle OC-12 as well. There's a
presentation of it on the USENIX agenda.
> I would also wish you luck with logging SA/DA pairs at places like
> .ICP.NET. where source/destination matrix is about 1-2 millon
> entries long.
1-2 million is not much. Even in the NSFNET days, I worked w/
5-million-cell net matrices. All it takes is memory and some CPU.
> >It is really easy for us to spot in incoming path with a set
> >of sources that were never coming from that direction and start
> >working backwards.
> Yeah? Over six backbones?
To the edge of our backbone, absolutely. In someone else's backbone?
Of course not.
> >Other respectable providers cooperate. Nearnet
> >for example flew out a person and workstation to track an attack
> >coming through them.
> Cool. Now, if such a bogon generator becomes someting easily
> accessible to every newbie (as it is bound to become, sooner or
> later), that certainly will help.
> >We have Unix boxes deployed in every POP, even
> >with our new backbone. These watch over the FDDI rings.
> That certainly helps to people who already have to use FDDI switches.
We're not sniffing a shared FDDI ring w/ these UNIX boxes. They get
data from the routers. It doesn't matter what kind of media the packet
traversed to hit the router (switched FDDI included).
More information about the NANOG