NAP/ISP Saturation WAS: Re: Exchanges that matter...
David Schwartz
davids at wiznet.net
Fri Dec 20 23:11:58 UTC 1996
Your counter suggestion does not address the issues my suggestion
was intended to address. The primary issues I'm trying to address are:
1) Tracking of packets with spoofed IP address should, ideally, be automated.
2) Tracking of packets that are or may be part of DoS attacks should not be based upon origin IP because that can easily be forged.
3) Tracking of malicious packets should easily cross administrative boundaries.
If you think I'm suggesting that implementing a plan like I
suggested is trivial or doesn't have serious privacy and/or security
implications, rest assured, I know.
If you build a new protocol with new loopholes, people will work
around the loopholes and we'll be back where we started. I'd ideally
prefer a very solid method of tracking where packets come from. Tracing
the origin of packets you will receive anyway shouldn't have privacy
implications -- you're not supposed to be forging origin IPs anyway.
David Schwartz
On Fri, 20 Dec 1996, Alan Hannan wrote:
>
> why even do that? i'm not sure i want you triggering security
> mechanisms on my routers. Especially with the overhead
> implications, though that is the thread we're currently in [may it
> die soon].
>
> building an acl that allows packets matching those you're
> interested in, and applying it to 'debug ip packet ACL detail'
> is fairly simple.
>
> just sit there doing 'clear ip cache A.B.C.D W.X.Y.Z'. Find
> the next hop it's coming from, trace it along, mail your
> friendly peer or transit provider, or mail your friendly hacker's
> admins.
>
> granted, this is limited to the domain of routers you control,
> but it's pretty effective for finding out where the syn attack is
> coming from.
>
> this assumes the people who are dumb enough to keep syn-ing
> continue to be stupid enough to use originating source addresses
> like 234.231.0.33.
>
> -alan
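Point 1 of the message asks for spoofed-source tracking to be automated, and the quoted note relies on attackers using source addresses like 234.231.0.33, which is a multicast address and can never be a genuine unicast source. What follows is an added example, not code from either poster or from the NANOG list: a Python check that flags packet records whose source address is impossible (multicast, loopback, unspecified, reserved) or does not belong to the prefixes assigned to the ingress interface it arrived on, i.e. the per-interface source check a provider can apply within the routers it controls. The interface names, prefix assignments and log lines are constructed for illustration.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample: the source prefixes that are legitimate on each
# customer-facing ingress interface (hypothetical assignments, not real ones).
EXPECTED_SOURCES: Dict[str, List[ipaddress.IPv4Network]] = {
    "Serial0": [ipaddress.ip_network("192.0.2.0/24")],
    "Serial1": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed sample records in the form "ingress-interface src dst".
SAMPLE_LOG = """\
Serial0 192.0.2.17 203.0.113.5
Serial0 234.231.0.33 203.0.113.5
Serial1 198.51.100.9 203.0.113.5
Serial1 192.0.2.40 203.0.113.5
Serial0 127.0.0.1 203.0.113.5
Serial0 0.0.0.0 203.0.113.5
"""


def classify_source(iface: str, src: str) -> Optional[str]:
    """Return a reason string if the source cannot be genuine on this
    ingress interface, or None if it passes every check."""
    addr = ipaddress.ip_address(src)
    # Address classes that are never valid as a unicast packet source.
    if addr.is_multicast:
        return "multicast source"
    if addr.is_loopback:
        return "loopback source"
    if addr.is_unspecified or addr in ipaddress.ip_network("0.0.0.0/8"):
        return "unspecified source"
    if addr.is_reserved:
        return "reserved source"
    # Ingress check: a customer-facing interface should only carry sources
    # from the prefixes assigned to that customer. Interfaces with no entry
    # (e.g. transit/peering links) are not checked here.
    allowed = EXPECTED_SOURCES.get(iface)
    if allowed is not None and not any(addr in net for net in allowed):
        return "source not assigned to ingress interface"
    return None


def find_spoofed(log_text: str) -> List[dict]:
    """Scan whitespace-separated 'iface src dst' records and return one
    finding per record whose source fails classify_source()."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        iface, src, dst = line.split()
        reason = classify_source(iface, src)
        if reason is not None:
            findings.append({"iface": iface, "src": src, "dst": dst, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_spoofed(SAMPLE_LOG):
        print(f"{f['iface']}: {f['src']} -> {f['dst']}: {f['reason']}")
```

The check stays within the limits the quoted note describes: it only identifies that a packet entered on a given interface with a source it should not carry, which tells you which neighbouring network to contact next, not who originated the packet.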