router syn/syn-ack/ack alarming...
George Herbert
gherbert at crl.com
Wed Sep 18 22:35:23 UTC 1996
>We can borrow experience from utilities which employ automatic
>shut-offs of every possible kind for years. Yes, they do create
>problems; but on overall balance it appears to be a very robust
>approach to preservation of the whole system's integrity.
>
>I really like the idea of the network being able to defend itself
>without dragging engineers out of beds in the middle of the night :)
>That will certainly remove a lot of incentive for hacker wannabes
>who appear to have only one goal in their lives -- to make life
>of operators miserable.
I think that perhaps a semi-automatic rather than fully automated
response might be the most useful. Have someone at some 800# manned
24x7 whose job it is to filter reports of major network-type attacks.
At their discretion, they could issue an advisory annoucing the
affected netblock and asking for everyone to start searching for
odd traffic to that netblock. In normal times, the various filter
and log options would be off, so that performance isn't hit.
In an emergency, everyone turns them on for ten minutes and
enough info should be generated to track it out to a particular
NSP and perhaps to an ISP. Automating the announcement and
filter turnon/turnoff would be nice, but may not be practical.
Fully automated would probably take hooks in router software
which don't exist now. Semi-auto, where each NSP NOC can
temporarily enable the search on a particular target address
range, seems more practical.
-george
More information about the NANOG
mailing list