Identifying DoS-attacked IP address(es)

Livio Ricciulli livio at reactivenetwork.com
Mon Dec 16 23:30:45 UTC 2002


At 09:17 PM 12/16/2002 +0000, Christopher L. Morrow wrote:

>On Mon, 16 Dec 2002, Livio Ricciulli wrote:
>
> > FYI, we developed a system that sniffs FE,GE,DS3,OC3-48 POS and creates
> > a model using the cross-product of:
> > 1) source/destination address distributions
> > 2) packet rate
> > 3) protocol
>
>But I can't field deploy this 2 continents away at 4am with 10 mins
>notice...



Yes, there needs to be some up-front investment to proactively deploy
these boxes/taps in strategic places. I did some analysis and the
numbers are doable even for the largest networks.

But then we get into philosophy; I have a lot of screwdrivers at home
lying around but I would much rather invest in chisels rather than keep
trying to carve wood with flathead screwdrivers (but that's just me..)

Livio.




