nanog mailing list archives
Re: Ping flooding (fwd)
From: Curtis Villamizar <curtis () ans net>
Date: Tue, 09 Jul 1996 14:21:32 -0400
In message <Pine.BSI.3.93.960708190406.27458F-100000 () sidhe memra com>, Michael Dillon writes:
> Is anyone working on tools to help NSPs quickly backtrack this kind of thing?
The NSS routers allow us to do statistical sampling continuously and the occurrence of a source address at an entry point where it does not usually enter can be detected and has in the past been used to follow up these sorts of attacks after the fact. Other routers are not capable of doing this but if the offense is repeated, successive monitoring can be set up until the source is isolated.

We have requested the same sort of statistical sampling from Cisco and Bay (and BNR/NSC). It is a long ways back on the development schedule for all but Bay. It requires a hook in the forwarding path and is a bit memory intensive and requires some, but not a lot of CPU on the processor given the task of summarization (usually the processor doing routing, not necessarily for Bay - not sure yet). The RS6000s are typically running in the range of 50% to 90% CPU idle if you check one second intervals or 75% to 90% if you check 10 second intervals unless very major sustained route flap is occurring (or cron kicks something off). Mileage will vary with router design.

The main purpose of the statistical sampling is traffic engineering, but it sometimes comes in handy for following up on attacks with forged source addresses. Requests for this type of data for security followups have been very infrequent.

Curtis
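The check described in the message above (a source address showing up at an entry point where it does not usually enter) can be sketched over sampled packet records. This is an added example, not code from the post or from the NSS routers. The /24 aggregation, the thresholds, the entry-point names and all sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample data: (entry_point, source_address) per sampled packet.
# Entry-point names are hypothetical; addresses are documentation ranges.
BASELINE = ([("entry-A", f"198.51.100.{i}") for i in range(1, 21)]
            + [("entry-B", f"203.0.113.{i}") for i in range(1, 19)]
            + [("entry-A", "203.0.113.200"), ("entry-A", "203.0.113.201")])
WINDOW = ([("entry-C", "198.51.100.7")] * 5    # source seen at an unusual entry
          + [("entry-A", "198.51.100.9")] * 4  # normal entry for this prefix
          + [("entry-A", "203.0.113.5")] * 3   # minority path, but established
          + [("entry-C", "192.0.2.1")])        # single sample: treated as noise


def prefix_of(addr, plen=24):
    """Aggregate a source address to its covering prefix (assumed /24)."""
    return ipaddress.ip_network(f"{addr}/{plen}", strict=False)


def build_baseline(samples, plen=24):
    """Count, per source prefix, how often each entry point carried it."""
    seen = defaultdict(Counter)
    for entry, src in samples:
        seen[prefix_of(src, plen)][entry] += 1
    return seen


def unusual_entries(baseline, window, plen=24, min_share=0.05, min_hits=3):
    """Flag (prefix, entry) pairs whose entry point carried under min_share
    of that prefix's baseline samples. min_hits suppresses sampling noise."""
    hits = Counter((prefix_of(src, plen), entry) for entry, src in window)
    flagged = {}
    for (pfx, entry), n in hits.items():
        if n < min_hits:
            continue
        hist = baseline.get(pfx, Counter())
        total = sum(hist.values())
        share = hist[entry] / total if total else 0.0
        if share < min_share:
            usual = sorted(e for e, c in hist.items() if c / total >= min_share)
            flagged[(str(pfx), entry)] = {"hits": n, "usual": usual}
    return flagged


if __name__ == "__main__":
    for key, info in unusual_entries(build_baseline(BASELINE), WINDOW).items():
        print(key, info)
```

The `usual` list gives the entry points to compare against when following up; a prefix with no baseline history is flagged with an empty list.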