nanog mailing list archives
Re: NAP/ISP Saturation WAS: Re: Exchanges that matter...
From: David Schwartz <davids () wiznet net>
Date: Fri, 20 Dec 1996 18:11:58 -0500 (EST)
Your counter suggestion does not address the issues my suggestion was intended to address. The primary issues I'm trying to address are:

1) Tracking of packets with spoofed IP address should, ideally, be automated.

2) Tracking of packets that are or may be part of DoS attacks should not be based upon origin IP because that can easily be forged.

3) Tracking of malicious packets should easily cross administrative boundaries.

If you think I'm suggesting that implementing a plan like I suggested is trivial or doesn't have serious privacy and/or security implications, rest assured, I know. If you build a new protocol with new loopholes, people will work around the loopholes and we'll be back where we started. I'd ideally prefer a very solid method of tracking where packets come from. Tracing the origin of packets you will receive anyway shouldn't have privacy implications -- you're not supposed to be forging origin IPs anyway.

David Schwartz

On Fri, 20 Dec 1996, Alan Hannan wrote:
why even do that? i'm not sure i want you triggering security mechanisms on my routers. Especially with the overhead implications, though that is the thread we're currently in [may it die soon].

building an acl that allows packets matching those you're interested in, and applying it to 'debug ip packet ACL detail' is fairly simple. just sit there doing 'clear ip cache A.B.C.D W.X.Y.Z'. Find the next hop it's coming from, trace it along, mail your friendly peer or transit provider, or mail your friendly hacker's admins.

granted, this is limited to the domain of routers you control, but it's pretty effective for finding out where the syn attack is coming from.

this assumes the people who are dumb enough to keep syn-ing continue to be stupid enough to use originating source addresses like 234.231.0.33.

-alan
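An added example, not part of either message: a Python sketch of the hop-by-hop trace described in the quoted reply, counting SYNs whose source address cannot be a real origin (such as 234.231.0.33, which falls in the multicast range 224.0.0.0/4) per router and ingress interface. The record format, the router and interface names, and the sample lines are constructed for illustration; as both messages note, this only finds floods that use obviously invalid sources.

```python
import ipaddress
from collections import Counter

# Ranges that can never be a legitimate unicast origin on the public Internet.
BOGON_SOURCES = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

def is_bogon(src):
    """True if `src` lies in a range that cannot be a real packet origin."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in BOGON_SOURCES)

def parse(line):
    """Parse one constructed record: 'router in_if src dst flags'."""
    router, in_if, src, dst, flags = line.split()
    return {"router": router, "in_if": in_if, "src": src, "dst": dst, "flags": flags}

def ingress_of_spoofed_syns(lines, victim):
    """Count bare SYNs to `victim` with impossible sources per (router, ingress interface)."""
    hits = Counter()
    for rec in map(parse, lines):
        if rec["dst"] == victim and rec["flags"] == "S" and is_bogon(rec["src"]):
            hits[(rec["router"], rec["in_if"])] += 1
    return hits

def next_hop_to_chase(lines, victim):
    """Return the (router, interface) carrying most of the spoofed SYNs, or None."""
    hits = ingress_of_spoofed_syns(lines, victim)
    return hits.most_common(1)[0][0] if hits else None

# Constructed sample records (not real traffic); 192.0.2.10 stands in for the victim.
SAMPLE = [
    "edge1 Serial0 234.231.0.33 192.0.2.10 S",
    "edge1 Serial0 234.231.0.34 192.0.2.10 S",
    "edge1 Serial1 198.51.100.7 192.0.2.10 S",      # plausible source, not counted
    "edge1 Serial0 10.1.2.3 192.0.2.10 S",
    "edge1 Ethernet0 192.0.2.10 198.51.100.7 SA",   # victim's reply, wrong direction
    "core2 Hssi1 234.231.0.33 192.0.2.10 S",
]

if __name__ == "__main__":
    for (router, in_if), n in ingress_of_spoofed_syns(SAMPLE, "192.0.2.10").most_common():
        print(f"{router} {in_if}: {n} spoofed SYNs")
```

The interface with the highest count is the one whose upstream neighbor gets the next look, or the e-mail to the peer or transit provider once the trace leaves routers you control.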