nanog mailing list archives

Previous By Date Next
Previous By Thread Next

!white.house, !panacea, new traceback paper from stefan savage

From: k claffy <kc () caida org>
Date: Mon, 14 Feb 2000 12:54:50 -0800




(not sure if this has been posted yet, sorry if so)
new relevant paper worth checking out by stefan savage et al 
(david, ann, tom, all UW)
disclaimer, these folks just at the "explore the problem" stage 
and not the "propose a complete implementation now" stage. 


but exploring the problem
is good


  From Stefan:
  On Thu, Feb 10, 2000 at 05:14:56PM -0800, Stefan Savage wrote:
  Hi KC,

        We've been doing some work on efficient network support 
        for tracing denial-of-service attacks and all of a sudden 
        the topic has some relevance (a strange experience as
        a researcher ;-).  Anyway, this seemed like a good time 
        to introduce our work and try to get some feedback on it.  
        We've put a copy of our paper at:
  
        http://www.cs.washington.edu/homes/savage/traceback.html
  
        If you have a moment, we'd definitely appreciate any comments
        you might have.  We're also especially interested in getting
        feedback from the ISP operations community and from equipment
        vendors, so please feel free to forward this to anyone you
        think might be interested.  Thanks!

  - Stefan
    <savage () cs washington edu>, 
    coauthor david wetherall <djw () cs washington edu>
        (and anna and tom)




speaking of non-panaceas,
brett mentioned caida passive monitoring for security.
lemme clarify, 
coralreef has some bits that can detect port-scanning and
then auto-trigger full framed collection on specific filter
        http://www.caida.org/Tools/CoralReef/

but it's quite different animal from traceback 
eg., what rstone's centertrack trying to do
        http://www.nanog.org/mtg-9910/robert.html
        (not sure where that stands wrt deployment)

or what ddrew's cisco-based DOStracker did for what's.now.cw.net

  brettw also said

  if we installed passive monitors on IX links between providers, we
  might be able to do some interesting security traces.

reckon you[pl.]'d have to install a lot of them
and some facility for correlating among them
(and at least coral doesn't have any of that yet,
nor any kind of auto-paging when something looks suspicious)

again, nothing money & hardware & code & a NOC contact list 
can't heavily dent in a year or 2 if folks wanted it badly enough.  
and with other positive benefits to boot.
(in case folks think the malice of undersocial teenagers 
is the biggest threat we face...)
Previous By Date Next
Previous By Thread Next

Current thread: