nanog mailing list archives
RE: Interesting new spam technique - getting a lot more popular.
From: "Peter Phaal" <peter.phaal () inmon com>
Date: Thu, 15 Jun 2006 11:12:19 -0700
Has anyone considered using sFlow to detect this type of bad behavior? Many layer 2 switches vendors mentioned in the discussion support sFlow (see http://www.sflow.org/products/network.php for a list). sFlow operates at layer 2 (think of it as a kind of remote sampled mirror port capability that lets you capture the first 128 bytes of Ethernet frames from every l2/l3 switch port in the data center). Information that you could get from sFlow that is relevant to the discussion include: ingress switch port, source and destination mac addresses, vlans, ip addresses, ARP targets and senders, layer 4 protocol and ports. Peter
Current thread:
- Re: Interesting new spam technique - getting a lot more popular., (continued)
- Re: Interesting new spam technique - getting a lot more popular. Florian Weimer (Jun 14)
- RE: Interesting new spam technique - getting a lot more popular. John van Oppen (Jun 13)
- Re: Interesting new spam technique - getting a lot more popular. Payam Chychi (Jun 13)
- RE: Interesting new spam technique - getting a lot more popular. Edward B. DREGER (Jun 13)
- RE: Interesting new spam technique - getting a lot more popular. John van Oppen (Jun 14)
- Re: Interesting new spam technique - getting a lot more popular. Warren Kumari (Jun 14)
- Re: Interesting new spam technique - getting a lot more popular. Mark Smith (Jun 15)
- Re: Interesting new spam technique - getting a lot more popular. Warren Kumari (Jun 14)
- RE: Interesting new spam technique - getting a lot more popular. Church, Chuck (Jun 14)
- Re: Interesting new spam technique - getting a lot more popular. Patrick W. Gilmore (Jun 14)
- RE: Interesting new spam technique - getting a lot more popular. Christopher L. Morrow (Jun 14)
- RE: Interesting new spam technique - getting a lot more popular. Peter Phaal (Jun 15)