>>We have traced back such "clever" denial of service attacks before.
>>Within the last 6 months even.
>>Have you forgotten that we log and keep track of source/destination
>>pairs.

>I sincerely wish you good luck doing that at OC-12. If you know
>a magic technology which can do that please let me know.
>Doing that at 10 kpps is not going to be a solution any time soon.

You're kidding, right? 10kpps has been doable (and done) for years.
Did you forget a zero or two?

The vBNS folks are about to release an OC-3 header sniffer that runs on
a Pentium box. Rumor has it that it'll handle OC-12 as well. There's a
presentation of it on the USENIX agenda.

>I would also wish you luck with logging SA/DA pairs at places like
>.ICP.NET. where source/destination matrix is about 1-2 million
>entries long.

1-2 million is not much. Even in the NSFNET days, I worked w/
5-million-cell net matrices. All it takes is memory and some CPU.

>>It is really easy for us to spot in incoming path with a set
>>of sources that were never coming from that direction and start
>>working backwards.

>Yeah? Over six backbones?

To the edge of our backbone, absolutely. In someone else's backbone?
Of course not.

>>Other respectable providers cooperate. Nearnet
>>for example flew out a person and workstation to track an attack
>>coming through them.

>Cool. Now, if such a bogon generator becomes something easily
>accessible to every newbie (as it is bound to become, sooner or
>later), that certainly will help.

>>We have Unix boxes deployed in every POP, even
>>with our new backbone. These watch over the FDDI rings.

>That certainly helps people who already have to use FDDI switches.

We're not sniffing a shared FDDI ring w/ these UNIX boxes. They get
data from the routers. It doesn't matter what kind of media the packet
traversed to hit the router (switched FDDI included).
Daniel
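Worked example, added by the editor and not part of the thread above: a small Python model of the technique the message describes, keeping a source/destination matrix per ingress interface from router-exported flow records, and then flagging sources that show up on an ingress they never arrived from in the baseline (the "set of sources that were never coming from that direction" check). It also sizes the matrix so the "1-2 million entries" figure can be put in bytes. The interface names, addresses, flow records, /24 aggregation and 16-bytes-per-cell estimate are all assumptions made for the example; none of them come from the thread.

```python
"""Per-ingress source/destination matrix and wrong-direction detection.

Editor-added illustration; not code from the thread or from any provider.
"""
from collections import defaultdict
import ipaddress

# Constructed sample flow records in the shape a router's accounting export
# might give: (ingress_interface, src_ip, dst_ip, packets).  Hypothetical
# interface names and documentation-range addresses.
BASELINE_FLOWS = [
    ("fddi0",   "192.0.2.10",  "198.51.100.5", 120),   # customer A via fddi0
    ("fddi0",   "192.0.2.77",  "198.51.101.9",  40),
    ("serial1", "203.0.113.4", "198.51.100.5", 300),   # peer via serial1
    ("serial1", "203.0.113.9", "198.51.102.7",  25),
]

SUSPECT_FLOWS = [
    ("serial1", "203.0.113.4", "198.51.100.5",   10),  # normal direction
    ("serial1", "192.0.2.10",  "198.51.100.5", 9000),  # customer A's source, wrong way in
    ("serial1", "192.0.2.11",  "198.51.100.5", 9000),  # same /24, wrong way in
    ("fddi0",   "10.99.0.1",   "198.51.100.5",  500),  # source never seen anywhere
]


def prefix(ip, length=24):
    """Aggregate an address to its /length prefix so the matrix stays bounded."""
    return str(ipaddress.ip_network(f"{ip}/{length}", strict=False))


def build_matrix(flows, length=24):
    """Return {ingress: {(src_prefix, dst_prefix): packets}} from flow records."""
    matrix = defaultdict(lambda: defaultdict(int))
    for ingress, src, dst, pkts in flows:
        matrix[ingress][(prefix(src, length), prefix(dst, length))] += pkts
    return matrix


def entry_count(matrix):
    """Total number of (src, dst) cells across all ingress interfaces."""
    return sum(len(cells) for cells in matrix.values())


def matrix_bytes(cells, bytes_per_cell=16):
    """Rough memory for a packed matrix: assumed 4-byte src + 4-byte dst + 8-byte counter."""
    return cells * bytes_per_cell


def known_ingresses(matrix):
    """Map each source prefix to the set of ingress interfaces it arrived on."""
    seen = defaultdict(set)
    for ingress, cells in matrix.items():
        for src_pfx, _dst_pfx in cells:
            seen[src_pfx].add(ingress)
    return seen


def find_wrong_direction(baseline, flows, length=24):
    """Flag sources in `flows` arriving on an ingress the baseline never saw them on.

    Returns a sorted list of (ingress, src_prefix, expected_ingresses), where
    expected_ingresses is the tuple of interfaces the prefix normally arrives
    on (empty if the prefix was never seen at all).  Working backwards from
    the ingress is then the operator's next step.
    """
    seen = known_ingresses(baseline)
    hits = {}
    for ingress, src, _dst, _pkts in flows:
        src_pfx = prefix(src, length)
        if ingress not in seen.get(src_pfx, set()):
            hits[(ingress, src_pfx)] = tuple(sorted(seen.get(src_pfx, ())))
    return sorted((i, p, e) for (i, p), e in hits.items())


if __name__ == "__main__":
    baseline = build_matrix(BASELINE_FLOWS)
    print("baseline cells:", entry_count(baseline))
    print("2M cells would need about", matrix_bytes(2_000_000) // 2**20, "MiB")
    for ingress, src_pfx, expected in find_wrong_direction(baseline, SUSPECT_FLOWS):
        print(f"{src_pfx} seen on {ingress}; normally from {expected or 'nowhere'}")
```

Aggregating to /24 keeps the matrix near the sizes quoted in the thread rather than per-host; a real deployment would pick the aggregation and baseline window to match its own traffic, and would not treat a prefix as "expected" from an ingress merely because a few spoofed packets once arrived there.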