ICMP Attacks???????

Josh Beck writes:

>   I think it's critical that routers be capable of logging the
> hardware addresses of ICMP, along with source addresses, so that these
> attacks can be traced across shared media at exchanges.

ICMP is only one of a dozen ways to attack people. There is no point
in specially targeting ICMP.

Unfortunately, it is, in practice, impossible to log ALL the traffic
across a very busy router at an exchange point.

In my opinion, the only long-term solution here is software that is
"smart" about tracebacks -- that is, can be directed in real time to
log certain classes of traffic.


> ICMP is only one of a dozen ways to attack people. There is no point
> in specially targeting ICMP.

Of course... so you have the capability to turn on logging for certain
protocols or interfaces or whatever for a short time. If someone is seeing
ICMP packets with random source addresses, for instance, a 20-second sample
of a busy interface can provide enough information to trace this (with
hardware addresses). And this is something that can be done right away.

> In my opinion, the only long-term solution here is software that is
> "smart" about tracebacks -- that is, can be directed in real time to
> log certain classes of traffic.

  It would be nice, but for now logging the hardware addresses along
with the IP addresses would be cool.

Josh Beck jbeck@connectnet.com
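
An added illustration, not part of the original thread and not any router vendor's code: a sketch of the short targeted sample discussed above, which tallies ICMP packets addressed to one victim by source hardware address, so the neighbour on the shared segment that is delivering them stands out even when the source IP addresses are random. It assumes untagged Ethernet II/IPv4 frames supplied as (timestamp, bytes) pairs; the function names, MAC addresses and sample frames are constructed for the example.

```python
import struct
from collections import Counter, defaultdict

def parse_icmp(frame):
    """Return (src_mac, src_ip, dst_ip) for an untagged Ethernet II/IPv4/ICMP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                      # too short, or not IPv4 (ARP, IPv6, VLAN-tagged)
    if frame[14] >> 4 != 4 or frame[23] != 1:
        return None                      # not IP version 4, or protocol is not ICMP (1)
    dotted = lambda b: ".".join(map(str, b))
    return frame[6:12].hex(":"), dotted(frame[26:30]), dotted(frame[30:34])

def trace_sample(frames, victim_ip, start, window=20.0):
    """Tally, per source hardware address, ICMP packets sent to victim_ip during
    [start, start + window), plus how many distinct source IPs each address claimed."""
    packets, claimed = Counter(), defaultdict(set)
    for ts, frame in frames:
        if not start <= ts < start + window:
            continue
        parsed = parse_icmp(frame)
        if parsed and parsed[2] == victim_ip:
            packets[parsed[0]] += 1
            claimed[parsed[0]].add(parsed[1])
    return [(mac, n, len(claimed[mac])) for mac, n in packets.most_common()]

# --- Constructed sample data (documentation IP ranges, made-up MAC addresses) ---
def make_frame(src_mac, src_ip, dst_ip, proto=1):
    eth = bytes.fromhex("020000000099") + bytes.fromhex(src_mac) + b"\x08\x00"
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, proto, 0,
                      bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + hdr + bytes(8)          # 8 zero bytes stand in for the ICMP header

VICTIM = "192.0.2.10"
SAMPLE = [(100.0 + i, make_frame("0200000000a1", f"198.51.100.{i + 1}", VICTIM)) for i in range(6)]
SAMPLE += [
    (101.5, make_frame("0200000000b2", "203.0.113.7", VICTIM)),             # one ordinary ping
    (102.0, make_frame("0200000000a1", "198.51.100.50", VICTIM, proto=6)),  # TCP, ignored
    (103.0, make_frame("0200000000c3", "203.0.113.9", "192.0.2.77")),       # other destination
    (130.0, make_frame("0200000000a1", "198.51.100.99", VICTIM)),           # outside the window
]

if __name__ == "__main__":
    for mac, count, sources in trace_sample(SAMPLE, VICTIM, start=100.0):
        print(f"{mac}  packets={count}  distinct_source_ips={sources}")
```
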