Ping flooding (fwd)

The NSS routers allow us to do statistical sampling continuously and
the occurance of a source address at an entry point where it does not
usually enter can be detected and has in the past been used to
followup these sort of attacks after the fact. Other routers are not
capable of doing this but if the offense is repeated, successive
monitoring can be set up until the source is isolated.

We have requested the same sort of statistical sampling from Cisco and
Bay (and BNR/NSC). It is a long ways back on the development schedule
for all but Bay. It requires a hook in the forwarding path and is a
bit memory intensive and requires some, but not a lot of CPU on the
processor given the task of summarization (usually the processor doing
routing, not neccesarily for Bay - not sure yet). The RS6000s are
typically running in the range of 50% to 90% CPU idle if you check one
second intervals or 75% to 90% if you check 10 second intervals unless
very major sustained route flap in occurring (or cron kicks something
off). Milage will vary with router design.

The main purpose of the statistical sampling is traffic engineering,
but it sometimes comes in handy for following up on attacks with
forged source addresses. Requests for this type of data for security
followups have been very infrequent.


Maybe I'm missing something, but flow switching stats from Ciscos
should do exactly this:

SrcIf SrcIPaddress DstIf DstIPaddress Pr DstP SrcP Pkts B/Pk Active
Se1/0 Se1/6 11 0035 0035 2 69 0.0
Et0/2 Se1/1 06 0050 0FA3 2 40 0.0
Se1/5 Se1/0 11 0035 0035 2 69 0.0
Se1/1 Et0/1 06 0413 0050 4 44 9.6
Se1/5 Se1/7 06 0407 0050 124 40 207.6
Se1/7 Se1/6 06 0050 0405 648 550 673.4
Se1/5 Se1/0 06 0430 0050 5 164 6.2

etc, etc. Dump, then grep.