Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: NAP/ISP Saturation WAS: Re: Exchanges that matter...

  • From: David Schwartz
  • Date: Fri Dec 20 18:16:06 1996

	Your counter suggestion does not address the issues my suggestion 
was intended to address. The primary issues I'm trying to address is:

	1) Tracking of packets with spoofed IP address should, ideally, 
be automated.

	2) Tracking of packets that are or may be part of DoS attacks 
should not be based upon origin IP because that can easily be forged.

	3) Tracking of malicious packets should easily cross 
administrative boundaries.

	If you think I'm suggesting that implementing a plan like I 
suggested is trivial or doesn't have serious privacy and/or security 
implications, rest assured, I know.

	If you build a new protocol with new loopholes, people will work 
around the loopholes and we'll be back where we started. I'd ideally 
prefer a very solid method of tracking where packets come from. Tracing 
the origin of packets you will receive anyway shouldn't have privacy 
implications -- you're not supposed to be forgin origin IPs anway.

	David Schwartz

On Fri, 20 Dec 1996, Alan Hannan wrote:

> 
>   why even do that?  i'm not sure i want you triggering security
>   mechanisms on my routers.  Especially with the overhead
>   implications, though that is the thread we're currently in [may it
>   die soon].
> 
>   building an acl that allows packets matching those you're
>   interested in, and applying it to 'debug ip packet ACL detail'
>   is fairly simple.
> 
>   just sit there doing 'clear ip cache A.B.C.D W.X.Y.Z'.  Find 
>   the next hop it's coming from, trace it along, mail your 
>   friendly peer or transit provider, or mail your friendly hacker's
>   admins.
> 
>   granted, this is limited to the domain of routers you control, 
>   but it's pretty effective for finding out where the syn attack is
>   coming from.
> 
>   this assumes the people who are dumb enough to keep syn-ing 
>   continue to be stupid enough to use originating source addresses 
>   like 234.231.0.33.
> 
>   -alan
- - - - - - - - - - - - - - - - -




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.