Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

DoS tracking service

  • From: Jeremy Porter
  • Date: Wed Apr 22 16:06:49 1998

Just forwarding this for a friend.

------- Forwarded Message

Date:    Wed, 22 Apr 1998 11:16:48 -0700
From:    "Steve Uurtamo" <uurtamo@AZStarNet.com>
To:      jerry@fc.net
Subject: Re: Filtering ICMP (Was Re: SMURF amplifier block list)

> Okay, so it's clear that we need to come up with some sort of sol'n
> to these kinds of problems.
> 
> Here's my two cents:
> 
> Don't block all of ICMP.  Block pings and traceroutes if you think that
> it's going to make your life better, but please don't break anything else.
> 
> We need a low-pain protocol to allow provider NOCs to check out a
> few salient things on their upstream provider's/peers routers --
> e.g. which interface a particular spoofed packet is coming from, the IP
> address of the remote-side interface, etc., etc., all the way back
> to the source.  This would allow provider NOCs to track this stuff
> down themselves.  No more 6 hour phone calls to people with various
> degrees of clue/time/energy for a problem that may only occur for
> 15 minutes at a time, every 4 hours.
> 
> It wouldn't be hard to jimmy this protocol (in case people care) such that
> you would ONLY be able to track back to a particular NOC's router if all
> of the inbetween-routers had "signed off" on the fact that what you're lookin
g
> for (specific dst/src or packet type) had actually SHOWN UP on them as well.
> It wouldn't have to continuously check this -- just check once and PK-encrypt
> the timestamp into the signature on the authentication packet.  Various
> timeouts could be configured by individual NOCs.  (Yes, each NOC could have
> its own PK value -- but there would only have to be one per AS).
> 
> Before everyone gets all hot and bothered about the suggestion that I'm
> making -- I'm not talking about arbitrary packet sniffing -- I'm talking
> about sniffing HEADERS on packets whose dst address (or packet type or 
> whatever everyone agrees is significant) is inside the domain of the dst 
> provider.  Not a big deal.  I really don't think that it's that
> much to give up -- hell, digex already allows me to dump their entire BGP
> table anytime I want -- i'm just talking about some very minimal tracking
> ability.
> 
> Some companies, such as sprint, who may have hundreds of customers plugged
> into a single router, may not want to do this.  But frankly, without this,
> we're all dependent upon the clue/time/energy of some guy who's busy doing
> his own thing, and we aren't guaranteed timely and accurate information.
> 
> Actually, now that I think of it, you could almost jimmy this out of a
> few hours of PGP-wrapped SNMP-calling perl scripts listening to some
> fixed socket at some fixed (and published) IP address of each network
> provider.  No reason to dick with the router code if no need to.
> 
> 
> What say ye?  
> 
> 
> 
> steve



------- End of Forwarded Message





Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.