Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

!white.house, !panacea, new traceback paper from stefan savage

  • From: k claffy
  • Date: Mon Feb 14 16:00:16 2000




(not sure if this has been posted yet, sorry if so)
new relevant paper worth checking out by stefan savage et al 
(david, ann, tom, all UW)
disclaimer, these folks just at the "explore the problem" stage 
and not the "propose a complete implementation now" stage. 


but exploring the problem
is good


  From Stefan:
  On Thu, Feb 10, 2000 at 05:14:56PM -0800, Stefan Savage wrote:
  Hi KC,

  	We've been doing some work on efficient network support 
	for tracing denial-of-service attacks and all of a sudden 
	the topic has some relevance (a strange experience as
	a researcher ;-).  Anyway, this seemed like a good time 
	to introduce our work and try to get some feedback on it.  
	We've put a copy of our paper at:
  
  	http://www.cs.washington.edu/homes/savage/traceback.html
  
	If you have a moment, we'd definitely appreciate any comments
	you might have.  We're also especially interested in getting
	feedback from the ISP operations community and from equipment
	vendors, so please feel free to forward this to anyone you
	think might be interested.  Thanks!

  - Stefan
    <savage@cs.washington.edu>, 
    coauthor david wetherall <djw@cs.washington.edu>
	(and anna and tom)




speaking of non-panaceas,
brett mentioned caida passive monitoring for security.
lemme clarify, 
coralreef has some bits that can detect port-scanning and
then auto-trigger full framed collection on specific filter
	http://www.caida.org/Tools/CoralReef/

but it's quite different animal from traceback 
eg., what rstone's centertrack trying to do
	http://www.nanog.org/mtg-9910/robert.html
	(not sure where that stands wrt deployment)

or what ddrew's cisco-based DOStracker did for what's.now.cw.net

  brettw also said

  if we installed passive monitors on IX links between providers, we
  might be able to do some interesting security traces.

reckon you[pl.]'d have to install a lot of them
and some facility for correlating among them
(and at least coral doesn't have any of that yet,
nor any kind of auto-paging when something looks suspicious)

again, nothing money & hardware & code & a NOC contact list 
can't heavily dent in a year or 2 if folks wanted it badly enough.  
and with other positive benefits to boot.
(in case folks think the malice of undersocial teenagers 
is the biggest threat we face...)
  






Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.