This is more of a side note but you might want to take a look at this traceback technique for dDoS that UUNet have demonstrated and implemented.
http://www.secsup.org/Tracking/
http://www.nanog.org/mtg-0110/ppt/greene.pdf

Thomas

----- Original Message -----
From: "Pascal Gloor" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Saturday, February 02, 2002 7:37 AM
Subject: Re: [swinog] dDoS and spoofing...

> I know how huge this can be, but I think it's now time to go forward and to
> find a global solution to STOP this definitively or at least know how to stop
> when it occurs...
> You need a driving license to drive on the road, but we have no 'laws' on
> the net... I know the internet is considered as free, open, etc... but I'm
> sure we all agree that we need to find a solution... a good starting point
> would be the IXPs we have. Paolo, Andre, what is your peak bandwidth on
> your IX switches? Is there any technical way to collect data?
>
>
>
> On Sat, 2 Feb 2002 12:28:39 +0100
> "Pascal Gloor" <[EMAIL PROTECTED]> wrote:
>
> > Hi all,
> >
> > Does any ISP represented here do something to avoid spoofing? and how many
>
> We are filtering all outgoing traffic against spoofing, only let our own
> IPs out ..
>
> > do netflow? with netflow we would be able to 'some kind' trace back, at
> > least the source network/AS of the spoofed DoS and could try to stop them.
> > Could you have a look and see if you have some data (since Thursday-Friday
> > night) to destination 193.110.95.1? I could at least try to stop a part of
> > that DoS.
>
> Problem with netflow is, that in a case of a ddos you need enormous
> bandwidth to the collector, and probably the traffic to the collector is
> worse than the ddos ...
> (only my experience) you should be able to collect the traffic at each
> location separately ...
> but that's kind of investment intensive ...
>
> > Why not creating a 'neutral and trusted' 3rd party which would collect all
> > netflow summaries and for sure keep them secret. On demand, that team would
> > seek for a specific destination IP and then would be able to trace back
> > source networks of DoS and advise the concerned network without giving any
> > information to the requester.
>
> That would be a great thing ...
>
> > DoS are growing day per day and we should do something...really... we can't
> > continue to let the 'terrorists' play like that.
>
> Yes, I can observe that too ...
>
> Best Regards
>
> Matthias
>
> --
> _;\_ Matthias Cramer System & Network Manager
> /_. \ Dolphins Network Systems AG Phone +41-1-847'45'45
> |/ -\ .) Libernstrasse 24 Fax +41-1-847'45'49
> -'^`- \; CH-8112 Otelfingen http://www.dolphins.ch/
>
>
>
> ----------------------------------------------
> [EMAIL PROTECTED] Maillist-Archive:
> http://www.mail-archive.com/swinog%40swinog.ch/
