
Re: Internet SYN Flooding, spoofing attacks

2000-02-15 15:10:03
From: "Charles E. Perkins" <charliep(_at_)iprg(_dot_)nokia(_dot_)com>

...
I really wish "we" actually knew how to filter.

But maybe filtering is putting the cart before the horse.

I agree.


...
From that analogy, I claim that the appropriate action is to
develop tracing systems that will help to identify a wrongdoer.
Here is a possible design.
- Create a router feature, able to be remotely activated, to keep
...

How is that different from RMON?
Or better, how does it not fit naturally into RMON?


...
The basic idea then would be to trace back bad packets that
conform to some typically innocent, but occasionally troublesome,
profiles.  The profiles will become self-evident with experience,
and once people know they will be caught by this traceback
system they will think twice before spreading their crap around.

If I were building a DDoS engine today, I'd write a conventional
(Microsoft) DOS virus that does nothing except once every 3 minutes do
the equivalent of:

    (echo "GET /index.html HTTP/1.0"; echo) | telnet -r $1 80

(maybe instead with a random request instead of /index.html)

After a few 1,000,000 desktops have been infected by familiar virus
vectors, the victim might notice the traffic.
How would you filter for them?  Even if you could give routers
enough processing power, what would you learn from the filtering
that you'd care to apply?


...
So the costs boil down to more memory, more software, some
pattern-matching hardware, and maintaining security relationships
with your routing partners.

That's easy to say, but it doesn't sound likely to happen in my world.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com
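As an added illustration (not part of this message or the thread), a defender-side sketch of the detection problem raised above: many hosts fetch the same page at a machine-regular interval, each at a harmless rate, while the sum is not. The log format, addresses and timestamps are constructed for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log (not from the thread): "host epoch_seconds method path".
# Hosts 10.0.0.1 and 10.0.0.2 fetch /index.html every ~180 s; 10.0.0.3 just browses.
SAMPLE_LOG = """\
10.0.0.1 1000 GET /index.html
10.0.0.2 1010 GET /index.html
10.0.0.3 1005 GET /about.html
10.0.0.3 1012 GET /index.html
10.0.0.1 1181 GET /index.html
10.0.0.2 1190 GET /index.html
10.0.0.3 1030 GET /contact.html
10.0.0.1 1360 GET /index.html
10.0.0.2 1371 GET /index.html
"""

def parse_log(text):
    """Return (host, timestamp, path) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        host, ts, _method, path = parts
        events.append((host, int(ts), path))
    return events

def periodic_sources(events, min_hits=3, max_jitter=5.0):
    """Map path -> {host: mean interval} for hosts that request the path at a
    near-constant interval: a low per-host rate, but suspiciously regular."""
    times = defaultdict(list)
    for host, ts, path in events:
        times[(host, path)].append(ts)
    hits = defaultdict(dict)
    for (host, path), stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter:
            hits[path][host] = mean(gaps)
    return hits

def rate_summary(path, hits):
    """Why per-source rate limits fail here: each host is slow, the sum is not."""
    per_host = [1.0 / gap for gap in hits.get(path, {}).values()]  # req/s per host
    return {"sources": len(per_host),
            "per_host_rps": max(per_host, default=0.0),
            "aggregate_rps": sum(per_host)}
```

Real traffic needs a larger window and a jitter tolerance tuned to the observed clocks; the point is that the regularity across sources, not any single source's rate, is the usable signal.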