North American Network Operators Group|
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical
Re: router syn/syn-ack/ack alarming...
>We can borrow experience from utilities which employ automatic >shut-offs of every possible kind for years. Yes, they do create >problems; but on overall balance it appears to be a very robust >approach to preservation of the whole system's integrity. > >I really like the idea of the network being able to defend itself >without dragging engineers out of beds in the middle of the night :) >That will certainly remove a lot of incentive for hacker wannabes >who appear to have only one goal in their lives -- to make life >of operators miserable. I think that perhaps a semi-automatic rather than fully automated response might be the most useful. Have someone at some 800# manned 24x7 whose job it is to filter reports of major network-type attacks. At their discretion, they could issue an advisory annoucing the affected netblock and asking for everyone to start searching for odd traffic to that netblock. In normal times, the various filter and log options would be off, so that performance isn't hit. In an emergency, everyone turns them on for ten minutes and enough info should be generated to track it out to a particular NSP and perhaps to an ISP. Automating the announcement and filter turnon/turnoff would be nice, but may not be practical. Fully automated would probably take hooks in router software which don't exist now. Semi-auto, where each NSP NOC can temporarily enable the search on a particular target address range, seems more practical. -george - - - - - - - - - - - - - - - - -