
Re: M$SQL cleanup incentives
From: John Kristoff <jtk () depaul edu>
Date: Fri, 21 Feb 2003 16:52:18 -0600


On Fri, 21 Feb 2003 17:25:46 -0500
William Allen Simpson <wsimpson () greendragon com> wrote:

I've been pretty disappointed with some of the responses on this
issue. 

Maybe you won't like this one either, but here goes.

I'd be very interested in hearing how operators feel about 'pushback'.
It may make more sense near ingress edges or where there is limited
aggregate capacity on the egress (a bottleneck), but debating that point
is probably secondary.

You can refer to some of the material, particularly by Bellovin, Floyd
and others here:

  <http://www.icir.org/pushback/>

In the simplest scenario, pushback could be similarly deployed to the
way RED is deployed (if you consider that easy or useful or not, I'm not
sure).  Signals do not even necessarily need to propagate to upstream
routers, rather anomalous traffic (based on a simple, hopefully, policy)
could be dropped more aggressively.  This response could be automatic or
require intervention.  I think there are a number of interesting properties
to this approach, especially since if it behaves similarly to how one might
hope, it could still allow some valid traffic through.  Hint: think
about what will happen if a Slammer/Sapphire-like worm hits port
25/53/80 and cannot be easily filtered without affecting all traffic on
those ports.

Coming up with a policy that determines what is anomalous is one of the
hard parts.  Vendor implementation being another, but you can kind of do
this sort of thing already if you're so inclined.
Thoughts?

John
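The router-local half of the scheme discussed above (identify the aggregate responsible for congestion and rate-limit just that aggregate, so traffic on other ports keeps flowing and even the shared port is squeezed rather than blackholed) as a toy model. This is an added example, not code from the thread or from the ICIR pushback implementation; the packet mix, link capacity and target drop rate are constructed assumptions, an "aggregate" is simply all traffic to one destination port, and the residual drops are spread proportionally as a stand-in for RED.

```python
"""Toy aggregate-based congestion control (local pushback, no upstream signalling)."""
import math
from collections import Counter

LINK_CAPACITY = 100       # packets the egress can forward per interval (assumed)
TARGET_DROP_RATE = 0.10   # drop rate the *rest* of the traffic should see, at most (assumed)


def traffic_mix():
    """Constructed interval: normal SMTP/DNS/web plus a worm-style flood aimed at port 80."""
    return [25] * 20 + [53] * 10 + [80] * 20 + [80] * 400


def rate_limit_plan(dports, capacity=LINK_CAPACITY, target=TARGET_DROP_RATE):
    """Pick the heaviest aggregate (by destination port) and decide how much of it to admit.

    After limiting, what remains should fit the link with at most `target` drops:
        others + allowed <= capacity / (1 - target)
    Returns (aggregate_port, allowed), or (None, None) when the link is not congested.
    """
    total = len(dports)
    if total <= capacity:
        return None, None
    agg, n = Counter(dports).most_common(1)[0]
    others = total - n
    allowed = max(0, math.floor(capacity / (1 - target) - others))
    return agg, min(n, allowed)


def forward(dports, capacity=LINK_CAPACITY, target=TARGET_DROP_RATE, pushback=True):
    """Return {port: packets forwarded} for one interval, with or without the limiter."""
    counts = Counter(dports)
    if pushback:
        agg, allowed = rate_limit_plan(dports, capacity, target)
        if agg is not None:
            counts[agg] = allowed            # only the offending aggregate is squeezed
    admitted = sum(counts.values())
    if admitted == 0:
        return {}
    keep = min(1.0, capacity / admitted)     # residual congestion: proportional (RED-like) drops
    return {port: math.floor(c * keep) for port, c in counts.items()}


if __name__ == "__main__":
    mix = traffic_mix()
    print("no pushback:", forward(mix, pushback=False))   # SMTP/DNS nearly starved
    print("pushback   :", forward(mix))                   # SMTP/DNS see ~10% loss, port 80 survives partially
```

Run as-is to compare the two policies; the interesting number is how much port 25 and 53 traffic survives once the port 80 aggregate is limited.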

