Re: [77attendees] Bar BoF: ip traceback
Chris Morrow <morrowc@google.com> Thu, 25 March 2010 18:35 UTC
On Thu, Mar 25, 2010 at 11:15 AM, Yoav Nir <ynir@checkpoint.com> wrote:
> On Mar 25, 2010, at 10:49 AM, Chris Morrow wrote:
>
>> On Thu, Mar 25, 2010 at 10:40 AM, Yoav Nir <ynir@checkpoint.com> wrote:
>>>
>>> On Mar 25, 2010, at 9:46 AM, Jari Arkko wrote:
>>>>> My own, personal conclusion was that this was interesting and has potential. There *is* work to be done (two different versions that they wrote did not interoperate properly) and since success requires wide adoption by ISPs, I believe that the IETF is probably the right place for this. But these are just my personal opinions, and I have no idea if we can get enough people to actually work on this.
>>>>>
>>>>> I suggest that the correct next step is for the authors to contact one or more ADs. Though this seems directly related to security, the fact that this would be a protocol that would run between AS edge routers, it could fall to other areas as well. So I think the next step should be scheduling a BoF for next IETF, and making sure that the right people are there.
>>>>>
>>>>
>>>> The question in my mind is: is the world interested in this technology. Previous IETF efforts in traceback failed IMO due to lack of operator/vendor interest. We should not create new efforts unless that interest surges again. Is it surging, and if so, why?
>>>>
>>>> Jari
>>>
>>> We've heard that attack packets now take up a significant portion of the traffic on the
>>> Internet. Specifically members of bot-nets create congestion for ISPs. There is a chance
>>
>> where is this statistic? as near as I know/recall it's nowhere near
>> 'significant portion' in general. Certainly there are times when
>> individual links see this as the case (mostly edge/customer links).
>
> I've heard it in some talks. There's also this, but it's not based on statistics:
> http://sparrow.ece.cmu.edu/group/pub/studer_esorics09.pdf

"Abstract. Current Denial-of-Service (DoS) attacks are directed towards a specific victim. The research community has devised several countermeasures that protect victim hosts against undesired traffic. We present Coremelt, a new attack mechanism, where attackers only send traffic between each other, and not towards a victim host. As a result, none of the attack traffic is unwanted. The Coremelt attack is powerful because among N attackers there are O(N^2) connections, which can cause significant congestion in the network core. We demonstrate the attack based on simulations within a real Internet topology using realistic attacker distributions and show that attackers can induce a significant amount of congestion."

this describes a potential attack scenario which in almost all cases won't actually harm the network, most edge links are smaller than the core facing ones on a reasonably built isp network. Certainly a single endpoint can be overwhelmed, but I don't think this has been shown to be a problem in practice (this attack I mean).

> Of course it makes sense that a DDoS attack against a particular network will cause
> congestion at the ISP serving that network, so the ISP may be interested in cooperating
> with other ISPs to detect the bots who may participate in such an attack.

as a person who did this for quite some time, and does it today at a non-isp company... there are plenty of methods available to do this today, already integrated into the infrastructure that providers use.

>>
>>> that now they would be more interested in deploying traceback technology than in the past,
>>> when Internet attacks were a problem only for the end users.
>>
>> probably not, no... the traceback options from the past nearly all had
>> significant penalties on the routing equipment in the network, that
>> was a showstopper then, and will be today.
>>
>>> We have at least anecdotal evidence of such interest, in that 15 Japanese ISPs have agreed to participate in this experiment on their production networks. This must count for something.
>>>
>>>
>>> Anyway, a BoF with the relevant people present is, IMO, the best way to gauge the interest.
>>>
>>> So the next steps are to set up a BoF for IETF 78, and to set up a mailing list, where
>>> hopefully we can hear from the operators.
>>
>> hopefully announce it early :) I'd love to attend.
>
> Me too.

sweet!