[4455] in North American Network Operators' Group

home help back first fref pref prev next nref lref last post

Re: New Denial of Service Attack on Panix

daemon@ATHENA.MIT.EDU (Craig A. Huegen)
Tue Sep 17 01:57:18 1996

Date: Mon, 16 Sep 1996 22:53:21 -0700 (PDT)
From: "Craig A. Huegen" <c-huegen@quad.quadrunner.com>
To: Paul A Vixie <paul@vix.com>
cc: Tim Bass <bass@cactus.silkroad.com>,
        "Kent W. England" <kwe@6SigmaNets.com>, nanog@merit.edu, iepg@iepg.org
In-Reply-To: <9609170411.AA12659@wisdom.home.vix.com>

On Mon, 16 Sep 1996, Paul A Vixie wrote:

==>looks like the cisco access-list debugger doesn't show enough detail.
==>as soon as the path to the attacker crosses a MAE, you need to know the
==>source MAC level address of the router that's splattering you.

Paul is correct; I left out the caveat that you have to go "hunting" once
you get to a multi-access media network.

However, a good tool at this point becomes the monitor option/port found
on certain switches which will redirect traffic bound for a certain port
to also appear on the monitor port for sniffing. I don't know if the
GIGAswitches have such a monitoring option or port; if so, cooperation
from the various IXP operators would be a great help in determining the

(I also think implementing a MAC-level packet debug would be very
beneficial to help find culprits in this case, not to mention help
troubleshoot other problems).


Craig A. Huegen  CCIE #2100                       ||        ||
Network Analyst, IS-Network/Telecom               ||        ||
cisco Systems, Inc., 250 West Tasman Drive       ||||      ||||
San Jose, CA  95134, (408) 526-8104          ..:||||||:..:||||||:..
email: chuegen@cisco.com                    c i s c o  S y s t e m s

home help back first fref pref prev next nref lref last post