[4606] in North American Network Operators' Group


Hints for tracing SYN flooders (and others) through Ciscos

daemon@ATHENA.MIT.EDU (Jeff Rizzo)
Thu Sep 19 00:02:28 1996

To: nanog@merit.edu
Date: Wed, 18 Sep 1996 20:59:58 -0700
From: Jeff Rizzo <nc0005@noc.noc.netcom.net>


Apologies to those to whom what I present here is blindingly obvious; I'm 
killing some time while waiting for a response from an ISP that we've traced 
an attack on one of our customers to, and I thought I'd share a tip:

Since virtually everyone who has a Cisco has at least fast switching, if not 
cbus switching, enabled, the "debug ip packet [access-list] detail" suggested 
here the other day won't show much, as the processor (which is doing the 
debugging) won't actually see the whole packet.  You can sit there for quite 
some time without results.  :)  While it obviously makes no sense from a performance 
perspective (at least if you have even moderate traffic) to turn off fast 
switching, you *can* clear the ip cache for the attacked network.  This forces 
the processor to look at a number of packets to rebuild a cache entry.
Now, if you're especially lucky, your debug may catch the packets you're 
looking for right off, and tell you the ingress interface.  More likely, 
however, is that you'll need to clear the cache entry a number of times to get a 
hit.
You're still on your own when you get to a shared IXP fabric, and you'll need 
a sniffer there, but it can help.

(Hey Cisco! Any chance of putting a source MAC address in the "detail" 
information? :)

At least, if the attacker's sending rapidly enough to be noticeable.

Hope this helps someone.

+j
-- 
Jeff Rizzo              nc0005@noc.netcom.net                        NETCOM
Sr. Network Administrator Guy                               +1 415 758 1457
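As an added example (not part of Jeff's post), a small Python tally over output captured from "debug ip packet <acl> detail" after several "clear ip cache" runs: it keeps only bare SYNs aimed at the attacked host and counts them per ingress interface, so that a few hits from each clear add up to the upstream interface to chase. The line format is an assumption modelled on IOS debug output, and the sample lines are constructed.

```python
import re
from collections import Counter

# Constructed sample: a few rounds of "debug ip packet <acl> detail" output,
# concatenated as captured after each "clear ip cache" for the attacked net.
# The line format is an assumption modelled on IOS debug output.
SAMPLE = """\
IP: s=203.0.113.7 (Serial0), d=192.0.2.10 (Ethernet0), len 44, rcvd 4
    TCP src=1025, dst=80, seq=1, ack=0, win=512 SYN
IP: s=198.51.100.9 (Ethernet1), d=192.0.2.10 (Ethernet0), len 40, rcvd 4
    TCP src=2049, dst=80, seq=10, ack=11, win=8192 ACK
IP: s=203.0.113.8 (Serial0), d=192.0.2.10 (Ethernet0), len 44, rcvd 4
    TCP src=1026, dst=80, seq=2, ack=0, win=512 SYN
IP: s=203.0.113.9 (Serial1), d=192.0.2.10 (Ethernet0), len 44, rcvd 4
    TCP src=1027, dst=80, seq=3, ack=0, win=512 SYN
IP: s=203.0.113.10 (Serial0), d=192.0.2.11 (Ethernet0), len 44, rcvd 4
    TCP src=1028, dst=80, seq=4, ack=0, win=512 SYN
"""

# "IP: s=<src> (<ingress>), d=<dst> (<egress>), ..." header line.
IP_RE = re.compile(r"^IP: s=(\S+) \((\S+)\), d=(\S+) \((\S+)\)")
FLAG_RE = re.compile(r"\b(SYN|ACK|RST|FIN|PSH|URG)\b")


def parse_debug(text):
    """Pair each IP header line with the TCP detail line that follows it.

    Returns a list of (src_ip, ingress_if, dst_ip, flags) tuples; flags is
    the set of TCP flag names printed on the detail line.
    """
    records, pending = [], None
    for line in text.splitlines():
        m = IP_RE.match(line)
        if m:
            pending = (m.group(1), m.group(2), m.group(3))
            continue
        if pending and line.lstrip().startswith("TCP "):
            records.append(pending + (set(FLAG_RE.findall(line)),))
            pending = None
    return records


def tally_syn_ingress(text, victim):
    """Count bare SYNs (SYN set, ACK clear) to the victim per ingress interface."""
    counts = Counter()
    for _src, ingress, dst, flags in parse_debug(text):
        if dst == victim and "SYN" in flags and "ACK" not in flags:
            counts[ingress] += 1
    return counts


def likely_ingress(text, victim):
    """Interface that delivered the most flood SYNs, or None if none were seen."""
    counts = tally_syn_ingress(text, victim)
    return counts.most_common(1)[0][0] if counts else None
```

Feed it the accumulated debug capture rather than a single round, since each cache rebuild exposes only a handful of packets to the processor.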
