[50462] in North American Network Operators' Group
Re: Identifying DoS sources quickly (was: Bogon list or Dshield.org
daemon@ATHENA.MIT.EDU (Hank Nussbacher)
Tue Jul 30 10:49:49 2002
Date: Tue, 30 Jul 2002 18:46:56 +0300 (IDT)
From: Hank Nussbacher <hank@att.net.il>
To: michael.dillon@radianz.com
Cc: nanog@merit.edu
In-Reply-To: <OF9CA78E33.DC0C8BC6-ON80256C06.00496B63-80256C06.004C8153@radianz.com>
Errors-To: owner-nanog-outgoing@merit.edu
On Tue, 30 Jul 2002 michael.dillon@radianz.com wrote:
> That's the obvious solution to the problem if the problem is how to track
> down the source(s) of a DoS attack. However, in any DoS attack, there is
> always a victim and one or more devices sending attack traffic to the
> victim. The owners of the attacking devices are accessories to the crime
> although I'm sure they could plead ignorance and avoid any liability. But
> what if they could not plead ignorance? What if we could identify some of
> the attacking devices, and what if the victim sent a legal "cease and
> desist" letter to the owners of the attacking devices? Now, the victim is
> in a position to sue the owners of these attacking devices if they don't
> fix the problem by securing their machines. And once this happens and gets
> some press coverage, a whole bunch of other machine owners will wake up
> and realize that they could be stuck with big legal bills if they don't
> secure their machines.
>
> So, to restate the problem, how do we identify some of the sources of a
> DoS attack quickly, maybe even while the attack is still in progress?
Not a complete solution but a start:
IP Source Tracker:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s21/ipst.htm
Available as of 12.0(22)S for 7500 and 12000 series Cisco routers.
-Hank
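The idea Hank points at (track one destination address, report which ingress interfaces its traffic enters on and which sources dominate, so the trace can be handed to the next hop upstream) is sketched below as an added example; it is not part of the original post or of Cisco's IP Source Tracker. The flow records are constructed, and source addresses are treated as unspoofed, which real floods often are not.

```python
from collections import Counter, defaultdict

# Constructed sample flow records (not real captures): each tuple is
# (source IP, destination IP, ingress interface, packet count).
SAMPLE_FLOWS = [
    ("203.0.113.5",   "198.51.100.10", "GigabitEthernet1/0", 120000),
    ("203.0.113.77",  "198.51.100.10", "GigabitEthernet1/0", 95000),
    ("192.0.2.33",    "198.51.100.10", "GigabitEthernet2/0", 80000),
    ("192.0.2.8",     "198.51.100.10", "GigabitEthernet2/0", 300),
    ("198.51.100.42", "198.51.100.10", "GigabitEthernet3/0", 250),
    ("203.0.113.5",   "198.51.100.99", "GigabitEthernet1/0", 40),
]

def track_destination(flows, victim):
    """Aggregate traffic addressed to `victim` by ingress interface and by source.

    The per-interface totals tell you which upstream/peer to ask to continue
    the trace; the per-source counters show the heaviest senders behind each.
    """
    per_interface = Counter()
    per_source = defaultdict(Counter)
    for src, dst, ifname, pkts in flows:
        if dst != victim:
            continue
        per_interface[ifname] += pkts
        per_source[ifname][src] += pkts
    return per_interface, per_source

def top_sources(flows, victim, min_share=0.05):
    """Return (source, interface, packets) for sources carrying at least
    `min_share` of the victim's traffic, heaviest first."""
    per_interface, per_source = track_destination(flows, victim)
    total = sum(per_interface.values())
    if total == 0:
        return []
    ranked = []
    for ifname, counter in per_source.items():
        for src, pkts in counter.items():
            if pkts / total >= min_share:
                ranked.append((src, ifname, pkts))
    ranked.sort(key=lambda r: r[2], reverse=True)
    return ranked

if __name__ == "__main__":
    victim = "198.51.100.10"
    per_interface, _ = track_destination(SAMPLE_FLOWS, victim)
    for ifname, pkts in per_interface.most_common():
        print(f"{ifname}: {pkts} packets toward {victim}")
    for src, ifname, pkts in top_sources(SAMPLE_FLOWS, victim):
        print(f"  candidate source {src} via {ifname}: {pkts} packets")
```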