[50463] in North American Network Operators' Group
Re: Identifying DoS sources quickly (was: Bogon list or Dshield.org type list)
daemon@ATHENA.MIT.EDU (Nipper, Arnold)
Tue Jul 30 11:18:18 2002
From: "Nipper, Arnold" <arnold@nipper.de>
To: "Hank Nussbacher" <hank@att.net.il>, <michael.dillon@radianz.com>
Cc: <nanog@merit.edu>
Date: Tue, 30 Jul 2002 17:16:18 +0200
Errors-To: owner-nanog-outgoing@merit.edu
Hank Nussbacher wrote:
> > So, to restate the problem, how do we identify some of the sources of a
> > DoS attack quickly, maybe even while the attack is still in progress?
>
> Not a complete solution but a start:
> IP Source Tracker:
>
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120
limit/120s/120s21/ipst.htm
>
> Available as of 12.0(22)S for 7500 and 12000 series Cisco routers.
>
Hank,
one major flaw with this is that you can't track back further when you are
on an (ethernet based) IXP. IIRC older versions of IOS gave L2 information
(MAC address) as well which helped you to identify the last hop.
-- Arnold
--
Arnold Nipper / nIPper consulting
e-mail: arnold@nipper.de
phone/mob: +49 172 265 0958
fax: +49 6224 9259 333
