[54178] in North American Network Operators' Group
RE: Identifying DoS-attacked IP address(es)
daemon@ATHENA.MIT.EDU (Pena, Antonio)
Mon Dec 16 10:06:36 2002
From: "Pena, Antonio" <antonio_pena@verestar.com>
To: nanog@nanog.org
Cc: "'Andre Chapuis'" <chapuis@ip-plus.net>
Date: Mon, 16 Dec 2002 10:03:06 -0500
Errors-To: owner-nanog-outgoing@merit.edu
Hello Andre
The best way we use to identify DOS attacks is measuring and monitoring the backbone circuits' packets/second in and out; normally most of the DOS attacks generate a lot of packets/second. In our case we created an alarm that sends an email and page each time any of our backbone circuits exceeds 17000 packets/second, and a second alarm when packets exceed 20k, using Intermapper 3.6 and SNMP.

After this, if you are using the Cisco 12000 it is no problem to try to detect the type of traffic using an extended access-list, sending to the logging for 15-20 seconds and then looking for ICMP, UDP and TCP. In our case we found 7 of ten DOS attacks target IPs and only 10% are coming from known sources; most of the attacks used smurfed sources.
Regards;
Antonio J. Pena
Senior Manager, Network Engineering
Verestar, inc.
3040 Williams, Dr Suite 100
Fairfax, VA, 22031
Phone (703)206-9000
Direct (571)226-5772
Fax (703) 573-3522
antonio_pena@verestar.com
http://www.verestar.com
-----Original Message-----
From: Andre Chapuis [mailto:chapuis@ip-plus.net]
Sent: Monday, December 16, 2002 9:12 AM
To: nanog@nanog.org
Subject: Identifying DoS-attacked IP address(es)
Hi,
How do you identify a DoS-attacked IP address(es) on your ingress border router, assuming the latter is a Cisco 12000? I used to use ip accounting but they removed it from the S-code.
Thanks,
André
---------------------
Andre Chapuis
IP+ Engineering
Swisscom Ltd
Genfergasse 14
3050 Bern
+41 31 893 89 61
chapuis@ip-plus.net
CCIE #6023
----------------------
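The two-tier packets-per-second alarm described in Antonio Pena's reply (page at 17000 pps, second alarm at 20k pps, fed by SNMP interface counters) can be reproduced with a short poller-side check. The following is an added example, not code from either poster or from Intermapper; the samples are constructed, and it assumes the counters polled are 32-bit Counter32 objects such as ifInUcastPkts/ifOutUcastPkts, so one wrap between polls must be tolerated.

```python
COUNTER32_MOD = 2 ** 32     # assumption: ifInUcastPkts / ifOutUcastPkts are Counter32
PAGE_PPS = 17000            # first alarm level quoted in the reply
CRITICAL_PPS = 20000        # second alarm level quoted in the reply

def counter_delta(prev, curr, modulus=COUNTER32_MOD):
    """Difference between two successive counter polls, tolerating one wrap-around."""
    if curr >= prev:
        return curr - prev
    return modulus - prev + curr

def packet_rates(prev_sample, curr_sample):
    """Samples are (unix_seconds, in_pkts, out_pkts). Returns (in_pps, out_pps)."""
    t0, in0, out0 = prev_sample
    t1, in1, out1 = curr_sample
    dt = t1 - t0
    if dt <= 0:
        raise ValueError("samples must be strictly increasing in time")
    return counter_delta(in0, in1) / dt, counter_delta(out0, out1) / dt

def alarm_level(in_pps, out_pps, page=PAGE_PPS, critical=CRITICAL_PPS):
    """'ok', 'page' or 'critical' based on the busier direction of the circuit."""
    peak = max(in_pps, out_pps)
    if peak >= critical:
        return "critical"
    if peak >= page:
        return "page"
    return "ok"

def evaluate(samples):
    """Walk consecutive polls; return one (timestamp, in_pps, out_pps, level) per interval."""
    results = []
    for prev, curr in zip(samples, samples[1:]):
        in_pps, out_pps = packet_rates(prev, curr)
        results.append((curr[0], in_pps, out_pps, alarm_level(in_pps, out_pps)))
    return results

# Constructed 60-second polls of one backbone circuit: quiet, ramping, then past 20k pps.
SAMPLES = [
    (0, 1000, 500),
    (60, 301000, 120500),      # 5000 / 2000 pps   -> ok
    (120, 1381000, 240500),    # 18000 / 2000 pps  -> page
    (180, 2701000, 360500),    # 22000 / 2000 pps  -> critical
]

if __name__ == "__main__":
    for ts, i, o, level in evaluate(SAMPLES):
        print(f"t={ts:>4}s in={i:8.0f} pps out={o:8.0f} pps {level}")
```

At 20k pps a 32-bit counter wraps in roughly 60 hours, so the wrap handling matters for long-lived polls; a poller that sees the counter go backwards without it would raise a spurious alarm.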