[54186] in North American Network Operators' Group
RE: Identifying DoS-attacked IP address(es)
daemon@ATHENA.MIT.EDU (Livio Ricciulli)
Mon Dec 16 15:08:37 2002
From: "Livio Ricciulli" <livio@reactivenetwork.com>
To: "'Neil J. McRae'" <neil@DOMINO.ORG>,
"'Andre Chapuis'" <chapuis@ip-plus.net>
Cc: "'Christopher L. Morrow'" <chris@UU.NET>, <nanog@nanog.org>
Date: Mon, 16 Dec 2002 13:13:28 -0800
In-Reply-To: <20021216173814.9AA94398C2@equinox.DOMINO.ORG>
Errors-To: owner-nanog-outgoing@merit.edu
FYI, we developed a system that sniffs FE, GE, DS3, OC3-48 POS and creates
a model using the cross-product of:
1) source/destination address distributions
2) packet rate
3) protocol
This works very well to detect floods and does not require messing with
routers.
Livio.
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of
Neil J. McRae
Sent: Monday, December 16, 2002 9:38 AM
To: Andre Chapuis
Cc: Christopher L. Morrow; nanog@nanog.org
Subject: Re: Identifying DoS-attacked IP address(es)
Sampled netflow, or look at the traceback stuff in later
IOS 12.0S versions. Avoid filter lists as the GSR engine cards
have a statically limited number of entries.
Regards,
Neil.
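The cross-product model Livio describes (address distributions, packet rate, protocol) as a small flood detector, added here as an illustration and not code from his system or any product: it baselines per-protocol packet rate and destination-address entropy over known-clean windows, then flags a window where one protocol's rate jumps while its destinations collapse onto a single host. The traffic records, the 1-second window and the thresholds (5x rate, 1-bit entropy drop) are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

WINDOW = 1.0  # seconds per measurement window (assumed)

def entropy(counter):
    """Shannon entropy (bits) of an address distribution; 0 when every packet hits one address."""
    total = sum(counter.values())
    return -sum(c / total * math.log2(c / total) for c in counter.values()) if total else 0.0

def summarize(packets):
    """Bucket (ts, src, dst, proto) records by (window, proto) into rate and address-entropy stats."""
    buckets = defaultdict(lambda: {"n": 0, "src": Counter(), "dst": Counter()})
    for ts, src, dst, proto in packets:
        b = buckets[(int(ts // WINDOW), proto)]
        b["n"] += 1
        b["src"][src] += 1
        b["dst"][dst] += 1
    return {k: {"pps": b["n"] / WINDOW, "src_h": entropy(b["src"]),
                "dst_h": entropy(b["dst"]), "top_dst": b["dst"].most_common(1)[0][0]}
            for k, b in buckets.items()}

def baseline(stats):
    """Per-protocol mean rate and destination entropy over windows known to be clean."""
    acc = defaultdict(list)
    for (_, proto), s in stats.items():
        acc[proto].append(s)
    return {p: {"pps": sum(s["pps"] for s in v) / len(v),
                "dst_h": sum(s["dst_h"] for s in v) / len(v)} for p, v in acc.items()}

def detect(stats, base, rate_factor=5.0, min_entropy_drop=1.0):
    """Flag windows where a protocol's rate jumps while its destinations collapse onto few hosts."""
    alerts = []
    for (win, proto), s in sorted(stats.items()):
        b = base.get(proto)
        if b and s["pps"] > rate_factor * b["pps"] and s["dst_h"] < b["dst_h"] - min_entropy_drop:
            alerts.append({"window": win, "proto": proto, "victim": s["top_dst"], "pps": s["pps"]})
    return alerts

# Constructed sample traffic: two clean 1-second windows, then a UDP flood onto one host at t=2.
CLEAN = [(w + i / 20, f"192.0.2.{i}", f"198.51.100.{i % 8}", p)
         for w in (0, 1) for i in range(20) for p in ("tcp", "udp")]
FLOOD = [(2 + i / 400, f"203.0.113.{i % 250}", "198.51.100.5", "udp") for i in range(400)]
NORMAL_AT_2 = [(2 + i / 20, f"192.0.2.{i}", f"198.51.100.{i % 8}", "tcp") for i in range(20)]
BASE = baseline(summarize(CLEAN))
ALERTS = detect(summarize(FLOOD + NORMAL_AT_2), BASE)
if __name__ == "__main__":
    for a in ALERTS:
        print(f"window {a['window']}: {a['proto']} flood, {a['pps']:.0f} pps toward {a['victim']}")
```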