[54188] in North American Network Operators' Group


RE: Identifying DoS-attacked IP address(es)

daemon@ATHENA.MIT.EDU (Christopher L. Morrow)
Mon Dec 16 16:19:45 2002

Date: Mon, 16 Dec 2002 21:17:07 +0000 (GMT)
From: "Christopher L. Morrow" <chris@UU.NET>
To: Livio Ricciulli <livio@reactivenetwork.com>
Cc: "'Neil J. McRae'" <neil@DOMINO.ORG>,
	'Andre Chapuis' <chapuis@ip-plus.net>,
	"'Christopher L. Morrow'" <chris@UU.NET>, <nanog@nanog.org>
In-Reply-To: <000001c2a547$fad1f500$6401010a@livio>
Errors-To: owner-nanog-outgoing@merit.edu



On Mon, 16 Dec 2002, Livio Ricciulli wrote:

> FYI, we developed a system that sniffs FE,GE,DS3,OC3-48 POS and creates
> a model using the cross-product of:
> 1) source/destination address distributions
> 2) packet rate
> 3) protocol

But I can't field deploy this 2 continents away at 4am with 10 mins
notice...

>
> This works very well to detect floods and does not require messing with
> routers..
>
> Livio.
>
> -----Original Message-----
> From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of
> Neil J. McRae
> Sent: Monday, December 16, 2002 9:38 AM
> To: Andre Chapuis
> Cc: Christopher L. Morrow; nanog@nanog.org
> Subject: Re: Identifying DoS-attacked IP address(es)
>
>
> Sampled netflow, or look at the traceback stuff in later
> IOS 12.0S versions.  Avoid filter lists as the GSR engine cards
> have a statically limited number of entries.
>
> Regards,
> Neil.
>

