[54196] in North American Network Operators' Group
RE: Identifying DoS-attacked IP address(es) Sniffer
daemon@ATHENA.MIT.EDU (Brennan_Murphy@NAI.com)
Mon Dec 16 19:25:47 2002
From: Brennan_Murphy@NAI.com
To: chapuis@ip-plus.net, nanog@nanog.org
Date: Mon, 16 Dec 2002 16:29:12 -0800
Errors-To: owner-nanog-outgoing@merit.edu
Even though you are asking this question with regard to what can
be done on the router itself, it's worth mentioning, if only for
the archives, a non-router approach to the problem...especially if
you are an enterprise network manager. It's even worth
mentioning despite the fact that I work for a company that provides
said approach.
Some of our enterprise customers place distributed Sniffers on their internet links themselves. Upon receiving an alert, they connect to the Sniffer and click on Top Ten talkers by bytes (presented in pie/bar chart). On the left side of the screen are the source/destination pairs generating the most traffic. Typically, top talkers are the culprits, but sometimes weak DOS attacks can hide among legitimate traffic, which is why it's occasionally useful to check the Protocol Distribution window. More sophisticated attacks sometimes require that you take a capture of traffic and analyse packet level data. If it's a simple DOS, jot down the IPs involved and call your ISP or upstream provider with a filter request.
Near future versions of Sniffer will have IDS capabilities built in. I've also seen a proof of concept tool that automates the filtering process based on DDOS data and network thresholds. Obviously, there are lots of cases where this is a problematic approach, but I was impressed with the tool's current intelligence...especially traceback analysis and filtering at ingress.
In any case, Sniffer isn't the only protocol analysis tool. Shop around if a non-router approach interests you.
-----Original Message-----
From: Andre Chapuis [mailto:chapuis@ip-plus.net]
Sent: Monday, December 16, 2002 9:12 AM
To: nanog@nanog.org
Subject: Identifying DoS-attacked IP address(es)
Hi,
How do you identify a DoS-attacked IP address(es) on your ingress border router, assuming the latter is a Cisco 12000? I used to use ip accounting but they removed it from the S-code.
Thanks,
André
---------------------
Andre Chapuis
IP+ Engineering
Swisscom Ltd
Genfergasse 14
3050 Bern
+41 31 893 89 61
chapuis@ip-plus.net
CCIE #6023
----------------------
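The triage workflow Brennan describes (rank source/destination pairs by bytes, then check the protocol distribution because a weak flood can hide under legitimate traffic) is easy to reproduce over flow or capture data. The following is an added example, not code from the thread or from the Sniffer product; the flow records are constructed, and the 5% protocol-share threshold is an assumed value a site would tune.

```python
"""Top-talker and protocol-distribution triage over flow records.

Added example; the records below are constructed, not a real capture.
Each record is (src, dst, protocol, bytes) as a flow collector or a
capture summary would report it.
"""
from collections import Counter, defaultdict

# Constructed data: one large legitimate TCP transfer dominates the top
# talkers, while twenty 10.9.9.x hosts each send a modest amount of ICMP.
# Individually none of them ranks near the top, which is the "weak DOS
# hiding among legitimate traffic" case from the thread.
FLOWS = [
    ("192.0.2.10", "203.0.113.5", "tcp", 9_000_000),
    ("192.0.2.11", "203.0.113.5", "tcp", 1_200_000),
    ("198.51.100.7", "203.0.113.5", "udp", 300_000),
] + [("10.9.9.%d" % i, "203.0.113.5", "icmp", 60_000) for i in range(1, 21)]


def top_talkers(flows, n=10):
    """Rank src/dst pairs by bytes (the 'Top Ten talkers by bytes' view)."""
    by_pair = Counter()
    for src, dst, _proto, nbytes in flows:
        by_pair[(src, dst)] += nbytes
    return by_pair.most_common(n)


def protocol_distribution(flows):
    """Byte share per protocol (the 'Protocol Distribution' view)."""
    by_proto = Counter()
    for _src, _dst, proto, nbytes in flows:
        by_proto[proto] += nbytes
    total = sum(by_proto.values())
    return {proto: nbytes / total for proto, nbytes in by_proto.items()}


def suspicious_sources(flows, proto, share_threshold=0.05):
    """Sources sending `proto`, most bytes first, if that protocol's share
    of all traffic exceeds the (assumed, site-tuned) threshold; otherwise
    an empty list. The result is the address list to hand upstream with
    a filter request."""
    if protocol_distribution(flows).get(proto, 0.0) <= share_threshold:
        return []
    per_src = defaultdict(int)
    for src, _dst, p, nbytes in flows:
        if p == proto:
            per_src[src] += nbytes
    return sorted(per_src, key=per_src.get, reverse=True)
```

On the constructed data the top talker is the legitimate 9 MB transfer, while ICMP carries roughly 10% of all bytes and `suspicious_sources(FLOWS, "icmp")` returns all twenty flood sources.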