[80687] in North American Network Operators' Group


RE: DOS attack tracing

daemon@ATHENA.MIT.EDU (Scott Weeks)
Mon May 9 21:11:58 2005

Date: Mon, 9 May 2005 15:11:31 -1000 (HST)
From: Scott Weeks <surfer@mauigateway.com>
To: nanog@merit.edu
In-Reply-To: <EINSTEINyjgLjjq50K800000ea9@einstein.systemmetrics.com>
Errors-To: owner-nanog@merit.edu




On Mon, 9 May 2005, Richard wrote:

: > > We recently experienced several DOS attacks which drove our backbone
: > > routers CPU to 100%. The routers are not under attack, but the
: > > router just couldn't handle the traffic. There is a plan to upgrade

: type of routers. Our routers normally run at 35% CPU. What sucks is that the
: traffic volume doesn't have to be very high to bring down the router.


That's because it's the number of packets per time period that it can't
handle, not the traffic level.  At this point it seems most likely that
it's a simple UDP flood.  If your CPU usually runs at 35% you definitely
don't need a bigger router unless you're expecting a growth spurt.  You
might want to put an RRDTool or MRTG graph on the CPU usage to be sure.

Depending on the size of your network you also might put a server at a
good place where you can mirror the traffic to it and use NTop on the
server.  The software is free and will show a huge amount of detail if the
server has the brawn to handle the load.  More detail means more server
brawn.  You'll definitely see where the DOS is going.

scott
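
The packets-versus-volume point in the reply above, as an added example that is not part of the original message: it summarizes mirrored packet records per destination and shows two hosts with nearly the same bit rate but a 25x difference in packet rate. The record layout, addresses, and thresholds are assumptions constructed for illustration; real input would come from whatever the mirror-port collector exports.

```python
from collections import defaultdict

def per_destination_rates(records, window_s):
    """Summarize (ts, src, dst, proto, length_bytes) records seen over window_s seconds."""
    acc = defaultdict(lambda: {"packets": 0, "bytes": 0, "sources": set()})
    for _ts, src, dst, _proto, length in records:
        entry = acc[dst]
        entry["packets"] += 1
        entry["bytes"] += length
        entry["sources"].add(src)
    stats = [{
        "dst": dst,
        "pps": e["packets"] / window_s,        # what loads the router CPU
        "bps": e["bytes"] * 8 / window_s,      # what a bandwidth graph shows
        "mean_size": e["bytes"] / e["packets"],
        "sources": len(e["sources"]),
    } for dst, e in acc.items()]
    return sorted(stats, key=lambda s: s["pps"], reverse=True)

def likely_flood_targets(stats, pps_threshold=300, small_packet_bytes=128):
    """Destinations with a high packet rate made of small packets.
    Both thresholds are assumed values; tune them against a normal baseline."""
    return [s["dst"] for s in stats
            if s["pps"] >= pps_threshold and s["mean_size"] <= small_packet_bytes]

def constructed_sample():
    """Constructed records (documentation address ranges), not captured traffic."""
    records = []
    # Ordinary transfer: 200 packets of 1400 bytes to one server in 10 s.
    for i in range(200):
        records.append((i * 0.05, "198.51.100.7", "192.0.2.10", "tcp", 1400))
    # Small-packet UDP flood: 5000 packets of 60 bytes from 250 sources in 10 s.
    for i in range(5000):
        records.append((i * 0.002, f"203.0.113.{i % 250 + 1}", "192.0.2.50", "udp", 60))
    return records

WINDOW_S = 10
STATS = per_destination_rates(constructed_sample(), WINDOW_S)

if __name__ == "__main__":
    for s in STATS:
        print(f'{s["dst"]:<12} pps={s["pps"]:>6.0f} bps={s["bps"]:>8.0f} '
              f'mean={s["mean_size"]:>6.0f}B sources={s["sources"]}')
    print("likely flood targets:", likely_flood_targets(STATS))
```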

