Security Incidents mailing list archives
Re: DoS attack... what to do?
From: Jose Nazario <jose () monkey org>
Date: Tue, 4 Jan 2005 19:19:06 -0500 (EST)
On Tue, 4 Jan 2005, Bernie Cosell wrote:
> How do you do this? If the packets coming in have forged source-IP addresses, how do you trace them backwards?
backtrace via the input and output interface IDs from the devices the traffic traverses. if you have a well formed characteristic (i.e. SYN packets destined to a particular dest and dport) you can trace it that way. follow it back as far as you can go and, if it crosses operational boundaries, get some cooperation (in the case of very large events). cisco does this, arbor does this, etc ...

________
jose nazario, ph.d. jose () monkey org
http://monkey.org/~jose/ http://infosecdaily.net/
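The hop-by-hop backtrace described in the reply above, as an added example that is not part of the original post: it ignores the forged source addresses, matches the attack characteristic (SYN-only packets to one destination and dport), and follows the input interface IDs upstream until the traffic crosses an operational boundary. The router names, interface indexes, flow records and topology map are constructed, and per-router flow records carrying an input interface ID (NetFlow-style) are an assumption.

```python
from collections import Counter

# Constructed sample data: flow records as exported per router (NetFlow-style
# fields). Source addresses are forged, so the trace never looks at them.
VICTIM, DPORT, SYN = "192.0.2.10", 80, 0x02
FLOWS = [
    # (router, in_if, out_if, src, dst, dport, tcp_flags, packets)
    ("edge-c", 3, 1, "10.1.1.1", VICTIM, 80, SYN, 90000),
    ("edge-c", 4, 1, "198.51.100.7", VICTIM, 80, 0x18, 1200),   # normal traffic
    ("core-b", 7, 2, "172.16.9.9", VICTIM, 80, SYN, 60000),
    ("core-b", 8, 2, "10.44.2.1", VICTIM, 80, SYN, 30000),
    ("core-b", 8, 2, "10.44.2.1", "192.0.2.99", 80, SYN, 500),  # other dest
    ("border-a", 1, 5, "203.0.113.5", VICTIM, 80, SYN, 60000),
    ("border-d", 2, 6, "10.9.9.9", VICTIM, 80, SYN, 30000),
]
# Constructed topology: (router, input interface) -> what is attached upstream.
LINKS = {
    ("edge-c", 3): "core-b", ("edge-c", 4): "core-b",
    ("core-b", 7): "border-a", ("core-b", 8): "border-d",
    ("border-a", 1): "EXTERNAL:peer-1", ("border-d", 2): "EXTERNAL:peer-2",
}

def matches(flow):
    """Attack characteristic: SYN-only packets to the victim address and port."""
    _, _, _, _, dst, dport, flags, _ = flow
    return dst == VICTIM and dport == DPORT and flags == SYN

def backtrace(router, path=()):
    """Return every path from `router` back to an operational boundary."""
    per_if = Counter()
    for flow in FLOWS:
        if flow[0] == router and matches(flow):
            per_if[flow[1]] += flow[7]          # packets per input interface
    if not per_if:                              # no flow data for this device
        return [path + (("NO-DATA:" + router, None, 0),)]
    results = []
    for in_if, pkts in per_if.most_common():    # heaviest ingress first
        hop = path + ((router, in_if, pkts),)
        upstream = LINKS.get((router, in_if), "UNKNOWN")
        if upstream.startswith("EXTERNAL:") or upstream == "UNKNOWN":
            results.append(hop + ((upstream, None, pkts),))  # needs cooperation
        else:
            results.extend(backtrace(upstream, hop))
    return results

if __name__ == "__main__":
    for p in backtrace("edge-c"):
        print(" <- ".join(r if i is None else f"{r}[if {i}] {n} pkts" for r, i, n in p))
```

Each returned path ends at the point where the trace leaves the local network, which is where the cooperation mentioned in the reply would be requested.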