nanog mailing list archives

Re: Identifying DoS sources quickly (was: Bogon list or Dshield.org type list)

From: "Nipper, Arnold" <arnold () nipper de>
Date: Tue, 30 Jul 2002 17:16:18 +0200


Hank Nussbacher wrote:

So, to restate the problem, how do we identify some of the sources of a
DoS attack quickly, maybe even while the attack is still in progress?


Not a complete solution but a start:
IP Source Tracker:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120
limit/120s/120s21/ipst.htm


Available as of 12.0(22)S for 7500 and 12000 series Cisco routers.


Hank,

one major flaw with this is that you can't track back further when you are
on an (ethernet based) IXP. IIRC older versions of IOS gave L2 information
(MAC address) as well which helped you to identify the last hop.


-- Arnold
--
Arnold Nipper / nIPper consulting
e-mail: arnold () nipper de
phone/mob: +49 172 265 0958
fax: +49 6224 9259 333

Current thread:

Identifying DoS sources quickly (was: Bogon list or Dshield.org type list) michael . dillon (Jul 30)
- Re: Identifying DoS sources quickly (was: Bogon list or Dshield.org type list) Hank Nussbacher (Jul 30)
  - Re: Identifying DoS sources quickly (was: Bogon list or Dshield.org type list) Nipper, Arnold (Jul 30)
    - Re: Identifying DoS sources quickly (was: Bogon list or Dshield.org type list) Randy Bush (Jul 30)
    - Re: Identifying DoS sources quickly (was: Bogon list or Dshield.org type list) Rafi Sadowsky (Jul 30)
    - Re: Identifying DoS sources quickly (was: Bogon list or Dshield.org type list) Randy Bush (Jul 31)
    - Re: Identifying DoS sources quickly (was: Bogon list or Dshield.org type list) Jesper Skriver (Jul 31)
- Re: Identifying DoS sources quickly (was: Bogon list or Dshield.org type list) Ralph Doncaster (Jul 30)
- Re: Identifying DoS sources quickly (was: Bogon list or Dshield.org type list) Dan Hollis (Jul 30)