nanog mailing list archives
Re: Identifying DoS sources quickly (was: Bogon list or Dshield.org type list)
From: "Nipper, Arnold" <arnold () nipper de>
Date: Tue, 30 Jul 2002 17:16:18 +0200
Hank Nussbacher wrote:
So, to restate the problem, how do we identify some of the sources of a DoS attack quickly, maybe even while the attack is still in progress?

Not a complete solution but a start: IP Source Tracker:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s21/ipst.htm
Available as of 12.0(22)S for 7500 and 12000 series Cisco routers.

Hank, one major flaw with this is that you can't track back further when you are on an (ethernet based) IXP. IIRC older versions of IOS gave L2 information (MAC address) as well which helped you to identify the last hop.

-- Arnold
--
Arnold Nipper / nIPper consulting
e-mail: arnold () nipper de
phone/mob: +49 172 265 0958
fax: +49 6224 9259 333