Re: [nsp] DoS tracking

From: Scot bethke (kbethke@ezy.net)
Date: Wed Feb 09 2000 - 14:10:27 EST


Tracking is much needed! Didn't Sprint use to offer something to track this
stuff?

It took Yahoo 3 hours to detect and fix this. Are there any tips on how to
figure this kind of attack out faster, or better yet how to prevent it from
happening at all?

-Scott

----- Original Message -----
From: "Charles Sprickman" <spork@inch.com>
To: <cisco-nsp@puck.nether.net>
Sent: Wednesday, February 09, 2000 1:11 PM
Subject: [nsp] DoS tracking

> Hello,
>
> With all the attacks happening these days (yahoo, cnn, etrade, etc.), I'm
> wondering if anyone here could share their techniques for tracking down
> source addresses using netflow (or any other nifty methods you may have).
>
> While many attacks have varying source addresses, some don't and it seems
> possible to at least try to block some of the traffic. Basically what I'm
> looking to do is hopefully start a thread here where we can share info
> about how to identify and quell some of the more common attacks.
>
> Some ideas:
>
> -netflow for dummies
> -quick-n-dirty netflow collector setup
> -using tcpdump/snoop to identify huge flows
> -capabilities of various cisco platforms for flow collection and filtering
> (ie: when will the router just fall over and die)
> -talking to / educating your upstream
>
> Just thought it would be useful for some of us smaller ops on this list to
> start talking about this now rather than at the time someone is being hit
> and is in a panic... This seems like a more appropriate forum than NANOG,
> so I'm posting here, let me know if this is not a good assumption.
>
> Thanks,
>
> Charles
>
> --
> =-----------------= =
> | Charles Sprickman Internet Channel |
> | INCH System Administration Team (212)243-5200 |
> | spork@inch.com access@inch.com |
> = =----------------=
>
>


