Re: [nsp] DoS tracking

From: Ed Swenson (swenson@cisco.com)
Date: Wed Feb 09 2000 - 14:04:09 EST


I will suggest

http://www.cisco.com/warp/public/707/advisory.html

especially "Characterizing and Tracing Packet Floods Using Cisco Routers"
at http://www.cisco.com/warp/public/707/22.html

as a start.

ed

>
> Hello,
>
> With all the attacks happening these days (yahoo, cnn, etrade, etc.), I'm
> wondering if anyone here could share their techniques for tracking down
> source addresses using netflow (or any other nifty methods you may have).
>
> While many attacks have varying source addresses, some don't and it seems
> possible to at least try to block some of the traffic. Basically what I'm
> looking to do is hopefully start a thread here where we can share info
> about how to identify and quell some of the more common attacks.
>
> Some ideas:
>
> - netflow for dummies
> - quick-n-dirty netflow collector setup
> - using tcpdump/snoop to identify huge flows
> - capabilities of various cisco platforms for flow collection and filtering
>   (i.e. when will the router just fall over and die)
> - talking to / educating your upstream
>
> Just thought it would be useful for some of us smaller ops on this list to
> start talking about this now rather than at the time someone is being hit
> and is in a panic... This seems like a more appropriate forum than NANOG,
> so I'm posting here, let me know if this is not a good assumption.
>
> Thanks,
>
> Charles
>
> --
> Charles Sprickman                   Internet Channel
> INCH System Administration Team     (212)243-5200
> spork@inch.com                      access@inch.com

This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:09 EDT