[nsp] DoS tracking

From: Charles Sprickman (spork@inch.com)
Date: Wed Feb 09 2000 - 13:11:00 EST


Hello,

With all the attacks happening these days (yahoo, cnn, etrade, etc.), I'm
wondering if anyone here could share their techniques for tracking down
source addresses using netflow (or any other nifty methods you may have).

While many attacks have varying source addresses, some don't and it seems
possible to at least try to block some of the traffic. Basically what I'm
looking to do is hopefully start a thread here where we can share info
about how to identify and quell some of the more common attacks.

Some ideas:

-netflow for dummies
-quick-n-dirty netflow collector setup
-using tcpdump/snoop to identify huge flows
-capabilities of various cisco platforms for flow collection and filtering
 (i.e.: when will the router just fall over and die)
-talking to / educating your upstream

Just thought it would be useful for some of us smaller ops on this list to
start talking about this now rather than at the time someone is being hit
and is in a panic... This seems like a more appropriate forum than NANOG,
so I'm posting here, let me know if this is not a good assumption.

Thanks,

Charles

-- 
=-----------------=                                        = 
| Charles Sprickman                       Internet Channel |
| INCH System Administration Team         (212)243-5200    |
| spork@inch.com                          access@inch.com  |
=                                         =----------------=
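As an added example (not part of Charles's post or any project's code), a small Python script that aggregates `tcpdump -nn` output per source address, ranks the top talkers, and emits candidate Cisco ACL deny lines for a source that is not varying; the sample lines and the packet threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in `tcpdump -nn` output format (not a real capture).
SAMPLE_LINES = """\
13:11:00.000001 IP 192.0.2.10.4444 > 198.51.100.5.80: Flags [S], seq 1, win 512, length 0
13:11:00.000101 IP 192.0.2.10.4445 > 198.51.100.5.80: Flags [S], seq 1, win 512, length 0
13:11:00.000201 IP 203.0.113.7.53 > 198.51.100.5.1025: UDP, length 1400
13:11:00.000301 IP 203.0.113.7.53 > 198.51.100.5.1026: UDP, length 1400
13:11:00.000401 IP 203.0.113.7.53 > 198.51.100.5.1027: UDP, length 1400
13:11:00.000501 IP 198.51.100.20.40000 > 198.51.100.5.80: Flags [P.], seq 1:80, ack 1, win 512, length 79
""".splitlines()

# src, sport, dst, dport and the payload length tcpdump prints at the end.
LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): .*?length (\d+)")

def parse_line(line):
    """Return (src, sport, dst, dport, length) or None for non-IP lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, sport, dst, dport, length = m.groups()
    return src, int(sport), dst, int(dport), int(length)

def aggregate_by_source(lines):
    """Packets, bytes and distinct destination ports seen per source."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "dports": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, _sport, _dst, dport, length = rec
        stats[src]["packets"] += 1
        stats[src]["bytes"] += length
        stats[src]["dports"].add(dport)
    return stats

def top_talkers(stats, n=3):
    """Sources ordered by packet count, then bytes, largest first."""
    key = lambda s: (stats[s]["packets"], stats[s]["bytes"])
    return sorted(stats, key=key, reverse=True)[:n]

def suggest_acl(stats, min_packets, acl=101):
    """Cisco extended-ACL deny lines for sources at or above min_packets.
    Only useful when the source is not varying; review before applying."""
    return [f"access-list {acl} deny ip host {src} any"
            for src in top_talkers(stats, n=len(stats))
            if stats[src]["packets"] >= min_packets]

if __name__ == "__main__":
    st = aggregate_by_source(SAMPLE_LINES)
    for src in top_talkers(st):
        print(src, st[src]["packets"], "pkts", st[src]["bytes"], "bytes")
    print("\n".join(suggest_acl(st, min_packets=3)))
```

Feed it real output with `tcpdump -nn -i <iface> | python3 script.py` style plumbing only after replacing SAMPLE_LINES with stdin; the packet threshold should be tuned to the link's normal per-source rate.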
This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:09 EDT