Re: [nsp] DoS tracking

From: Deepak Jain (deepak@ai.net)
Date: Wed Feb 09 2000 - 18:08:33 EST


Send your flow traffic logs to several sets of machines. Even if the
routers get smashed under the load, you will usually be able to pick up
the last 30 seconds or so of traffic. It helps identify type of attack and
ingress interface.

YMMV,

Deepak Jain
AiNET

On Wed, 9 Feb 2000, Scot bethke wrote:

> Tracking is much needed! Didn't Sprint used to offer something to track this
> stuff?
>
> It took Yahoo 3 hours to detect and fix this, are there any tips on how to
> figure this kind of attack out faster, or better yet how to prevent it from
> happening at all?
>
> -Scott
>
> ----- Original Message -----
> From: "Charles Sprickman" <spork@inch.com>
> To: <cisco-nsp@puck.nether.net>
> Sent: Wednesday, February 09, 2000 1:11 PM
> Subject: [nsp] DoS tracking
>
>
> > Hello,
> >
> > With all the attacks happening these days (yahoo, cnn, etrade, etc.), I'm
> > wondering if anyone here could share their techniques for tracking down
> > source addresses using netflow (or any other nifty methods you may have).
> >
> > While many attacks have varying source addresses, some don't and it seems
> > possible to at least try to block some of the traffic. Basically what I'm
> > looking to do is hopefully start a thread here where we can share info
> > about how to identify and quell some of the more common attacks.
> >
> > Some ideas:
> >
> > -netflow for dummies
> > -quick-n-dirty netflow collector setup
> > -using tcpdump/snoop to identify huge flows
> > -capabilities of various cisco platforms for flow collection and filtering
> > (ie: when will the router just fall over and die)
> > -talking to / educating your upstream
> >
> > Just thought it would be useful for some of us smaller ops on this list to
> > start talking about this now rather than at the time someone is being hit
> > and is in a panic... This seems like a more appropriate forum than NANOG,
> > so I'm posting here, let me know if this is not a good assumption.
> >
> > Thanks,
> >
> > Charles
> >
> > --
> > Charles Sprickman                  Internet Channel
> > INCH System Administration Team    (212)243-5200
> > spork@inch.com                     access@inch.com
> >
> >
>
>



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:10 EDT