Re: [nsp] DoS tracking

From: George Robbins (grr@shandakor.tharsis.com)
Date: Wed Feb 09 2000 - 18:33:12 EST


> Date: Wed, 9 Feb 2000 13:53:13 -0600
> From: Edward Henigin <ed@staff.texas.net>
> To: cisco-nsp@puck.nether.net
> Subject: Re: [nsp] DoS tracking
>
> Right now I'm more concerned with some low-volume DOS
> attacks which are capable of killing a 7513/RSP4. I don't know
> what the hell can do that, but I've seen a couple of instances in
> the past where one of my routers' CPU load shoots up, HDLC connections
> drop (T1 and T3), and BGP sessions go down. Since the behaviour
> is so anomalous, my best guess is that it's some sort of DOS attack.
>
> But it's a low-volume DOS attack. There is no traffic
> spike according to my MRTG. I see nothing to make me believe that
> the issue is any kind of flood directed at the router or any hosts
> behind the router. So it must be some sort of specific vulnerability
> in IOS, or maybe in routers in general, that I'm not thinking of or
> am not aware of.
>
> Anyone have any pointers, experience, suggestions for
> getting educated about this?

Don't trust MRTG in a situation like this. If the CPU is bogged then
it may not respond to the SNMP requests, and MRTG will just show you
the same old data, plus the response time usually relegates you to
after the fact... If possible, check the other end of your link.

Does the router recover if you wait or isolate it from the network?

                                                George
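
[Added example, not part of the original post] One way to check whether a "no traffic spike" graph can be trusted: scan the raw poll history for windows in which the router returned no fresh counter value. The sample data, the 300-second interval and the function name are constructed assumptions, and the check assumes a link that normally carries traffic, so an unchanged counter means a stale reading.

```python
# Constructed sample: (unix_time, ifInOctets value, or None if the poll timed out).
SAMPLES = [
    (0, 1_000_000),
    (300, 1_450_000),
    (600, 1_910_000),
    (900, 1_910_000),   # counter did not move: stale or repeated reading
    (1200, None),       # SNMP request went unanswered
    (1500, 1_910_000),
    (1800, 5_200_000),  # router answers again; counter moved while we were blind
    (2100, 5_640_000),
]


def blind_windows(samples, interval=300, slack=1.5):
    """Return (start, end, avg_bytes_per_sec) for spans with no fresh data.

    A sample is fresh when the poll was answered and the counter changed.
    avg_bytes_per_sec is the real average over the blind span, computed from
    the counters on either side; it is None when the span is still open.
    """
    windows = []
    fresh_t = fresh_v = None
    for t, v in samples:
        if v is None or v == fresh_v:
            continue  # timeout or unchanged counter: nothing new was learned
        if fresh_t is not None and t - fresh_t > interval * slack:
            delta = (v - fresh_v) % 2**32  # tolerate one 32-bit counter wrap
            windows.append((fresh_t, t, round(delta / (t - fresh_t))))
        fresh_t, fresh_v = t, v
    # Blind span that has not ended yet (router still silent at the last poll).
    last_t = samples[-1][0] if samples else None
    if fresh_t is not None and last_t - fresh_t > interval * slack:
        windows.append((fresh_t, last_t, None))
    return windows


if __name__ == "__main__":
    for start, end, rate in blind_windows(SAMPLES):
        print(f"no fresh data from t={start} to t={end}, avg rate {rate} B/s")
```

Any window it reports is a period where the graph says nothing about traffic, which is when counters from the other end of the link are the ones to read.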


