Re: [nsp] DoS tracking

From: Eric Weigel (ericw@bestnet.org)
Date: Thu Feb 10 2000 - 02:24:41 EST


To this excellent and informative discussion I would add two things,
both non-technical: know your enemy, and know your friends.

Knowing your enemy means understanding who would attack you, and why.

Knowing your friends means you or your staff knows who to contact at
your upstream, and how to escalate a problem report quickly if needed.

Knowing your enemy example: We host a web site that a certain
government doesn't like. They syn flooded us for a week, attempted to
root the web server the site was on, attempted to bring down our email
system, etc. Knowing who was doing the attack, and why they were doing
it, allowed us to anticipate their actions and contain the effects
easily.

Knowing your friends example: We were under a smurf attack one day,
and I called into our upstream provider to ask for a filter. They were
having some other technical problem; the tech who got my ticket thought
it was that problem and stuck it at the bottom of the pile. I didn't
know how to properly escalate the issue, so we were dead for about 6
hours until we were able to get the problem resolved.

On Wed, 09 Feb 2000, Charles Sprickman wrote:
> Hello,
>
> With all the attacks happening these days (yahoo, cnn, etrade, etc.), I'm
> wondering if anyone here could share their techniques for tracking down
> source addresses using netflow (or any other nifty methods you may have).
>
> While many attacks have varying source addresses, some don't and it seems
> possible to at least try to block some of the traffic. Basically what I'm
> looking to do is hopefully start a thread here where we can share info
> about how to identify and quell some of the more common attacks.
>
> Some ideas:
>
> -netflow for dummies
> -quick-n-dirty netflow collector setup
> -using tcpdump/snoop to identify huge flows
> -capabilities of various cisco platforms for flow collection and filtering
> (ie: when will the router just fall over and die)
> -talking to / educating your upstream
>
> Just thought it would be useful for some of us smaller ops on this list to
> start talking about this now rather than at the time someone is being hit
> and is in a panic... This seems like a more appropriate forum than NANOG,
> so I'm posting here, let me know if this is not a good assumption.
>
> Thanks,
>
> Charles
>
> --
> =-----------------= =
> | Charles Sprickman Internet Channel |
> | INCH System Administration Team (212)243-5200 |
> | spork@inch.com access@inch.com |
> = =----------------=

-- 

Just walk along and try NOT to think about your intestines being almost forty yards long.
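The thread above asks for ways to use netflow-style data to find the source addresses behind the big flows, and Eric's examples name a syn flood and a smurf attack. The script below is an added illustration written for this archive page, not code from either poster: it aggregates a small set of constructed flow records (the text format, the single-letter TCP flag encoding and all addresses are assumptions, not real collector output) and reports three things a defender would hand to an upstream provider when asking for a filter: the destinations receiving the most packets, destination ports receiving SYN-only flows from many sources, and the /24 networks acting as smurf amplifiers toward one victim.

```python
"""Aggregate NetFlow-style records to spot the flows behind a DoS (added example)."""
from collections import defaultdict
import ipaddress

# Constructed sample records (not real collector output); one flow per line:
# src dst proto sport dport tcpflags packets
# tcpflags is a constructed encoding: letters for the flags seen in the flow.
SAMPLE_FLOWS = """\
198.51.100.7 203.0.113.10 tcp 40231 80 S 1200
198.51.100.8 203.0.113.10 tcp 40232 80 S 1150
198.51.100.9 203.0.113.10 tcp 40233 80 S 1300
198.51.100.10 203.0.113.10 tcp 40234 80 S 900
192.0.2.55 203.0.113.10 tcp 52100 80 SA 52
192.0.2.60 203.0.113.25 tcp 52101 25 SA 8
192.0.2.3 203.0.113.40 icmp 0 0 - 4000
192.0.2.4 203.0.113.40 icmp 0 0 - 3900
192.0.2.5 203.0.113.40 icmp 0 0 - 4100
192.0.2.6 203.0.113.40 icmp 0 0 - 3800
192.0.2.7 203.0.113.40 icmp 0 0 - 4200
203.0.113.25 198.51.100.200 icmp 0 0 - 2
"""


def parse_flows(text):
    """Turn the whitespace-separated records into a list of dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, proto, sport, dport, flags, pkts = line.split()
        flows.append({"src": src, "dst": dst, "proto": proto,
                      "sport": int(sport), "dport": int(dport),
                      "flags": flags, "packets": int(pkts)})
    return flows


def top_destinations(flows, n=3):
    """Packets per destination, largest first: the 'huge flows' to look at first."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["dst"]] += f["packets"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def syn_flood_sources(flows, min_sources=3):
    """(dst, port) pairs receiving SYN-only TCP flows from at least min_sources hosts.

    Normal clients complete the handshake, so their flows carry ACK as well;
    a pile of SYN-only flows from many sources to one port is the flood.
    """
    syn_only = defaultdict(set)
    for f in flows:
        if f["proto"] == "tcp" and f["flags"] == "S":
            syn_only[(f["dst"], f["dport"])].add(f["src"])
    return {k: sorted(v) for k, v in syn_only.items() if len(v) >= min_sources}


def smurf_amplifiers(flows, min_sources=3):
    """Per victim, the /24 networks sending ICMP from many distinct hosts.

    Smurf traffic is echo replies from every host on a broadcast-reachable
    network, so the amplifier network shows up as many sources in one /24
    converging on a single destination.
    """
    by_victim = defaultdict(set)
    for f in flows:
        if f["proto"] == "icmp":
            by_victim[f["dst"]].add(f["src"])
    result = {}
    for victim, srcs in by_victim.items():
        nets = defaultdict(set)
        for s in srcs:
            nets[str(ipaddress.ip_network(s + "/24", strict=False))].add(s)
        hits = {net: len(hosts) for net, hosts in nets.items()
                if len(hosts) >= min_sources}
        if hits:
            result[victim] = hits
    return result


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("top destinations:", top_destinations(flows))
    print("SYN-only sources:", syn_flood_sources(flows))
    print("smurf amplifier networks:", smurf_amplifiers(flows))
```

The two detectors deliberately report different things. The SYN flood sources in a real attack are often spoofed, so the list is only useful as evidence for the upstream provider to trace hop by hop; the smurf amplifier network, by contrast, is a real network and is exactly the prefix to name when asking for a filter.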



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:10 EDT