[c-nsp] DoS tracking on the 6500

Dale W. Carder dwcarder at doit.wisc.edu
Thu Mar 17 18:10:04 EST 2005


Hi John,

What are your netflow/mls settings, specifically are you recording src
and dest information, because perhaps dest-only didn't capture the
data you needed?  Are you sampling?  What is your table size set at?

Are you running hybrid CatOS+IOS?  If so, you probably want to
look at the netflow data that the supervisor knows about from CatOS.
Off the top of my head (we don't run hybrid anymore) I want to say
that the command to try is "sh mls ent long".  In native mode
it's something along the lines of "sh mls netflow ip nowrap".

Something like that should work fine as long as netflow was recording
the info to begin with.  We track the number of netflow entries via
SNMP as a step in detecting DoS attacks.

Dale

On Mar 17, 2005, at 12:52 PM, Jon Lewis wrote:

> We got hit with a D?DoS attack last night of at least several hundred
> mbit/s.  Tracking down the src/dest of the attack was complicated by the
> fact that we've begun to migrate our internet circuits from 7500s to
> 6500s.
>
> The 7500 with an OC3 transit was pretty much unusable during the attack,
> so I didn't get to look at show ip cache flow on it.  The 6500s did much
> better (basically no increase in CPU load even though transit FEs were
> filled beyond capacity).  But, looking at show ip cache flow or show mls
> netflow ip, I'd say the data was highly sampled, perhaps only what little
> bit was handled by the SUP2 while nearly all traffic is switched by the
> MSFC2.  Fortunately, I did see a couple of suspiciously large flows even
> in the very sparse output and was able to have our upstreams null route
> the target.
>
> Is there a way to see the equivalent of show ip cache flow (executed on
> the input VIP) from a 7500 on a 6500?  Is looking at exported netflow an
> (the only?) option?
>
> ----------------------------------------------------------------------
>  Jon Lewis                   |  I route
>  Senior Network Engineer     |  therefore you are
>  Atlantic Net                |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
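Dale mentions watching the number of netflow entries via SNMP as a DoS indicator. The following is an added example, not code from either poster: it assumes the entry count is polled periodically (the OID is a labelled placeholder, and the poll itself is left out) and shows the surge-detection step run over a constructed series of samples.

```python
"""Flag surges in a router's netflow entry count (added example).

A flood with spoofed or widely spread sources creates a burst of new flow
entries well before CPU load on a 6500 shows anything, so the flow-table
size is a cheap early signal.  The SNMP poll is assumed; only the detection
logic is shown, run over a constructed sample series.
"""
from dataclasses import dataclass

# Assumption: replace with the MIB object your platform exposes for the
# active netflow entry count.  Placeholder, not a real OID.
NETFLOW_ENTRIES_OID = "PLACEHOLDER.netflow.entry.count"


@dataclass
class Alert:
    index: int        # position of the offending sample in the series
    value: float      # observed entry count
    baseline: float   # EWMA baseline it was compared against


def detect_surges(samples, alpha=0.2, warmup=5, factor=3.0, min_abs=1000):
    """Return Alerts for samples exceeding factor * baseline and baseline + min_abs.

    The baseline is an exponentially weighted moving average updated only
    from non-alerting samples, so a sustained flood is not absorbed into
    "normal".  No alerts are raised during the first `warmup` samples.
    """
    baseline = None
    alerts = []
    for i, v in enumerate(samples):
        if baseline is None:
            baseline = float(v)
            continue
        if i >= warmup and v > baseline * factor and v > baseline + min_abs:
            alerts.append(Alert(i, float(v), baseline))
            continue
        baseline = alpha * v + (1 - alpha) * baseline
    return alerts


# Constructed sample: counts polled once a minute, quiet around 12k entries,
# then a three-sample flood, then back to normal.
SAMPLE_COUNTS = [12000, 12400, 11800, 12900, 12100, 12600, 12300,
                 60000, 95000, 110000, 12500, 12200]

if __name__ == "__main__":
    for a in detect_surges(SAMPLE_COUNTS):
        print(f"sample {a.index}: {a.value:.0f} entries vs baseline {a.baseline:.0f}")
```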
