[c-nsp] ISP Attack Discovery

Nick Voth nvoth at estreet.com
Wed Apr 7 12:58:20 EDT 2010


One of the most useful tools we use all the time is a packet sniffer.
Wireshark is great:

http://www.wireshark.org/

You would have to have a PC plugged into a mirror port on your main switch
in order to see all the packets.

With the packet trace, you can get a good idea of who is sending the most
traffic and where it's going. After you have that info, you have to have a
firewall or switch/router ACL that can block the traffic. If it's a single
source IP (or a handful), that will work well. If the attack is distributed
from hundreds or thousands of IP addresses, you really have to have a more
intelligent device/firewall that can do session limiting, etc. That gets
pretty complicated.

Hope that helps.

-Nick Voth


> Message: 1
> Date: Wed, 7 Apr 2010 15:49:21 +0000
> From: sherif mostafa <sherifmka2004 at hotmail.com>
> To: <cisco-nsp at puck.nether.net>
> Subject: [c-nsp] ISP Attack Discovery
> Message-ID: <BAY121-W2550986051311F7C40217DAD170 at phx.gbl>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> I'm working at an ISP, and with our monitoring tools I sometimes find a large
> number of packets/sec, which is most probably because of an attack. The
> scenario is that I have a large subnet for my ISP segmented into smaller
> subnets that are advertised to three international providers. My questions are:
> 
> How could I isolate the subnet which has the attack source IP?
> How could I know the source IP of the attacker directly?
> How can I detect the attacker if the attack is from outside my ISP to an
> internal IP?
> How could I investigate this issue?
> 
> If anyone has experience in how to prevent or detect attacks and drop that
> traffic, please share your knowledge with me.
> 
> Thx.
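Nick's procedure above (sniff on a mirror port, find the top senders and where their traffic is going, then decide between a plain ACL and something that can rate-limit) can be worked through on a summarised trace. The script below is an added example, not code from Nick Voth or the cisco-nsp list. The packet records and the list of announced subnets are constructed sample data drawn from the RFC 5737 documentation ranges, and the 80% coverage threshold that separates "a handful of sources" from "distributed" is an assumed cut-off you would tune for your own network.

```python
# Top-talker analysis over a packet trace, feeding a simple ACL decision.
# Added example; the packet records, subnet list and threshold are constructed.
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed: the ISP's announced customer subnets (RFC 5737 documentation space).
ISP_SUBNETS = [ip_network(s) for s in ("203.0.113.0/25", "203.0.113.128/25")]

# Constructed packet records as (src_ip, dst_ip) pairs, the way a sniffer on a
# mirror port would summarise a capture. Two hosts dominate, the rest is noise.
SAMPLE_PACKETS = (
    [("198.51.100.7", "203.0.113.10")] * 60
    + [("198.51.100.9", "203.0.113.10")] * 25
    + [("192.0.2.44", "203.0.113.200")] * 5
    + [("192.0.2.45", "203.0.113.10")] * 4
    + [("192.0.2.46", "203.0.113.140")] * 6
)

# Constructed: one packet each from 100 distinct sources to the same target,
# the "hundreds of IPs" case where host-by-host ACL entries stop scaling.
DISTRIBUTED_PACKETS = [(f"192.0.2.{i}", "203.0.113.10") for i in range(1, 101)]


def top_talkers(packets, n=5):
    """Source IPs sending the most packets, highest first."""
    return Counter(src for src, _ in packets).most_common(n)


def top_destinations(packets, n=5):
    """Destination IPs receiving the most packets, highest first."""
    return Counter(dst for _, dst in packets).most_common(n)


def targeted_subnets(packets, subnets):
    """Packets per announced subnet, so the subnet under attack can be isolated."""
    counts = Counter()
    for _, dst in packets:
        addr = ip_address(dst)
        for net in subnets:
            if addr in net:
                counts[str(net)] += 1
                break
    return counts.most_common()


def block_plan(packets, share=0.8, max_sources=5):
    """Decide whether a plain ACL is enough.

    Returns ("acl", [sources]) when at most `max_sources` sources account for
    `share` of all packets; otherwise ("distributed", []), meaning per-host
    deny entries will not scale and session/rate limiting is needed.
    """
    total = len(packets)
    picked, covered = [], 0
    for src, count in top_talkers(packets, max_sources):
        picked.append(src)
        covered += count
        if covered / total >= share:
            return "acl", picked
    return "distributed", []


def cisco_acl(sources, name="BLOCK-ATTACK"):
    """Render an IOS named extended ACL that drops the listed hosts.

    The trailing permit matters: a named ACL ends in an implicit deny, so
    without it every other packet through the interface is dropped too.
    """
    lines = [f"ip access-list extended {name}"]
    lines += [f" deny ip host {src} any" for src in sources]
    lines.append(" permit ip any any")
    return lines


if __name__ == "__main__":
    print("Top talkers:", top_talkers(SAMPLE_PACKETS))
    print("Top destinations:", top_destinations(SAMPLE_PACKETS))
    print("Targeted subnets:", targeted_subnets(SAMPLE_PACKETS, ISP_SUBNETS))
    verdict, sources = block_plan(SAMPLE_PACKETS)
    print("Plan:", verdict)
    if verdict == "acl":
        print("\n".join(cisco_acl(sources)))
    print("Distributed sample plan:", block_plan(DISTRIBUTED_PACKETS)[0])
```

On the constructed trace two sources carry 85 of 100 packets, so the plan is a two-line ACL; on the 100-source sample the top five cover only 5%, so the script reports "distributed" and leaves the ACL empty, which is the point at which Nick's "more intelligent device" is needed. To use it on a real capture, feed it the source/destination pairs exported from Wireshark's conversation statistics in place of `SAMPLE_PACKETS`.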
