[j-nsp] netflow/Tracking DDoS
Eric Whitehill
Eric.Whitehill at onvoy.com
Wed Apr 14 17:02:21 EDT 2004
G'day!
Over the last couple of days, I've been attempting to track down a nasty little DDoS attack which has been occurring on and off against a customer of mine. I'm mainly a Cisco guy, but the attacks the customer has been getting are increasing in size and amount, and I just can't put an ACL/netflow on any sort of Cisco (up to 20,000 pps, and filling an OC-3).
I have an idea of what /20 the attack is destined for, but I just can't prove it. I'd be working on M10's, version 5.7R2.4. I was thinking of doing some sort of policy map, but I'm not sure enough on how to do it. Should I attempt to do something through firewall? I would like to figure out the destination for the attack, and what packets it consists of. I have been able to do a rate limit on several of the major targets (ICMP, port 135 bombs, etc.) from my C-brand routers, but nothing seems to catch it.
I'm not very Juniper savvy yet (working my way there!) so any assistance would be helpful, and at the next NANOG I see you at, if it works, I'll buy you a beer.
-Eric
--
Eric Whitehill - 44.58.39N, 93.15.56W
Onvoy - ericw at onvoy.com - ASN5006
"Out the Gig-E, through the router, down the OC-12's, over the leased line, off the bridge, past the firewall...nothing but Net."