North American Network Operators Group

Re: Ping flooding (fwd)
On Jul 9, 14:21, Curtis Villamizar <[email protected]> wrote:
> The NSS routers allow us to do statistical sampling continuously and
> the occurrence of a source address at an entry point where it does not
> usually enter can be detected and has in the past been used to
> follow up these sort of attacks after the fact. Other routers are not
> capable of doing this but if the offense is repeated, successive
> monitoring can be set up until the source is isolated.
>
> We have requested the same sort of statistical sampling from Cisco and
> Bay (and BNR/NSC). It is a long ways back on the development schedule

Maybe I'm missing something, but flow switching stats from Ciscos
should do exactly this:

SrcIf  SrcIPaddress    DstIf  DstIPaddress    Pr DstP SrcP  Pkts B/Pk Active
Se1/0  194.130.16.17   Se1/6  130.144.65.1    11 0035 0035     2   69    0.0
Et0/2  193.122.198.1   Se1/1  128.218.14.87   06 0050 0FA3     2   40    0.0
Se1/5  130.144.65.1    Se1/0  194.130.16.17   11 0035 0035     2   69    0.0
Se1/1  153.36.40.52    Et0/1  193.74.242.1    06 0413 0050     4   44    9.6
Se1/5  194.178.24.22   Se1/7  146.228.10.11   06 0407 0050   124   40  207.6
Se1/7  146.228.10.11   Se1/6  194.178.24.22   06 0050 0405   648  550  673.4
Se1/5  194.165.95.69   Se1/0  205.216.146.69  06 0430 0050     5  164    6.2

etc, etc. Dump, then grep.

--
Per G. Bilse, Mgr Network Operations Ctr
EUnet Communications Services B.V.
Singel 540, 1017 AZ Amsterdam, NL
tel: +31 20 6233803, fax: +31 20 6224657
24hr emergency number: +31 20 421 0865
Connecting Europe since 1982
http://www.EU.net e-mail: [email protected]
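
The check discussed in this message (a source address showing up at an entry point where it does not usually enter), run over a flow-cache dump in the format shown above. This is an added example, not code from the thread or from any router vendor; the baseline table, the function names and the last row of the sample dump are constructed assumptions.

```python
import ipaddress

# Rows taken from the dump in the message, plus one CONSTRUCTED row (the last)
# so that the check has something to flag.
FLOW_DUMP = """\
SrcIf SrcIPaddress DstIf DstIPaddress Pr DstP SrcP Pkts B/Pk Active
Se1/0 194.130.16.17 Se1/6 130.144.65.1 11 0035 0035 2 69 0.0
Se1/5 130.144.65.1 Se1/0 194.130.16.17 11 0035 0035 2 69 0.0
Se1/5 194.178.24.22 Se1/7 146.228.10.11 06 0407 0050 124 40 207.6
Se1/7 146.228.10.11 Se1/6 194.178.24.22 06 0050 0405 648 550 673.4
Et0/2 130.144.65.1 Se1/7 146.228.10.11 01 0000 0800 9000 1500 4.2
"""

# ASSUMED baseline: source prefix -> interfaces where it normally enters.
BASELINE = {
    "130.144.0.0/16": {"Se1/5"},
    "194.178.24.0/24": {"Se1/5"},
    "146.228.0.0/16": {"Se1/7"},
    "194.130.16.0/24": {"Se1/0"},
}

def parse_flows(dump):
    """Yield (src_if, src_ip, packets) for each well-formed data row."""
    for line in dump.splitlines():
        f = line.split()
        if len(f) != 10 or f[0] == "SrcIf":
            continue  # header, blank or truncated line
        try:
            yield f[0], ipaddress.ip_address(f[1]), int(f[7])
        except ValueError:
            continue  # malformed address or count: skip rather than guess

def unexpected_ingress(dump, baseline):
    """Return flows whose source entered on an interface outside its baseline."""
    nets = sorted(((ipaddress.ip_network(p), ifs) for p, ifs in baseline.items()),
                  key=lambda x: x[0].prefixlen, reverse=True)  # longest prefix first
    hits = []
    for src_if, src_ip, pkts in parse_flows(dump):
        for net, ifs in nets:
            if src_ip in net:
                if src_if not in ifs:
                    hits.append((str(src_ip), src_if, sorted(ifs), pkts))
                break  # only the most specific matching prefix decides
    return hits

if __name__ == "__main__":
    for ip, seen, usual, pkts in unexpected_ingress(FLOW_DUMP, BASELINE):
        print(f"{ip} entered on {seen}, usually {usual}, {pkts} packets")
```

Sources with no baseline entry are ignored rather than flagged, so the baseline has to be built from earlier dumps before the comparison means anything.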