North American Network Operators Group


Re: New Denial of Service Attack on Panix

  • From: Craig A. Huegen
  • Date: Tue Sep 17 00:08:29 1996

On Mon, 16 Sep 1996, Paul A Vixie wrote:

==>If Cisco routers had TCPDUMP capability this would be a lot simpler.  If
==>all the routers in the universe had TCPDUMP, and all the router operators
==>had each other's phone numbers, we could track this to the source in less
==>than five minutes.  Alas, the misfit teenagers of the underworld have
==>caught us without any of the tools we need to be able to track this down.

cisco routers do have tcpdump capability.

lab-2503#debug ip packet detail ?
  <1-199>  Access list
  <cr>

You can show all IP packets flowing through the router (with source
address/port/interface, dest address/port/interface, flags, sequence
number, and window size), or limit it based on an access list (which you'd
want to do in case of a very busy router).  Based on the source interface,
you'd trace it to the next link, and go back from there.

The debug output looks like this:

IP: s=172.30.119.242 (Ethernet0), d=204.245.15.11 (BRI0), g=172.30.112.129, len 60, forward
    TCP src=1059, dst=80, seq=74416335, ack=0, win=8192 SYN

Translation:

A packet sourced from 172.30.119.242 came in on Ethernet0 and had a
destination of 204.245.15.11.  The route-table lookup says our next hop is
not directly connected (hence the g=172.30.112.129), so the router sent it
out to 172.30.112.129 via interface BRI0.  It was a TCP packet with a source
port of 1059, destination port of 80, and sequence number 74416335; it
wasn't ACKing any packet, had a window size of 8192 bytes, and had the SYN
flag on.

This helps tremendously in tracking down bogus packets (as long as the
hacker keeps the attack up long enough for you to determine the edge of
the network/the next provider in the attack).

/cah

----
Craig A. Huegen  CCIE #2100                       ||        ||
Network Analyst, IS-Network/Telecom               ||        ||
cisco Systems, Inc., 250 West Tasman Drive       ||||      ||||
San Jose, CA  95134, (408) 526-8104          ..:||||||:..:||||||:..
email: [email protected]                    c i s c o  S y s t e m s
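Added example, not part of the post or of cisco's own tooling: a small Python parser for the two-line "debug ip packet detail" record shown above, which tallies SYN-without-ACK packets aimed at a victim address by the interface they arrived on, i.e. the "based on the source interface, trace it to the next link" step. The sample records, interface names, regexes and function names are constructed assumptions; only the first record is the one quoted in the post.

```python
import re
from collections import Counter

# Field names follow the IOS output quoted in the post: s= source (ingress interface), d= dest (egress interface), g= gateway.
IP_RE = re.compile(
    r"IP: s=(?P<src>[\d.]+) \((?P<in_if>[\w/.]+)\), d=(?P<dst>[\d.]+) \((?P<out_if>[\w/.]+)\)"
    r"(?:, g=(?P<gw>[\d.]+))?, len (?P<len>\d+), (?P<action>\w+)"
)
TCP_RE = re.compile(
    r"TCP src=(?P<sport>\d+), dst=(?P<dport>\d+), seq=(?P<seq>\d+), "
    r"ack=(?P<ack>\d+), win=(?P<win>\d+)(?P<flags>(?: [A-Z]+)*)$"
)

def parse_debug(text):
    """Return one dict per packet; a TCP line right after an IP line is merged in."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    packets = []
    for i, ln in enumerate(lines):
        m = IP_RE.match(ln)
        if not m:
            continue                      # TCP detail lines and other console noise
        pkt = dict(m.groupdict(), flags=[])   # gw is None for directly connected dests
        t = TCP_RE.match(lines[i + 1]) if i + 1 < len(lines) else None
        if t:
            pkt.update(t.groupdict())
            pkt["flags"] = pkt["flags"].split()   # e.g. ["SYN"] or ["ACK", "SYN"]
        packets.append(pkt)
    return packets

def bare_syns_by_ingress(packets, victim):
    """Count SYN-without-ACK packets addressed to victim, keyed by the interface
    they came in on; the interface with the most is the link to trace next."""
    c = Counter()
    for p in packets:
        if p["dst"] == victim and "SYN" in p["flags"] and "ACK" not in p["flags"]:
            c[p["in_if"]] += 1
    return c

# Constructed sample: the post's own record plus three invented ones (Serial1 is assumed).
SAMPLE = """\
IP: s=172.30.119.242 (Ethernet0), d=204.245.15.11 (BRI0), g=172.30.112.129, len 60, forward
    TCP src=1059, dst=80, seq=74416335, ack=0, win=8192 SYN
IP: s=10.9.8.7 (Serial1), d=204.245.15.11 (BRI0), g=172.30.112.129, len 44, forward
    TCP src=2001, dst=25, seq=1, ack=0, win=4096 SYN
IP: s=10.9.8.8 (Serial1), d=204.245.15.11 (BRI0), g=172.30.112.129, len 44, forward
    TCP src=2002, dst=25, seq=2, ack=0, win=4096 SYN
IP: s=192.0.2.5 (Ethernet0), d=204.245.15.11 (BRI0), g=172.30.112.129, len 40, forward
    TCP src=3000, dst=80, seq=99, ack=5, win=8192 ACK
"""
```

Running `bare_syns_by_ingress(parse_debug(SAMPLE), "204.245.15.11")` on the sample yields two bare SYNs on Serial1 and one on Ethernet0, so Serial1 is the link to follow upstream.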