North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: Identifying DoS-attacked IP address(es)

  • From: Livio Ricciulli
  • Date: Mon Dec 16 15:10:26 2002

FYI, we developed a system that sniffs FE,GE,DS3,OC3-48 POS and creates
a model using the cross-product of: 
1) source/destination address distributions 
2) packet rate 
3) protocol

This works very well to detect floods and does not require messing with


-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of
Neil J. McRae
Sent: Monday, December 16, 2002 9:38 AM
To: Andre Chapuis
Cc: Christopher L. Morrow; [email protected]
Subject: Re: Identifying DoS-attacked IP address(es)

Sampled netflow, or look at the traceback stuff in later
IOS 12.0S versions.  Avoid filter lists as the GSR engine cards
have a statically limited number of entries.