North American Network Operators Group


RE: Identifying DoS-attacked IP address(es) Sniffer

  • From: Brennan_Murphy
  • Date: Mon Dec 16 19:27:10 2002

Even though you are asking this question with regard to what can
be done on the router itself, it's worth mentioning, if only for
the archives, a non-router approach to the problem...especially if
you are an enterprise network manager. It's even worth
mentioning despite the fact that I work for a company that provides
said approach.

Some of our enterprise customers place distributed Sniffers on their 
internet links themselves. Upon receiving an alert, they connect to the
and click on Top Ten talkers by bytes (presented in pie/bar chart).
On the left side of the screen are the source/destination pairs
generating the most traffic. Typically, top talkers are the culprits but
sometimes weak DOS attacks can hide among legitimate traffic, which
is why it's occasionally useful to check the Protocol Distribution
window. More sophisticated attacks sometimes require that you take a capture
of traffic and analyse packet level data. If it's a simple DOS, jot down
the IPs involved and call your ISP or upstream provider with a filter.
Near future versions of Sniffer will have IDS capabilities built in.
I've also seen a proof of concept tool that automates the filtering process
based on DDOS data and network thresholds. Obviously, there are lots of
cases where this is a problematic approach, but I was impressed with the
tool's current intelligence...especially traceback analysis and filtering
at ingress.

In any case, Sniffer isn't the only protocol analysis tool. Shop around if
a non-router approach interests you.  
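As an added illustration of the triage described above (top talkers by bytes, then the protocol distribution to catch a weak DOS hiding under legitimate transfers), here is a small Python script that is not from the post or from any Sniffer product; the flow records are constructed sample data and the thresholds are assumptions.

```python
from collections import Counter, defaultdict

# Constructed flow summaries: (src, dst, proto, packets, bytes). They stand in
# for the traffic a sniffer on an internet link would summarise; the
# 198.51.100.9 flow is a constructed small-packet flood (60-byte average)
# whose byte count sits below the legitimate bulk transfers.
FLOWS = [
    ("10.0.0.5", "192.0.2.10", "tcp", 4000, 6_000_000),
    ("10.0.0.7", "192.0.2.10", "tcp", 3000, 4_500_000),
    ("198.51.100.9", "192.0.2.10", "tcp", 20000, 1_200_000),
    ("203.0.113.4", "192.0.2.20", "udp", 15000, 3_000_000),
    ("10.0.0.8", "192.0.2.30", "tcp", 2000, 3_000_000),
]

FIELD = {"packets": 3, "bytes": 4}  # index of each counter in a flow tuple


def top_talkers(flows, n=10, by="bytes"):
    """Source/destination pairs ranked by bytes (the 'Top Ten talkers' view)
    or by packets; a flood of tiny packets ranks high only in the latter."""
    totals = Counter()
    for flow in flows:
        totals[(flow[0], flow[1])] += flow[FIELD[by]]
    return totals.most_common(n)


def protocol_distribution(flows):
    """Bytes and packets per protocol, the 'Protocol Distribution' check."""
    dist = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for _, _, proto, packets, nbytes in flows:
        dist[proto]["packets"] += packets
        dist[proto]["bytes"] += nbytes
    return dict(dist)


def small_packet_sources(flows, max_avg_bytes=100, min_packets=5000):
    """Sources whose average packet size is tiny despite a modest byte count:
    the weak DoS that hides below the bulk transfers. Thresholds are assumed."""
    pkts, byts = Counter(), Counter()
    for src, _, _, packets, nbytes in flows:
        pkts[src] += packets
        byts[src] += nbytes
    flagged = [(src, byts[src] / pkts[src], pkts[src]) for src in pkts
               if pkts[src] >= min_packets and byts[src] / pkts[src] <= max_avg_bytes]
    return sorted(flagged, key=lambda t: -t[2])


if __name__ == "__main__":
    print("top by bytes:  ", top_talkers(FLOWS, 3))
    print("top by packets:", top_talkers(FLOWS, 3, by="packets"))
    print("protocols:     ", protocol_distribution(FLOWS))
    print("small-packet:  ", small_packet_sources(FLOWS))
```

On the sample data the flood source never enters the top three by bytes but leads the ranking by packets and is the only source flagged by average packet size, which is the distinction the post's advice about weak attacks turns on.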

-----Original Message-----
From: Andre Chapuis [mailto:[email protected]]
Sent: Monday, December 16, 2002 9:12 AM
To: [email protected]
Subject: Identifying DoS-attacked IP address(es)

How do you identify a DoS-attacked IP address(es) on your ingress border
router, assuming the latter is a Cisco 12000 ? I used to use ip accounting
but they removed it from the S-code.

Andre Chapuis
IP+ Engineering
Swisscom Ltd
Genfergasse 14
3050 Bern
+41 31 893 89 61
[email protected]
CCIE #6023