Merit Network

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


RE: Identifying DoS-attacked IP address(es)

  • From: Pena, Antonio
  • Date: Mon Dec 16 10:08:23 2002

Hello Andre

The best way we use to identify DoS attacks is measuring and monitoring the packets/second in and out of the backbone circuits. Normally most DoS attacks generate a lot of packets/second. In our case we created an alarm that sends an email and a page each time any of our backbone circuits exceeds 17000 packets/second, and a second alarm when packets exceed 20k, using Intermapper 3.6 and SNMP.

After this, if you are using the Cisco 12000, it is no problem to try to detect the type of traffic using an extended access-list and sending it to logging for 15-20 seconds, and then look for ICMP, UDP and TCP. In our case we found 7 of ten DoS attacks target IPs, and only 10% are coming from known sources; most of the attacks used smurfed sources.


Antonio J. Pena
Senior Manager, Network Engineering
(  /_ _ _  __/_ _ 
|_/(-/ (-_) /(//  
Verestar, inc.
3040 Williams, Dr Suite 100
Fairfax, VA, 22031
Phone (703)206-9000
Direct (571)226-5772
Fax (703) 573-3522

-----Original Message-----
From: Andre Chapuis []
Sent: Monday, December 16, 2002 9:12 AM
Subject: Identifying DoS-attacked IP address(es)

How do you identify a DoS-attacked IP address(es) on your ingress border router, assuming the latter is a Cisco 12000? I used to use ip accounting but they removed it from the S-code.

Andre Chapuis
IP+ Engineering
Swisscom Ltd
Genfergasse 14
3050 Bern
+41 31 893 89 61
CCIE #6023
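
The second step described in the reply above (log an extended access-list for 15-20 seconds, then look at ICMP, UDP and TCP) comes down to tallying the logged packets by destination. The following is an added example, not code from the thread: the log lines are constructed in the style of IOS `%SEC-6-IPACCESSLOGP` / `%SEC-6-IPACCESSLOGDP` messages, and the function names and the 50% share threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in the style of IOS %SEC-6-IPACCESSLOG* messages
# (documentation addresses, not captured from a real router).
SAMPLE_LOG = """\
%SEC-6-IPACCESSLOGP: list 199 permitted udp 192.0.2.10(1025) -> 198.51.100.7(53), 412 packets
%SEC-6-IPACCESSLOGP: list 199 permitted udp 192.0.2.77(4444) -> 198.51.100.7(53), 388 packets
%SEC-6-IPACCESSLOGDP: list 199 permitted icmp 203.0.113.5 -> 198.51.100.7 (0/0), 951 packets
%SEC-6-IPACCESSLOGP: list 199 permitted tcp 192.0.2.31(3320) -> 198.51.100.20(80), 1 packet
%SEC-6-IPACCESSLOGDP: list 199 permitted icmp 203.0.113.9 -> 198.51.100.7 (0/0), 1204 packets
%SEC-6-IPACCESSLOGP: list 199 permitted tcp 192.0.2.40(2211) -> 198.51.100.21(25), 3 packets
%LINK-3-UPDOWN: Interface POS1/0, changed state to up
"""

LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w*: list \S+ (?:permitted|denied) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\(\d+\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\(\d+\))?.*?, (?P<count>\d+) packets?"
)

def tally(log_text):
    """Sum logged packets per destination and per (destination, protocol)."""
    per_dst, per_dst_proto, sources = Counter(), Counter(), {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip messages that are not ACL log hits
        n = int(m["count"])
        per_dst[m["dst"]] += n
        per_dst_proto[(m["dst"], m["proto"])] += n
        sources.setdefault(m["dst"], set()).add(m["src"])
    return per_dst, per_dst_proto, sources

def likely_targets(log_text, share=0.5):
    """Destinations that received more than `share` of all logged packets
    (the threshold is an assumption; tune it to the circuit's normal mix)."""
    per_dst, per_dst_proto, sources = tally(log_text)
    total = sum(per_dst.values())
    found = []
    for dst, n in per_dst.most_common():
        if total and n / total > share:
            protos = {p: c for (d, p), c in per_dst_proto.items() if d == dst}
            found.append({"dst": dst, "packets": n, "protocols": protos,
                          "sources": len(sources[dst])})
    return found

if __name__ == "__main__":
    print(likely_targets(SAMPLE_LOG))
```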
