
Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: Identifying DoS-attacked IP address(es)

  • From: Christopher L. Morrow
  • Date: Mon Dec 16 11:49:06 2002


On Mon, 16 Dec 2002, Andre Chapuis wrote:

> Chris,
> I often see the input-interface load is 100%.
> André

Ok, check the link Barry sent, there is some good info there... Input from
the customer is 100%? If this is the case the customer can tell you what
is being attacked, no? :)

Alternately, you can trim down what you log by first filtering like this:

! One permit entry per protocol, so the per-entry hit counters in
! "show access-list 100" reveal which protocol is being flooded.
access-list 100 permit tcp any any
access-list 100 permit icmp any any
access-list 100 permit udp any any
access-list 100 permit ip any any

! Apply it inbound on the customer-facing interface ("blah1/1" is a placeholder).
interface blah1/1
 ip access-group 100 in

Check the counters to see what protocol is being flooded, then just log or
drop it, your choice. A 12000 puts all logging functionality on the line
card CPU, not the GRP CPU so the worst you'll do is overload the linecard
CPU and drop some packets on the other interfaces of that linecard
(only while you are logging that is)... So long as you don't log for an
extended period of time no one should notice, and you'll get the info you
require. Keep in mind how the syslog functions on a cisco: One entry for
an acl match then 5 min packet count updates to that if the matches are
the same. This means if hostA is udp flooding hostB on distinct ports only
one log entry will be seen for the first 5 mins, OR until you remove the
acl which clears out the log entries :) So, sometimes if nothing stands
out as being flooded you can remove the acl see a new log entry with
700000 packets matched :)

>
> At 16:35 16.12.2002 +0000, Christopher L. Morrow wrote:
>
> >On Mon, 16 Dec 2002, Andre Chapuis wrote:
> >
> >>
> >> Hi,
> >> How do you identify a DoS-attacked IP address(es) on your ingress border router, assuming the latter is a Cisco 12000 ? I used to use ip accounting but they removed it from the S-code.
> >
> >What info do you have when you are trying to accomplish this mission?
> >
> >> Thanks,
> >> André
> >>
> >>
> >> ---------------------
> >> Andre Chapuis
> >> IP+ Engineering
> >> Swisscom Ltd
> >> Genfergasse 14
> >> 3050 Bern
> >> +41 31 893 89 61
> >> chapuis@ip-plus.net
> >> CCIE #6023
> >> ----------------------
> >>
>
> ---------------------
> Andre Chapuis
> IP+ Engineering
> Swisscom Ltd
> Genfergasse 14
> 3050 Bern
> +41 31 893 89 61
> chapuis@ip-plus.net
> CCIE #6023
> ----------------------
>
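Added example, not part of the thread: a small parser that aggregates the ACL log entries Chris describes (the first hit logged as "1 packet", then the 5-minute count updates) per protocol and destination, so the attacked address stands out. The log line shape is the IOS %SEC-6-IPACCESSLOGP / IPACCESSLOGDP format as assumed here, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not from the post) in the assumed IOS
# IPACCESSLOGP/IPACCESSLOGDP shape: first hit "1 packet", then the 5-minute
# update carrying the packets matched since the previous entry.
SAMPLE_LOG = """\
Dec 16 11:40:01: %SEC-6-IPACCESSLOGP: list 100 permitted udp 198.51.100.7(40001) -> 192.0.2.10(53), 1 packet
Dec 16 11:40:02: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 203.0.113.9(51234) -> 192.0.2.20(80), 1 packet
Dec 16 11:40:03: %SEC-6-IPACCESSLOGDP: list 100 permitted icmp 203.0.113.44 -> 192.0.2.20 (8/0), 1 packet
Dec 16 11:45:01: %SEC-6-IPACCESSLOGP: list 100 permitted udp 198.51.100.7(40001) -> 192.0.2.10(53), 700000 packets
Dec 16 11:45:02: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 203.0.113.9(51234) -> 192.0.2.20(80), 312 packets
Dec 16 11:45:03: %SEC-6-IPACCESSLOGDP: list 100 permitted icmp 203.0.113.44 -> 192.0.2.20 (8/0), 40 packets
"""

# Ports "(53)" and ICMP type/code "(8/0)" are optional so tcp/udp and icmp lines both match.
LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>\d+\.\d+\.\d+\.\d+)(?:\(\d+\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\(\d+\))?(?: \(\d+/\d+\))?, "
    r"(?P<count>\d+) packets?"
)


def parse_acl_log(text):
    """Yield (proto, src, dst, count) for every ACL log line that matches."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["proto"], m["src"], m["dst"], int(m["count"])


def packets_per_destination(text):
    """Sum matched packets per (proto, dst): the first hit plus every later update."""
    totals = defaultdict(int)
    for proto, _src, dst, count in parse_acl_log(text):
        totals[(proto, dst)] += count
    return dict(totals)


def suspected_targets(text, threshold=100000):
    """Return [(dst, proto, total)] above threshold, largest volume first."""
    ranked = sorted(packets_per_destination(text).items(),
                    key=lambda kv: kv[1], reverse=True)
    return [(dst, proto, n) for (proto, dst), n in ranked if n >= threshold]


if __name__ == "__main__":
    for dst, proto, n in suspected_targets(SAMPLE_LOG):
        print(f"{dst} {proto} {n} packets")
```

Feed it the syslog captured while the ACL is applied; because removing the ACL flushes the pending counts, capture the final update before pulling the list.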
