Ping flooding (fwd)
Per Gregers Bilse
bilse at EU.net
Tue Jul 9 19:07:42 UTC 1996
On Jul 9, 14:21, Curtis Villamizar <curtis at ans.net> wrote:
> The NSS routers allow us to do statistical sampling continuously and
> the occurrence of a source address at an entry point where it does not
> usually enter can be detected and has in the past been used to
> follow up these sort of attacks after the fact. Other routers are not
> capable of doing this but if the offense is repeated, successive
> monitoring can be set up until the source is isolated.
>
> We have requested the same sort of statistical sampling from Cisco and
> Bay (and BNR/NSC). It is a long ways back on the development schedule
Maybe I'm missing something, but flow switching stats from Ciscos
should do exactly this:
SrcIf  SrcIPaddress   DstIf  DstIPaddress    Pr DstP SrcP  Pkts B/Pk Active
Se1/0  194.130.16.17  Se1/6  130.144.65.1    11 0035 0035     2   69    0.0
Et0/2  193.122.198.1  Se1/1  128.218.14.87   06 0050 0FA3     2   40    0.0
Se1/5  130.144.65.1   Se1/0  194.130.16.17   11 0035 0035     2   69    0.0
Se1/1  153.36.40.52   Et0/1  193.74.242.1    06 0413 0050     4   44    9.6
Se1/5  194.178.24.22  Se1/7  146.228.10.11   06 0407 0050   124   40  207.6
Se1/7  146.228.10.11  Se1/6  194.178.24.22   06 0050 0405   648  550  673.4
Se1/5  194.165.95.69  Se1/0  205.216.146.69  06 0430 0050     5  164    6.2
etc, etc. Dump, then grep.
--
------ ___ --- Per G. Bilse, Mgr Network Operations Ctr
----- / / / __ ___ _/_ ---- EUnet Communications Services B.V.
---- /--- / / / / /__/ / ----- Singel 540, 1017 AZ Amsterdam, NL
--- /___ /__/ / / /__ / ------ tel: +31 20 6233803, fax: +31 20 6224657
--- ------- 24hr emergency number: +31 20 421 0865
--- Connecting Europe since 1982 --- http://www.EU.net e-mail: bilse at EU.net
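
Added example (not part of the original message): one way to do the "dump, then grep" step for the entry-point check discussed above, by parsing a flow-cache dump in the quoted column layout and flagging source addresses that arrive on an interface other than their usual one. The baseline table, the function names and the last sample row are assumptions constructed for illustration.

```python
import ipaddress

# Flow-cache dump in the column layout quoted in the message above.
# First three data rows are from the message; the last row is constructed.
SAMPLE_DUMP = """\
SrcIf SrcIPaddress DstIf DstIPaddress Pr DstP SrcP Pkts B/Pk Active
Se1/0 194.130.16.17 Se1/6 130.144.65.1 11 0035 0035 2 69 0.0
Se1/5 130.144.65.1 Se1/0 194.130.16.17 11 0035 0035 2 69 0.0
Se1/5 194.178.24.22 Se1/7 146.228.10.11 06 0407 0050 124 40 207.6
Et0/2 130.144.65.1 Se1/7 146.228.10.11 01 0000 0000 9000 1028 12.0
"""

# Constructed baseline: interfaces where each source prefix normally enters.
BASELINE = {"130.144.0.0/16": {"Se1/5"}, "194.178.24.0/24": {"Se1/5"}}

def parse_flows(dump):
    """Parse dump rows into dicts; Pr and the ports are hex in this layout."""
    flows = []
    for line in dump.splitlines():
        f = line.split()
        if len(f) != 10 or f[0] == "SrcIf":
            continue  # header, blank or truncated line
        try:
            flows.append({
                "src_if": f[0], "src": ipaddress.ip_address(f[1]),
                "dst_if": f[2], "dst": ipaddress.ip_address(f[3]),
                "proto": int(f[4], 16), "dst_port": int(f[5], 16),
                "src_port": int(f[6], 16), "pkts": int(f[7]),
            })
        except ValueError:
            continue  # not a flow row
    return flows

def unexpected_ingress(flows, baseline):
    """Return flows whose source prefix is in the baseline but entered elsewhere."""
    nets = sorted(((ipaddress.ip_network(p), ifs) for p, ifs in baseline.items()),
                  key=lambda n: n[0].prefixlen, reverse=True)
    hits = []
    for fl in flows:
        for net, ifs in nets:
            if fl["src"] in net:  # longest matching prefix decides
                if fl["src_if"] not in ifs:
                    hits.append(fl)
                break
    return hits

if __name__ == "__main__":
    for fl in unexpected_ingress(parse_flows(SAMPLE_DUMP), BASELINE):
        print(fl["src_if"], fl["src"], "proto", fl["proto"], "pkts", fl["pkts"])
```

Sources that match no baseline prefix are not flagged, so the check only covers prefixes whose normal entry point is already known.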