New Denial of Service Attack on Panix

Jonathan Heiliger loco at isi.net
Tue Sep 17 06:51:43 UTC 1996


On Mon, 16 Sep 1996, Craig A. Huegen wrote:

|} Paul is correct; I left out the caveat that you have to go "hunting"
|} once you get to a multi-access media network. 

I've already tossed most of the messages from this thread, but someone
mentioned using Cisco's flow statistics to track the attacker.  Mark even
offered the URL to an analysis toolkit he's been working on. 

After using either flow or accounting data to track down the attacker,
further flow data can be extracted to provide next hop and/or AS_path
information.  AS_path could direct you to the final ISP or organization in
the path of the network address.  (This doesn't take into account if the
attacker has hacked an account, etc. :)  This should severely limit the
ammunition required to go hunting, but it does have the requirement of
using Cisco's NetFlow feature(s).

|} However, a good tool at this point becomes the monitor option/port
|} found on certain switches which will redirect traffic bound for a
|} certain port to also appear on the monitor port for sniffing. I don't
|} know if the GIGAswitches have such a monitoring option or port; if so,
|} cooperation from the various IXP operators would be a great help in
|} determining the hop. 

I don't recall if the Gigaswitch supports this or not (a scan of the
"Manager's Guide" doesn't mention anything), but even if it did, each
port would have to be replicated independently, eating a lot of the IXP
operators' time.


Jonathan Heiliger               \|/ _____ \|/           I    S    I 
VP, Research & Development       @~/ . . \~@       Internet Systems, Inc. 
________________________________/_( \___/ )_\____________________________
                                   \__U__/   
E-Mail: loco at isi.net                                  Phone: 415.943.2915
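
An added illustration of the flow-based tracing discussed in the message above; it is not part of the original post or of the toolkit it mentions. It ranks the router input interfaces carrying SYN-only TCP flows toward a victim address, assuming the flow records were already exported to CSV under NetFlow v5 field names; the column layout, addresses and AS numbers are constructed for the example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: flow records exported as CSV, using NetFlow v5 field names.
# Addresses are from documentation ranges; AS numbers are private-use values.
SAMPLE_FLOWS = """srcaddr,dstaddr,prot,tcp_flags,input,src_as,dpkts
203.0.113.7,198.51.100.10,6,2,3,64512,1
203.0.113.91,198.51.100.10,6,2,3,64512,1
192.0.2.44,198.51.100.10,6,2,3,64513,1
192.0.2.200,198.51.100.10,6,2,3,64513,1
203.0.113.15,198.51.100.10,6,2,5,64512,1
192.0.2.9,198.51.100.10,6,27,5,64513,40
192.0.2.9,198.51.100.77,6,2,3,64513,1
"""

TCP, SYN = 6, 0x02

def rank_ingress(flow_csv, victim):
    """Group SYN-only TCP flows toward `victim` by input interface.

    Returns a list of dicts sorted by packet count, largest first.
    """
    stats = defaultdict(lambda: {"packets": 0, "sources": set(), "src_as": set()})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["dstaddr"] != victim or int(row["prot"]) != TCP:
            continue
        # tcp_flags is the OR of all flags seen in the flow; a flow that never
        # got past the first SYN has exactly the SYN bit set.
        if int(row["tcp_flags"]) != SYN:
            continue
        entry = stats[int(row["input"])]
        entry["packets"] += int(row["dpkts"])
        entry["sources"].add(row["srcaddr"])
        entry["src_as"].add(int(row["src_as"]))
    ranked = [
        {"input": ifindex, "packets": e["packets"],
         "distinct_sources": len(e["sources"]), "src_as": sorted(e["src_as"])}
        for ifindex, e in stats.items()
    ]
    return sorted(ranked, key=lambda r: r["packets"], reverse=True)

if __name__ == "__main__":
    for r in rank_ingress(SAMPLE_FLOWS, "198.51.100.10"):
        print(r)
```

The input interface is recorded by the router itself, whereas the source AS is looked up from the source address in the packet, so many distinct sources and several source ASes on one interface point to the interface as the more reliable lead for the next hop upstream.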







More information about the NANOG mailing list