So.. you want to track some DoS traffic?

Christopher L. Morrow chris at UU.NET
Sun Jul 1 21:34:06 UTC 2001


First off, everyone already should know that these views are mine, not
UUNET/WCOM/UUcom's... 

Ok, with the recent craziness on NANOG about DoS Attacks, spoofed packets,
tracking attacks and other DoS related junk I figured I'd post out a
quicky tracking method that does NOT require hop-by-hop tracking.  This
method works with pretty much all spoofed attacks (synfloods/smurfs for
instance).

A brief overview of the method would be: "Track the attack from the after
effect of the attack, not the attack itself"

A link to the details, which includes cut/paste router config bits for
Cisco and Juniper routers. I'd include other router vendor cut/paste but I
only had time to figure out the two included... if someone wants to post
proper other configs (verified hopefully) I'll add them in also.

Link: http://www.secsup.org/Tracking/

Credit: Credit should go to those listed in the link, UUNET's TAC-Eng
group, UUNET's Net-Sec group, UUNET's Customer Router Security Group,
dies at pulltheplug.com and a few others I have forgotten.

The goal of posting this info out to NANOG is to get other backbones to
implement this so attacks can be traced in less time and with less effort
by all parties. I can successfully track an attack across my backbone in
under 2 minutes with this method where the hop-by-hop has taken me over 8
hours in extreme circumstances (as Paul Vixie can attest since he waited
on the call while I did it).

Suggestions for improvement or deletions to these procedures would be
welcome as well. 

Thanks,

--Chris
(chris at uu.net)
