Identifying DoS-attacked IP address(es)

Christopher L. Morrow chris at UU.NET
Mon Dec 16 16:46:40 UTC 2002



On Mon, 16 Dec 2002, Andre Chapuis wrote:

> Chris,
> I often see the input-interface load is 100%.
> André

Ok, check the link Barry sent, there is some good info there... Input from
the customer is 100%? If this is the case, the customer can tell you what
is being attacked, no? :)

Alternately, you can trim down what you log by first filtering like this:

! One entry per protocol so the per-entry match counters show which
! protocol is being flooded; add "log" to the entry of interest once known
access-list 100 permit tcp any any
access-list 100 permit icmp any any
access-list 100 permit udp any any
access-list 100 permit ip any any
!
! Apply inbound on the customer-facing interface (interface name is a placeholder)
interface blah1/1
 ip access-group 100 in

Check the counters to see what protocol is being flooded, then just log or
drop it, your choice. A 12000 puts all logging functionality on the line
card CPU, not the GRP CPU, so the worst you'll do is overload the linecard
CPU and drop some packets on the other interfaces of that linecard
(only while you are logging, that is)... So long as you don't log for an
extended period of time, no one should notice, and you'll get the info you
require. Keep in mind how the syslog functions on a Cisco: one entry for
an ACL match, then 5 min packet count updates to that if the matches are
the same. This means if hostA is UDP flooding hostB on distinct ports only
one log entry will be seen for the first 5 mins, OR until you remove the
ACL, which clears out the log entries :) So, sometimes if nothing stands
out as being flooded you can remove the ACL and see a new log entry with
700000 packets matched :)

>
> At 16:35 16.12.2002 +0000, Christopher L. Morrow wrote:
>
> >On Mon, 16 Dec 2002, Andre Chapuis wrote:
> >
> >>
> >> Hi,
> >> How do you identify a DoS-attacked IP address(es) on your ingress border router, assuming the latter is a Cisco 12000 ? I used to use ip accounting but they removed it from the S-code.
> >
> >What info do you have when you are trying to accomplish this mission?
> >
> >> Thanks,
> >> André
> >>
> >>
> >> ---------------------
> >> Andre Chapuis
> >> IP+ Engineering
> >> Swisscom Ltd
> >> Genfergasse 14
> >> 3050 Bern
> >> +41 31 893 89 61
> >> chapuis at ip-plus.net
> >> CCIE #6023
> >> ----------------------
> >>
>
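To make the identification step above concrete, here is an added example (not code from Chris's post or from Cisco) in Python that parses Cisco IOS ACL log lines of the %SEC-6-IPACCESSLOGP form and rolls the reported packet counts up per destination address, so a flood spread over many destination ports still collapses onto one victim. The log lines and addresses are constructed, and it assumes each 5-minute update line reports the packets matched since the previous report for that entry.

```python
import re
from collections import defaultdict

# Constructed sample of Cisco IOS ACL log output (not from the original post).
# The first match on an ACL entry logs "1 packet"; at 5-minute intervals a
# further line reports the packets matched since the previous report.
SAMPLE_LOG = """\
Dec 16 16:40:01: %SEC-6-IPACCESSLOGP: list 100 permitted udp 198.51.100.7(1025) -> 203.0.113.10(53), 1 packet
Dec 16 16:40:03: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 198.51.100.9(4455) -> 203.0.113.22(80), 1 packet
Dec 16 16:45:01: %SEC-6-IPACCESSLOGP: list 100 permitted udp 198.51.100.7(1025) -> 203.0.113.10(53), 700000 packets
Dec 16 16:45:03: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 198.51.100.9(4455) -> 203.0.113.22(80), 120 packets
Dec 16 16:45:05: %SEC-6-IPACCESSLOGDP: list 100 permitted icmp 198.51.100.3 -> 203.0.113.10 (8/0), 1 packet
"""

# Matches the TCP/UDP form (ports in parentheses) and the ICMP form (type/code
# after the destination); the count may read "1 packet" or "N packets".
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>\d+\.\d+\.\d+\.\d+)(?:\(\d+\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\(\d+\))?(?: \(\d+/\d+\))?, (?P<count>\d+) packets?"
)


def parse_acl_log(text):
    """Yield (proto, src, dst, count) for each ACL log line that parses."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m["proto"], m["src"], m["dst"], int(m["count"])


def packets_per_destination(text):
    """Sum reported packets by destination IP, ignoring ports and protocol."""
    totals = defaultdict(int)
    for _proto, _src, dst, count in parse_acl_log(text):
        totals[dst] += count
    return dict(totals)


def top_targets(text, n=3):
    """Destinations ranked by packet count; the first entry is the likely victim."""
    totals = packets_per_destination(text)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    for dst, count in top_targets(SAMPLE_LOG):
        print(f"{dst:16} {count:>8} packets")
```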