Identifying DoS-attacked IP address(es)
Christopher L. Morrow
chris at UU.NET
Mon Dec 16 21:17:07 UTC 2002
On Mon, 16 Dec 2002, Livio Ricciulli wrote:
> FYI, we developed a system that sniffs FE,GE,DS3,OC3-48 POS and creates
> a model using the cross-product of:
> 1) source/destination address distributions
> 2) packet rate
> 3) protocol

But I can't field deploy this 2 continents away at 4am with 10 mins
notice...

>
> This works very well to detect floods and does not require messing with
> routers..
>
> Livio.
>
> -----Original Message-----
> From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of
> Neil J. McRae
> Sent: Monday, December 16, 2002 9:38 AM
> To: Andre Chapuis
> Cc: Christopher L. Morrow; nanog at nanog.org
> Subject: Re: Identifying DoS-attacked IP address(es)
>
>
> Sampled netflow, or look at the traceback stuff in later
> IOS 12.0S versions. Avoid filter lists as the GSR engine cards
> have a statically limited number of entries.
>
> Regards,
> Neil.
>
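
Added example, not part of the thread and not any poster's code: a minimal sketch of identifying a flooded destination from sampled flow records, grouping by destination and protocol and looking at estimated packet rate and source address distribution, the three dimensions named above. The record layout, sampling rate, window length, threshold and all addresses are assumptions constructed for illustration.

```python
import math
from collections import defaultdict

SAMPLING_RATE = 100     # assumed 1-in-N packet sampling on the exporter
WINDOW_SECONDS = 60     # assumed length of the collection window
PPS_THRESHOLD = 10_000  # assumed alert threshold; tune to the network's baseline

def build_sample_flows():
    """Constructed records: (src, dst, protocol, sampled_packets)."""
    flows = [
        ("198.51.100.7", "192.0.2.10", "tcp", 40),
        ("198.51.100.8", "192.0.2.11", "udp", 25),
        ("198.51.100.9", "192.0.2.10", "tcp", 35),
    ]
    # Constructed flood: 200 distinct sources, one destination, UDP.
    for i in range(1, 201):
        flows.append((f"203.0.113.{i}", "192.0.2.50", "udp", 50))
    return flows

def source_entropy(per_source):
    """Shannon entropy (bits) of the packet share per source address."""
    total = sum(per_source.values())
    return -sum((c / total) * math.log2(c / total) for c in per_source.values())

def find_flood_targets(flows, sampling_rate=SAMPLING_RATE,
                       window=WINDOW_SECONDS, threshold=PPS_THRESHOLD):
    # (dst, protocol) -> src -> sampled packet count
    buckets = defaultdict(lambda: defaultdict(int))
    for src, dst, proto, pkts in flows:
        buckets[(dst, proto)][src] += pkts
    alerts = []
    for (dst, proto), per_source in buckets.items():
        # Scale sampled counts back up to an estimated real packet rate.
        est_pps = sum(per_source.values()) * sampling_rate / window
        if est_pps >= threshold:
            alerts.append({
                "dst": dst,
                "proto": proto,
                "est_pps": round(est_pps),
                "sources": len(per_source),
                "src_entropy_bits": round(source_entropy(per_source), 2),
            })
    return sorted(alerts, key=lambda a: a["est_pps"], reverse=True)

if __name__ == "__main__":
    for alert in find_flood_targets(build_sample_flows()):
        print(alert)
```

High source entropy next to a high estimated rate points at a distributed or spoofed-source flood toward that destination; a single dominant source gives entropy near zero.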