Identifying DoS-attacked IP address(es) Sniffer

Brennan_Murphy at NAI.com
Tue Dec 17 00:29:12 UTC 2002


Even though you are asking this question with regard to what can
be done on the router itself, it's worth mentioning, if only for
the archives, a non-router approach to the problem...especially if
you are an enterprise network manager. It's even worth
mentioning despite the fact that I work for a company that provides
said approach.

Some of our enterprise customers place distributed Sniffers on their
internet links themselves. Upon receiving an alert, they connect to the
Sniffer and click on Top Ten talkers by bytes (presented in pie/bar chart).
On the left side of the screen are the source/destination pairs
generating the most traffic. Typically, top talkers are the culprits but
sometimes weak DOS attacks can hide among legitimate traffic, which
is why it's occasionally useful to check the Protocol Distribution
window. More sophisticated attacks sometimes require that you take a capture
of traffic and analyse packet level data. If it's a simple DOS, jot down
the IPs involved and call your ISP or upstream provider with a filter
request.
Near future versions of Sniffer will have IDS capabilities built in.
I've also seen a proof of concept tool that automates the filtering process
based on DDOS data and network thresholds. Obviously, there are lots of
cases where this is a problematic approach but I was impressed with the
tool's current intelligence...especially traceback analysis and filtering
at ingress.

In any case, Sniffer isn't the only protocol analysis tool. Shop around if
a non-router approach interests you.  



-----Original Message-----
From: Andre Chapuis [mailto:chapuis at ip-plus.net]
Sent: Monday, December 16, 2002 9:12 AM
To: nanog at nanog.org
Subject: Identifying DoS-attacked IP address(es)



Hi,
How do you identify a DoS-attacked IP address(es) on your ingress border
router, assuming the latter is a Cisco 12000 ? I used to use ip accounting
but they removed it from the S-code.
Thanks,
André


---------------------
Andre Chapuis
IP+ Engineering
Swisscom Ltd
Genfergasse 14
3050 Bern
+41 31 893 89 61
chapuis at ip-plus.net
CCIE #6023
----------------------
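The two views the reply above relies on, top talkers by bytes per source/destination pair and the protocol distribution that exposes a weak flood hiding under legitimate traffic, can be reproduced over exported flow records. The script below is an added example written for this archive page; it is not Sniffer code or anything from the original posts, and the flow records, the baseline protocol mix and the x5 deviation factor are constructed assumptions.

```python
from collections import Counter

# Constructed sample flow records (src, dst, proto, bytes) for a border link.
# Not taken from the posts above; values chosen so an ICMP flood towards
# 192.0.2.20 is spread over three sources and never tops the talkers list.
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.10", "TCP", 900_000),
    ("10.0.0.6", "192.0.2.10", "TCP", 850_000),
    ("198.51.100.7", "192.0.2.20", "ICMP", 120_000),
    ("198.51.100.8", "192.0.2.20", "ICMP", 110_000),
    ("198.51.100.9", "192.0.2.20", "ICMP", 115_000),
    ("10.0.0.7", "192.0.2.30", "UDP", 40_000),
]

# Assumed normal byte share per protocol on this link (would come from history).
BASELINE_SHARE = {"TCP": 0.90, "UDP": 0.08, "ICMP": 0.02}


def top_talkers(flows, n=10):
    """Bytes per (src, dst) pair, largest first: the 'Top Ten talkers' view."""
    pairs = Counter()
    for src, dst, _proto, nbytes in flows:
        pairs[(src, dst)] += nbytes
    return pairs.most_common(n)


def protocol_distribution(flows):
    """Share of total bytes per protocol: the 'Protocol Distribution' view."""
    per_proto = Counter()
    for _src, _dst, proto, nbytes in flows:
        per_proto[proto] += nbytes
    total = sum(per_proto.values())
    return {proto: nbytes / total for proto, nbytes in per_proto.items()}


def suspect_destinations(flows, baseline=BASELINE_SHARE, factor=5.0):
    """Destinations receiving a protocol whose byte share is far above baseline.

    This is the check for a weak DoS that top_talkers() misses because the
    attack bytes are split across many source addresses.
    """
    dist = protocol_distribution(flows)
    hot = {p for p, share in dist.items() if share > factor * baseline.get(p, 0.0)}
    dst_bytes = Counter()
    for _src, dst, proto, nbytes in flows:
        if proto in hot:
            dst_bytes[dst] += nbytes
    return dst_bytes.most_common()


if __name__ == "__main__":
    print("top talkers:", top_talkers(SAMPLE_FLOWS, 3))
    print("suspect destinations:", suspect_destinations(SAMPLE_FLOWS))
```

With the sample data the talkers list is headed by the legitimate TCP pairs to 192.0.2.10, while the protocol check singles out 192.0.2.20 as the ICMP-flooded address to hand to the upstream provider for a filter.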