Identifying DoS sources quickly (was: Bogon list or Dshield.org type list)

Hank Nussbacher hank at att.net.il
Tue Jul 30 15:46:56 UTC 2002


On Tue, 30 Jul 2002 michael.dillon at radianz.com wrote:

> That's the obvious solution to the problem if the problem is how to track
> down the source(s) of a DoS attack. However, in any DoS attack, there is
> always a victim and one or more devices sending attack traffic to the
> victim. The owners of the attacking devices are accessories to the crime
> although I'm sure they could plead ignorance and avoid any liability. But
> what if they could not plead ignorance? What if we could identify some of
> the attacking devices, and what if the victim sent a legal "cease and
> desist" letter to the owners of the attacking devices? Now, the victim is
> in a position to sue the owners of these attacking devices if they don't
> fix the problem by securing their machines. And once this happens and gets
> some press coverage, a whole bunch of other machine owners will wake up
> and realize that they could be stuck with big legal bills if they don't
> secure their machines.
> 
> So, to restate the problem, how do we identify some of the sources of a
> DoS attack quickly, maybe even while the attack is still in progress?

Not a complete solution but a start:
IP Source Tracker:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s21/ipst.htm

Available as of 12.0(22)S for 7500 and 12000 series Cisco routers.

-Hank






