DOS attack tracing

Will Yardley nanog at veggiechinese.net
Tue May 10 00:10:00 UTC 2005


On Mon, May 09, 2005 at 01:35:06PM -1000, Richard wrote:

> We recently experienced several DOS attacks which drove our backbone
> routers CPU to 100%. The routers are not under attack, but the
> router just couldn't handle the traffic. There is a plan to upgrade
> these routers.

What kind of routers? We had problems like this with Cisco 7206VXRs
with NPE-300s at my last job because they just couldn't handle the
high volume of packets-per-second from certain types of attack.

> One criterion is the ability to track which IP address is under
> attack and blackhole the traffic quickly. Anyone can share your
> experience of what kind of router is capable of doing this?

Disclaimer: I'm not an expert on this stuff, and it's possible
(likely) that others on the list may have some other and / or better
suggestions.

Generally, I've seen this done by exporting flow data to another box,
and then analyzing this data. I've used ehnt (extremely happy netflow
tool) (http://ehnt.sourceforge.net/) to capture the flow data and
export it to an easily machine-parsable feed, then used a Perl script
to capture information on the top source / destination addresses. If
there's interest, I could see whether it's possible to get this code
and put it up somewhere (on an as-is basis) - the code was written by
Kenytt Avery at Willing Minds (willingminds.com).

We were keeping an ongoing log of such data, in case the router itself
took a crap.

On a Cisco router, you can also look at the raw cache flow data (sh ip
cache flow), which has some summary data at the top, and then data on
each flow. By rshing into the device and capturing this output, you have
access to some other data to futz around with in some sort of script.

So I'm not sure if there are any vendors which make it easy to figure
this out while logged into the device itself (or whether this is a
practical thing to do at all or something vendors are working on
implementing), but it is possible to do using tools like netflow.

w
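Added example, not code from the original post and not the Perl script by Kenytt Avery that Will mentions: a Python script that does the same top-talker aggregation over the per-flow section of a captured "show ip cache flow" output (the same logic applies to a machine-parsable feed from a flow collector such as ehnt). It identifies the destination address absorbing most of the packets, profiles the attack (share of total packets, number of distinct sources, dominant protocol/port), and prints the standard IOS Null0 discard route for that address. The flow table is constructed for the example, and the 50% share threshold and the function names (parse_cache_flow, find_victim, attack_profile, blackhole_route) are my own choices, not anything from the post.

```python
"""Top-talker analysis over Cisco 'show ip cache flow' rows (added example).

The flow table in SAMPLE is constructed for this example; it is not output
captured from any real router.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of 'show ip cache flow' output.  IOS prints the
# protocol (Pr) and ports (SrcP, DstP) in hex and the packet count in decimal.
SAMPLE = """\
IP packet size distribution (53204 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .812 .102 .031 .020 .010 .005 .005 .003 .002 .002 .002 .002 .001 .001

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi0/1         198.51.100.7    Gi0/2         192.0.2.10      11 0035 0035  18000
Gi0/1         198.51.100.9    Gi0/2         192.0.2.10      11 0035 0035  17500
Gi0/1         203.0.113.44    Gi0/2         192.0.2.10      06 C01A 0050  12000
Gi0/1         203.0.113.45    Gi0/2         192.0.2.10      06 C01B 0050   4000
Gi0/1         203.0.113.2     Gi0/2         192.0.2.20      06 A1F3 0050    900
Gi0/2         192.0.2.20      Gi0/1         203.0.113.2     06 0050 A1F3    800
Gi0/1         198.51.100.30   Gi0/2         192.0.2.30      01 0000 0800      4
"""


@dataclass(frozen=True)
class Flow:
    src_if: str
    src: str
    dst_if: str
    dst: str
    proto: int   # IP protocol number (6 TCP, 17 UDP, 1 ICMP)
    sport: int
    dport: int
    pkts: int


def parse_cache_flow(text: str) -> List[Flow]:
    """Return the per-flow rows; everything before the 'SrcIf' header is skipped."""
    flows: List[Flow] = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("SrcIf"):
            in_table = True          # header row of the flow table
            continue
        if not in_table:
            continue                 # summary/statistics section
        f = line.split()
        if len(f) != 8:
            continue                 # blank line or trailing summary
        flows.append(Flow(f[0], f[1], f[2], f[3],
                          int(f[4], 16), int(f[5], 16), int(f[6], 16), int(f[7])))
    return flows


def top_destinations(flows: List[Flow], n: int = 3) -> List[Tuple[str, int]]:
    """Destination addresses ranked by total packets received."""
    c: Counter = Counter()
    for fl in flows:
        c[fl.dst] += fl.pkts
    return c.most_common(n)


def top_sources(flows: List[Flow], n: int = 3) -> List[Tuple[str, int]]:
    """Source addresses ranked by total packets sent."""
    c: Counter = Counter()
    for fl in flows:
        c[fl.src] += fl.pkts
    return c.most_common(n)


def find_victim(flows: List[Flow], share_threshold: float = 0.5) -> Optional[str]:
    """The top destination, if it absorbs more than share_threshold of all packets."""
    total = sum(fl.pkts for fl in flows)
    if total == 0:
        return None
    dst, pkts = top_destinations(flows, 1)[0]
    return dst if pkts / total > share_threshold else None


def attack_profile(flows: List[Flow], victim: str) -> Dict[str, object]:
    """Packets, share of total, distinct sources and dominant proto/port for victim."""
    total = sum(fl.pkts for fl in flows)
    to_victim = [fl for fl in flows if fl.dst == victim]
    pkts = sum(fl.pkts for fl in to_victim)
    by_proto_port: Counter = Counter()
    for fl in to_victim:
        by_proto_port[(fl.proto, fl.dport)] += fl.pkts
    return {
        "victim": victim,
        "pkts": pkts,
        "share": pkts / total if total else 0.0,
        "distinct_sources": len({fl.src for fl in to_victim}),
        "top_proto_port": by_proto_port.most_common(1)[0][0] if to_victim else None,
    }


def blackhole_route(victim: str) -> str:
    """IOS static discard route for the victim host (the quick blackhole step)."""
    return f"ip route {victim} 255.255.255.255 Null0"


if __name__ == "__main__":
    flows = parse_cache_flow(SAMPLE)
    print("top destinations:", top_destinations(flows))
    print("top sources:     ", top_sources(flows))
    victim = find_victim(flows)
    if victim:
        print("profile:", attack_profile(flows, victim))
        print("blackhole:", blackhole_route(victim))
```

Feed it the captured output of the rsh command instead of SAMPLE and run it on each capture you keep, so the log Will describes (in case the router itself dies) also tells you which host was the target at each interval. Distinct-source count and the dominant protocol/port are there because they decide whether a single source filter would be enough or whether the victim address has to be dropped outright.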