On Tue, 30 Jul 2002 michael.dillon@radianz.com wrote:
That's the obvious solution to the problem if the problem is how to track down the source(s) of a DoS attack. However, in any DoS attack, there is always a victim and one or more devices sending attack traffic to the victim. The owners of the attacking devices are accessories to the crime although I'm sure they could plead ignorance and avoid any liability. But what if they could not plead ignorance? What if we could identify some of the attacking devices, and what if the victim sent a legal "cease and desist" letter to the owners of the attacking devices? Now, the victim is in a position to sue the owners of these attacking devices if they don't fix the problem by securing their machines. And once this happens and gets some press coverage, a whole bunch of other machine owners will wake up and realize that they could be stuck with big legal bills if they don't secure their machines.
So, to restate the problem, how do we identify some of the sources of a DoS attack quickly, maybe even while the attack is still in progress?
Not a complete solution but a start: IP Source Tracker: http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120... Available as of 12.0(22)S for 7500 and 12000 series Cisco routers. -Hank
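The kind of answer a per-interface source tracker gives to the question above, as an added illustration that is not part of this thread and not Cisco's IP Source Tracker: a small Python aggregation over constructed flow records (ingress interface, source, destination, packet count) that reports which router interfaces and which sources are carrying traffic toward one tracked victim. Source addresses in flood traffic may be spoofed, so the per-interface totals are the reliable part; the per-source list is only meaningful for traffic that was ingress-filtered upstream.

```python
"""Toy per-interface source tracking for traffic aimed at one victim.
Added example; the record format and the sample flows are constructed."""
from collections import Counter
from typing import Dict, List, Tuple

# Constructed flow records: (ingress_interface, src_ip, dst_ip, packets).
SAMPLE_FLOWS: List[Tuple[str, str, str, int]] = [
    ("Gi0/1", "198.51.100.7", "203.0.113.10", 9000),
    ("Gi0/1", "198.51.100.9", "203.0.113.10", 8500),
    ("Gi0/2", "192.0.2.44",   "203.0.113.10", 12000),
    ("Gi0/3", "192.0.2.80",   "203.0.113.10", 120),
    ("Gi0/3", "192.0.2.81",   "203.0.113.99", 5000),   # different destination, ignored
    ("Gi0/2", "192.0.2.44",   "203.0.113.10", 3000),
]


def track_victim(flows: List[Tuple[str, str, str, int]],
                 victim: str) -> Tuple[Counter, Counter]:
    """Sum packets toward `victim` per ingress interface and per
    (interface, source) pair. The interface totals tell an operator which
    upstream to contact or where a filter would have effect."""
    per_interface: Counter = Counter()
    per_source: Counter = Counter()
    for iface, src, dst, pkts in flows:
        if dst != victim:
            continue
        per_interface[iface] += pkts
        per_source[(iface, src)] += pkts
    return per_interface, per_source


def top_sources(flows: List[Tuple[str, str, str, int]], victim: str,
                min_share: float = 0.05) -> List[Tuple[str, str, int]]:
    """Sources that each carry at least `min_share` of the traffic seen
    toward `victim`, largest first. Small flows are dropped so ordinary
    clients of the victim do not get mistaken for attackers."""
    per_interface, per_source = track_victim(flows, victim)
    total = sum(per_interface.values())
    if total == 0:
        return []
    return [(iface, src, pkts)
            for (iface, src), pkts in per_source.most_common()
            if pkts / total >= min_share]


if __name__ == "__main__":
    victim_ip = "203.0.113.10"
    per_iface, _ = track_victim(SAMPLE_FLOWS, victim_ip)
    for iface, pkts in per_iface.most_common():
        print(f"{iface}: {pkts} packets toward {victim_ip}")
    for iface, src, pkts in top_sources(SAMPLE_FLOWS, victim_ip):
        print(f"  {src} via {iface}: {pkts} packets")
```

With the constructed records, Gi0/1 and Gi0/2 each carry tens of thousands of packets toward the victim while Gi0/3 carries a trickle, and the 120-packet source on Gi0/3 falls under the 5% threshold and is left off the list.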