Even though you are asking this question with regard to what can be done on the router itself, it's worth mentioning, if only for the archives, a non-router approach to the problem...especially if you are an enterprise network manager. It's even worth mentioning despite the fact that I work for a company that provides said approach.

Some of our enterprise customers place distributed Sniffers on their internet links themselves. Upon receiving an alert, they connect to the Sniffer and click on Top Ten talkers by bytes (presented in a pie/bar chart). On the left side of the screen are the source/destination pairs generating the most traffic. Typically, top talkers are the culprits, but sometimes weak DoS attacks can hide among legitimate traffic, which is why it's occasionally useful to check the Protocol Distribution window. More sophisticated attacks sometimes require that you take a capture of traffic and analyse packet-level data. If it's a simple DoS, jot down the IPs involved and call your ISP or upstream provider with a filter request.

Near-future versions of Sniffer will have IDS capabilities built in. I've also seen a proof-of-concept tool that automates the filtering process based on DDoS data and network thresholds. Obviously, there are lots of cases where this is a problematic approach, but I was impressed with the tool's current intelligence...especially traceback analysis and filtering at ingress.

In any case, Sniffer isn't the only protocol analysis tool. Shop around if a non-router approach interests you.

-----Original Message-----
From: Andre Chapuis [mailto:chapuis@ip-plus.net]
Sent: Monday, December 16, 2002 9:12 AM
To: nanog@nanog.org
Subject: Identifying DoS-attacked IP address(es)

Hi,

How do you identify a DoS-attacked IP address(es) on your ingress border router, assuming the latter is a Cisco 12000? I used to use ip accounting, but they removed it from the S-code.

Thanks,
André

---------------------
Andre Chapuis
IP+ Engineering
Swisscom Ltd
Genfergasse 14
3050 Bern
+41 31 893 89 61
chapuis@ip-plus.net
CCIE #6023
----------------------
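The top-talkers and protocol-distribution checks described in the reply above, as an added worked example that is not part of either poster's message nor the Sniffer product's code. The flow records are constructed (RFC 5737 documentation addresses), and the thresholds in suspected_targets are assumptions chosen to show the "weak DoS hiding among legitimate traffic" case that a per-pair top-ten view misses:

```python
from collections import Counter, defaultdict

# Constructed sample of flow records as a sniffer on an internet link might
# summarise them: (src, dst, protocol, bytes). Not real traffic.
FLOWS = [
    ("198.51.100.7", "203.0.113.10", "TCP/80", 900_000),  # legitimate web traffic
    ("198.51.100.8", "203.0.113.10", "TCP/80", 850_000),
    ("192.0.2.1",    "203.0.113.25", "UDP/53", 120_000),  # many modest flows
    ("192.0.2.2",    "203.0.113.25", "UDP/53", 118_000),  # to one destination
    ("192.0.2.3",    "203.0.113.25", "UDP/53", 121_000),
    ("192.0.2.4",    "203.0.113.25", "UDP/53", 119_000),
    ("192.0.2.5",    "203.0.113.25", "UDP/53", 122_000),
    ("198.51.100.9", "203.0.113.30", "TCP/25", 40_000),
]


def top_talkers(flows, n=10):
    """Source/destination pairs ranked by bytes: the 'Top Ten talkers' view."""
    pairs = Counter()
    for src, dst, _proto, nbytes in flows:
        pairs[(src, dst)] += nbytes
    return pairs.most_common(n)


def protocol_distribution(flows):
    """Share of total bytes per protocol: the 'Protocol Distribution' window."""
    total = sum(f[3] for f in flows)
    per_proto = Counter()
    for _src, _dst, proto, nbytes in flows:
        per_proto[proto] += nbytes
    return {p: b / total for p, b in per_proto.items()}


def suspected_targets(flows, min_sources=4, max_pair_share=0.10):
    """Destinations receiving traffic from many sources whose individual pairs
    are each too small to reach the top-talkers list. Returns
    {dst: (distinct_sources, total_bytes)}. Thresholds are assumed values."""
    total = sum(f[3] for f in flows)
    by_dst = defaultdict(lambda: [set(), 0])
    for src, dst, _proto, nbytes in flows:
        if nbytes / total <= max_pair_share:  # only pairs hidden below the top ten
            by_dst[dst][0].add(src)
            by_dst[dst][1] += nbytes
    return {d: (len(s), b) for d, (s, b) in by_dst.items() if len(s) >= min_sources}


if __name__ == "__main__":
    print(top_talkers(FLOWS, 3))
    print(protocol_distribution(FLOWS))
    print(suspected_targets(FLOWS))  # 203.0.113.25 surfaces here, not in the top pairs
```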