On Mon, 16 Dec 2002, Andre Chapuis wrote:
Chris, I often see the input-interface load is 100%. André
Ok, check the link Barry sent, there is some good info there... Input from the customer is 100%? If this is the case the customer can tell you what is being attacked, no? :)

Alternately, you can trim down what you log by first filtering like this:

    access-l 100 permit tcp any any
    access-l 100 permit icmp any any
    access-l 100 permit udp any any
    access-l 100 permit ip any any
    int blah1/1
     ip access-g 100 in

Check the counters to see what protocol is being flooded, then just log or drop it, your choice.

A 12000 puts all logging functionality on the line card CPU, not the GRP CPU, so the worst you'll do is overload the linecard CPU and drop some packets on the other interfaces of that linecard (only while you are logging, that is)... So long as you don't log for an extended period of time no one should notice, and you'll get the info you require.

Keep in mind how the syslog functions on a Cisco: one entry for an ACL match, then 5-min packet-count updates to that entry if the matches are the same. This means if hostA is UDP flooding hostB on distinct ports only one log entry will be seen for the first 5 mins, OR until you remove the ACL, which clears out the log entries :) So, sometimes if nothing stands out as being flooded you can remove the ACL and see a new log entry with 700000 packets matched :)
At 16:35 16.12.2002 +0000, Christopher L. Morrow wrote:
On Mon, 16 Dec 2002, Andre Chapuis wrote:
Hi, how do you identify a DoS-attacked IP address (or addresses) on your ingress border router, assuming the latter is a Cisco 12000? I used to use ip accounting but they removed it from the S-code.
What info do you have when you are trying to accomplish this mission?
Thanks, André
--------------------- Andre Chapuis IP+ Engineering Swisscom Ltd Genfergasse 14 3050 Bern +41 31 893 89 61 chapuis@ip-plus.net CCIE #6023 ----------------------
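The procedure Chris describes above (a permit-any ACL with "log", then reading the first-match entry and the 5-minute packet-count updates to find the flooded host) is easier to act on if you fold the syslog lines into per-destination totals rather than eyeballing them. The following script is an added example, not code from either poster; the log lines it parses are constructed in the %SEC-6-IPACCESSLOGP / IPACCESSLOGDP format IOS emits for logged ACL matches (hostnames, addresses and counts are made up), and it assumes each 5-minute update reports the packets seen in that interval, so summing the updates gives a running total per target.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (assumed format of IOS "log" ACL entries):
# one message on the first match, then a 5-minute packet-count update for the
# same flow.  Hostname, message numbers, addresses and counts are invented.
SAMPLE_LOG = """\
Dec 16 16:40:01 gsr1 1234: %SEC-6-IPACCESSLOGP: list 100 permitted udp 203.0.113.7(53) -> 198.51.100.10(1025), 1 packet
Dec 16 16:40:01 gsr1 1235: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 203.0.113.9(80) -> 198.51.100.22(4022), 1 packet
Dec 16 16:40:02 gsr1 1236: %SEC-6-IPACCESSLOGDP: list 100 permitted icmp 203.0.113.3 -> 198.51.100.10 (8/0), 1 packet
Dec 16 16:45:01 gsr1 1240: %SEC-6-IPACCESSLOGP: list 100 permitted udp 203.0.113.7(53) -> 198.51.100.10(1025), 700000 packets
Dec 16 16:45:01 gsr1 1241: %SEC-6-IPACCESSLOGP: list 100 permitted tcp 203.0.113.9(80) -> 198.51.100.22(4022), 312 packets
Dec 16 16:45:02 gsr1 1242: %SEC-6-IPACCESSLOGDP: list 100 permitted icmp 203.0.113.3 -> 198.51.100.10 (8/0), 1500 packets
"""

# TCP/UDP lines carry "(port)" after each address; ICMP lines carry "(type/code)"
# after the destination instead.  Both shapes are matched by one expression.
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>\d+\.\d+\.\d+\.\d+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\((?P<dport>\d+)\))?(?: \(\d+/\d+\))?, "
    r"(?P<count>\d+) packets?"
)


def parse_acl_log(text):
    """Return one record per parseable ACL log line; unrelated lines are skipped."""
    records = []
    for line in text.splitlines():
        m = ACL_LOG_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["count"] = int(rec["count"])
        records.append(rec)
    return records


def tally_by_target(records):
    """Sum packet counts per (destination, protocol).

    The first-match line and every later 5-minute update for the same flow are
    added together; the assumption is that each update is an interval count.
    """
    totals = defaultdict(int)
    for rec in records:
        totals[(rec["dst"], rec["proto"])] += rec["count"]
    return dict(totals)


def top_target(records):
    """Return (destination, total_packets) for the most-hit destination address."""
    per_dst = defaultdict(int)
    for (dst, _proto), n in tally_by_target(records).items():
        per_dst[dst] += n
    return max(per_dst.items(), key=lambda kv: kv[1])


if __name__ == "__main__":
    recs = parse_acl_log(SAMPLE_LOG)
    for (dst, proto), n in sorted(tally_by_target(recs).items(), key=lambda kv: -kv[1]):
        print(f"{dst:16} {proto:5} {n:>9} packets")
    print("most-hit destination:", top_target(recs))
```

Feed it the router's syslog (or a `show logging` capture) and the per-protocol totals tell you which access-list line to turn from "log" into a deny, which is the same decision Chris leaves to the operator above. Because IOS only logs the first packet of a flow and then summarises, a flood on many distinct ports still shows up as a handful of lines with large counts rather than one line per port.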