So.. you want to track some DoS traffic?
First off, everyone already should know that these views are mine, not UUNET/WCOM/UUcom's...

Ok, with the recent craziness on NANOG about DoS attacks, spoofed packets, tracking attacks and other DoS related junk, I figured I'd post out a quick tracking method that does NOT require hop-by-hop tracking. This method works with pretty much all spoofed attacks (synfloods/smurfs for instance). A brief overview of the method would be: "Track the attack from the after effect of the attack, not the attack itself."

A link to the details, which includes cut/paste router config bits for Cisco and Juniper routers. I'd include other router vendor cut/paste but I only had time to figure out the two included... if someone wants to post proper other configs (verified hopefully) I'll add them in also.

Link: http://www.secsup.org/Tracking/

Credit: Credit should go to those listed in the link, UUNET's TAC-Eng group, UUNET's Net-Sec group, UUNET's Customer Router Security Group, dies@pulltheplug.com and a few others I have forgotten.

The goal of posting this info out to NANOG is to get other backbones to implement this so attacks can be traced in less time and with less effort by all parties. I can successfully track an attack across my backbone in under 2 minutes with this method, where the hop-by-hop has taken me over 8 hours in extreme circumstances (as Paul Vixie can attest, since he waited on the call while I did it).

Suggestions for improvement or deletions to these procedures would be welcome as well.

Thanks,
--Chris (chris@uu.net)