Security Incidents mailing list archives

RE: DDoS attack.


From: "Boyan Krosnov" <bkrosnov () lirex bg>
Date: Fri, 25 Jan 2002 23:15:01 +0200

-----Original Message-----
From: Glenn Forbes Fleming Larratt [mailto:glratt () rice edu]
Sent: Friday, January 25, 2002 9:05 PM
To: Daniel F. Chief Security Engineer -
Cc: incidents () securityfocus com
Subject: Re: DDoS attack. 


A "tcpdump -ner" will show you the MAC address or addresses your tcpdump
host sees for this traffic. That address or addresses will either belong
to the source host, or a core router through which it came.

If it's a router, you'll need to trace back to which network on the
other side of it, and iterate as necessary. A portable tcpdump host
would come in handy to do so.
Other handy tools are the switched port analyser (SPAN) feature (Cisco)
or port/VLAN mirroring (other vendors) of manageable switches. If these
are not available, $20 ethernet hubs help a lot :)
Also any graphical statistics like MRTG on router or manageable switch
ports do help in tracing a DoS of more than 1500 packets/second.
About the tcpdump: if the attack comes and goes, it helps to write the
first, say, 100 bytes of each packet to a file, so that you can later review
what has traversed the path you are monitoring, like tcpdump -w
<filename> -s 100 <expr>. And it is not a big problem with today's cheap
hard disks.

If it's a Cisco router, you might look into deploying the per-interface
command "ip verify unicast reverse-path" (I think - I may have misremembered
the syntax), which automatically prevents spoofing beyond the scope of
the LAN segment. Check this command out at www.cisco.com .
The syntax is correct;
the command requires CEF to be running on the interface on which you
enable it, which may not be possible with some old routers and software.
It limits the scope of spoofing to some degree, but I've seen bad people
get around it by changing the source address only inside the range of
the permitted hosts.

Regards,
Boyan

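A small added example (not part of either poster's message) of the MAC-tracing step described above: it parses a few constructed "tcpdump -ner" lines in the modern libpcap line format, counts frames per source MAC per second, and counts how many distinct source IPs sit behind each MAC. A MAC with many source IPs is a router (or a spoofing host) and is the next hop to trace; the 1500 pps threshold is the figure quoted in the thread.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of `tcpdump -ner` output; not a real capture.
SAMPLE = """\
23:15:01.000100 00:10:7b:aa:bb:01 > 00:e0:1e:dd:ee:ff, ethertype IPv4 (0x0800), length 60: 203.0.113.7.1024 > 198.51.100.5.80: Flags [S], seq 1, win 512, length 0
23:15:01.000300 00:10:7b:aa:bb:01 > 00:e0:1e:dd:ee:ff, ethertype IPv4 (0x0800), length 60: 203.0.113.9.1025 > 198.51.100.5.80: Flags [S], seq 2, win 512, length 0
23:15:01.000500 00:10:7b:aa:bb:01 > 00:e0:1e:dd:ee:ff, ethertype IPv4 (0x0800), length 60: 203.0.113.44.1026 > 198.51.100.5.80: Flags [S], seq 3, win 512, length 0
23:15:01.200000 00:50:ba:11:22:33 > 00:e0:1e:dd:ee:ff, ethertype IPv4 (0x0800), length 98: 192.0.2.10 > 198.51.100.5: ICMP echo request, id 1, seq 1, length 64
23:15:02.000100 00:10:7b:aa:bb:01 > 00:e0:1e:dd:ee:ff, ethertype IPv4 (0x0800), length 60: 203.0.113.8.1027 > 198.51.100.5.80: Flags [S], seq 4, win 512, length 0
"""

# timestamp, source MAC, destination MAC, then "length N: srcip[.port] > dstip"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ "
    r"(?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r".*?length \d+: (?P<sip>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (?P<dip>\d+\.\d+\.\d+\.\d+)"
)


def summarize(text, pps_threshold=1500):
    """Per source MAC: total frames, distinct source IPs, peak frames in one
    second, and whether that peak exceeds pps_threshold."""
    per_sec = defaultdict(Counter)   # mac -> Counter(second -> frames)
    src_ips = defaultdict(set)       # mac -> set of source IPs seen
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                 # non-IP or unparsed line; skip it
        per_sec[m["smac"]][m["ts"]] += 1
        src_ips[m["smac"]].add(m["sip"])
    result = {}
    for mac, secs in per_sec.items():
        peak = max(secs.values())
        result[mac] = {
            "frames": sum(secs.values()),
            "src_ips": len(src_ips[mac]),   # many IPs behind one MAC: a router
            "peak_pps": peak,
            "over_threshold": peak > pps_threshold,
        }
    return result


if __name__ == "__main__":
    for mac, stats in summarize(SAMPLE).items():
        print(mac, stats)
```

With a real capture, feed it `tcpdump -ner -r <file>` output; the MAC whose stats show many source IPs and the highest peak is the upstream device to move the tcpdump host behind next.
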
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

