Re: Ping flooding (fwd)

[Per Gregers Bilse <bilse () EU net>]

On Jul 9, 14:21, Curtis Villamizar <curtis () ans net> wrote:
> The NSS routers allow us to do statistical sampling continuously and
> the occurance of a source address at an entry point where it does not
> usually enter can be detected and has in the past been used to
> followup these sort of attacks after the fact.  Other routers are not
> capable of doing this but if the offense is repeated, successive
> monitoring can be set up until the source is isolated.
>
> We have requested the same sort of statistical sampling from Cisco and
> Bay (and BNR/NSC).  It is a long ways back on the development schedule

Maybe I'm missing something, but flow switching stats from Ciscos
should do exactly this:

SrcIf    SrcIPaddress    DstIf    DstIPaddress    Pr DstP SrcP Pkts B/Pk Active
Se1/0    194.130.16.17   Se1/6    130.144.65.1    11 0035 0035    2   69    0.0
Et0/2    193.122.198.1   Se1/1    128.218.14.87   06 0050 0FA3    2   40    0.0
Se1/5    130.144.65.1    Se1/0    194.130.16.17   11 0035 0035    2   69    0.0
Se1/1    153.36.40.52    Et0/1    193.74.242.1    06 0413 0050    4   44    9.6
Se1/5    194.178.24.22   Se1/7    146.228.10.11   06 0407 0050  124   40  207.6
Se1/7    146.228.10.11   Se1/6    194.178.24.22   06 0050 0405  648  550  673.4
Se1/5    194.165.95.69   Se1/0    205.216.146.69  06 0430 0050    5  164    6.2

etc, etc.  Dump, then grep.

-- 
------ ___                        --- Per G. Bilse, Mgr Network Operations Ctr
----- /     /  /   __   ___  _/_ ---- EUnet Communications Services B.V.
---- /---  /  /  /  /  /__/  /  ----- Singel 540, 1017 AZ Amsterdam, NL
--- /___  /__/  /  /  /__   /  ------ tel: +31 20 6233803, fax: +31 20 6224657
---                           ------- 24hr emergency number: +31 20 421 0865
--- Connecting Europe since 1982  --- http://www.EU.net  e-mail: bilse () EU net
- - - - - - - - - - - - - - - - -