nanog mailing list archives

Re: Identifying DoS sources quickly (was: Bogon list or Dshield.org type list)


From: Hank Nussbacher <hank () att net il>
Date: Tue, 30 Jul 2002 18:46:56 +0300 (IDT)


On Tue, 30 Jul 2002 michael.dillon () radianz com wrote:

That's the obvious solution to the problem if the problem is how to track
down the source(s) of a DoS attack. However, in any DoS attack, there is
always a victim and one or more devices sending attack traffic to the
victim. The owners of the attacking devices are accessories to the crime
although I'm sure they could plead ignorance and avoid any liability. But
what if they could not plead ignorance? What if we could identify some of
the attacking devices, and what if the victim sent a legal "cease and
desist" letter to the owners of the attacking devices? Now, the victim is
in a position to sue the owners of these attacking devices if they don't
fix the problem by securing their machines. And once this happens and gets
some press coverage, a whole bunch of other machine owners will wake up
and realize that they could be stuck with big legal bills if they don't
secure their machines.

So, to restate the problem, how do we identify some of the sources of a
DoS attack quickly, maybe even while the attack is still in progress?

Not a complete solution but a start:
IP Source Tracker:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s21/ipst.htm

Available as of 12.0(22)S for 7500 and 12000 series Cisco routers.

-Hank




