nanog mailing list archives

RE: DOS attack tracing


From: "Richard" <richard () o-matrix org>
Date: Mon, 9 May 2005 14:49:06 -1000



> On Mon, May 09, 2005 at 01:35:06PM -1000, Richard wrote:
>
> > We recently experienced several DOS attacks which drove our backbone
> > routers' CPU to 100%. The routers are not under attack, but the
> > router just couldn't handle the traffic. There is a plan to upgrade
> > these routers.
>
> What kind of routers? We had problems like this with Cisco 7206VXRs
> with NPE-300s at my last job because they just couldn't handle the
> high volume of packets-per-second from certain types of attack.

Oh... I guess that it would be a known issue then... we have exactly the same
type of routers. Our routers normally run at 35% CPU. What sucks is that the
traffic volume doesn't have to be very high to bring down the router.

> On a Cisco router, you can also look at the raw cache flow data (sh ip
> cache flow), which has some summary data at the top, and then data on
> each flow. By rshing into the device and capturing this output, you have
> access to some other data to futz around with in some sort of script.
>
> So I'm not sure if there are any vendors which make it easy to figure
> this out while logged into the device itself (or whether this is a
> practical thing to do at all or something vendors are working on
> implementing), but it is possible to do using tools like netflow.

So far we manually log in to the router and use 'sh ip cache flow' on the
router. It is ok, but not very effective. First, when the router is slowed to a
halt, it is not even possible to run the command most of the time.
Secondly, reading through the output and figuring out what's going on is not
an easy task. I will definitely look into the tools to automate this
process. Appreciate your suggestion. Just wonder if any router vendor has
any built-in tools.

Thanks,
Richard
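The quoted suggestion above (capture 'sh ip cache flow' over rsh and "futz around with" the output in a script) is the part of this thread that turns into a concrete detection check. The Python below is an added example, not code from the original post, from NANOG, or from any router vendor: it parses a constructed sample in the column layout of Cisco's flow table (SrcIf, SrcIPaddress, DstIf, DstIPaddress, Pr, SrcP, DstP, Pkts, with protocol and ports printed in hex), aggregates packet counts per source, per destination and per destination/port, and flags the case the thread describes, where one destination and port absorb most of the cache. The sample flows, the addresses in them and the 50% threshold are all assumptions for illustration; on a real device you would feed it the captured output instead of SAMPLE.

```python
import re
from collections import Counter

# Constructed sample in the layout of Cisco 'show ip cache flow' output.
# Not a real capture: addresses are documentation ranges and counts are made up.
# Pr (protocol) and SrcP/DstP (ports) are printed in hex; Pkts is decimal.
SAMPLE = """\
IP packet size distribution (25928 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .900 .050 .010 .010 .010 .010 .010 .000 .000 .000 .000 .000 .000 .000

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0         198.51.100.7    Fa0/1         192.0.2.10      11 0035 0035     5
Fa0/0         203.0.113.5     Fa0/1         192.0.2.10      06 0400 0050  9000
Fa0/0         203.0.113.5     Fa0/1         192.0.2.10      06 0401 0050  8700
Fa0/0         203.0.113.9     Fa0/1         192.0.2.10      06 0402 0050  8100
Fa0/1         192.0.2.10      Fa0/0         198.51.100.7    06 0050 C001   120
Fa0/0         198.51.100.22   Fa0/1         192.0.2.25      01 0000 0800     3
"""

# One flow line: interface, IPv4, interface, IPv4, 2-hex-digit proto, two 4-hex-digit ports, packets.
# The summary block and the column header never match this shape, so they are skipped.
FLOW_RE = re.compile(
    r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})"
    r"\s+([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{4})\s+(\d+)\s*$"
)


def parse_flows(text):
    """Return one dict per flow line; summary and header lines are ignored."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        src_if, src, dst_if, dst, proto, sport, dport, pkts = m.groups()
        flows.append({
            "src_if": src_if, "src": src, "dst_if": dst_if, "dst": dst,
            "proto": int(proto, 16), "sport": int(sport, 16),
            "dport": int(dport, 16), "pkts": int(pkts),
        })
    return flows


def total_packets(flows):
    return sum(f["pkts"] for f in flows)


def top_talkers(flows, field, n=5):
    """Packets aggregated by one flow field ('src', 'dst', 'dport', ...), largest first."""
    counts = Counter()
    for f in flows:
        counts[f[field]] += f["pkts"]
    return counts.most_common(n)


def dominant_target(flows, threshold=0.5):
    """Return ((dst, proto, dport), pkts, share) if one target takes >= threshold of all packets.

    A single destination/port pair holding most of the flow cache is the shape of the
    packet-rate floods discussed in the thread; normal traffic spreads across many targets.
    Returns None when no target crosses the threshold or there are no flows.
    """
    total = total_packets(flows)
    if total == 0:
        return None
    counts = Counter()
    for f in flows:
        counts[(f["dst"], f["proto"], f["dport"])] += f["pkts"]
    key, pkts = counts.most_common(1)[0]
    share = pkts / total
    return (key, pkts, share) if share >= threshold else None


if __name__ == "__main__":
    flows = parse_flows(SAMPLE)
    print("flows parsed:", len(flows), "packets:", total_packets(flows))
    print("top sources:", top_talkers(flows, "src", 3))
    print("top destinations:", top_talkers(flows, "dst", 3))
    print("dominant target:", dominant_target(flows))
```

Because the flow table is read from captured text rather than from the router in real time, this also addresses the other complaint in the post: the capture can be taken by a cron job or a polling host while the router is still responsive, and the analysis runs off-box when the CPU is already pinned.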
