Sampled NetFlow, or look at the traceback stuff in later
IOS 12.0S versions. Avoid filter lists, as the GSR engine cards
have a statically limited number of entries.
Regards,
Neil.
If something is being attacked it'll show in the 'statically limited'
listing, trust me... this is how we do it all day, every day...
FYI, we developed a system that sniffs FE, GE, DS3, OC3-48 POS and creates
a model using the cross-product of:
1) source/destination address distributions
2) packet rate
3) protocol
This works very well to detect floods and does not require messing with
routers.
Livio.
But I can't field deploy this 2 continents away at 4am with 10 mins
notice...
I am wondering how much help backbone providers give in
identifying sources of a DoS and deciding what ACLs or
rate-limits need to be placed to bring a DoS under control,
for their downstream clients. (Assuming it is their
downstream clients that are being DoSed.)
I realize this will vary from provider to provider; I am
just seeking people's experiences with this issue.
James Edwards
jamesh@cybermesa.com
At the Santa Fe Office: Internet at Cyber Mesa
Store hours: 9-6 Monday through Friday
Phone support 365 days till 10 pm via the Santa Fe office:
505-988-9200
I am wondering how much help backbone providers give in
identifying sources of a DoS and deciding what ACLs or
rate-limits need to be placed to bring a DoS under control,
I'm sure you can look in the archives of this list for messages from me
about this very thing... In short: "Every ISP should have 24/7 security
support for customers under attack." That support should include ACLs,
null routes, and tracking the attack to the ingress. Rarely do rate-limits do
any good in the case of DoS attacks... (this part is a debate for another
thread)
for their downstream clients. (Assuming it is their
downstream clients that are being DoSed.)
I realize this will vary from provider to provider; I am
just seeking people's experiences with this issue.
It may vary, but there really should be an expected minimum standard.
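The two technical points made so far, Livio's flood model built from the cross-product of source/destination address distributions, packet rate and protocol, and the reply's "tracking the attack to the ingress" before applying ACLs or null routes, can be shown together over sampled flow records. The following is an added example, not code from any poster or from Livio's system: it assumes 1:1000 packet sampling, a 60-second window, a constructed set of flow records (the addresses, interface names and packet counts are made up for the illustration), and a fixed packets-per-second threshold. For each (destination, protocol) bucket it estimates the packet rate, measures how spread out the sources are, and reports which ingress interface carries the flood, which is the interface where an ACL or null route would go.

```python
"""Flood detection over sampled NetFlow-style records (added example)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
import math

# Assumptions for this example: 1:1000 packet sampling, 60-second window,
# and a flat 5,000 pps threshold per (destination, protocol) bucket.
SAMPLE_RATE = 1000
WINDOW_SECONDS = 60
PPS_THRESHOLD = 5_000


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str    # "tcp", "udp", "icmp"
    in_if: str    # ingress interface on the sampling router (hypothetical names)
    packets: int  # sampled packets in this record


def source_entropy(srcs):
    """Shannon entropy (bits) of the per-source packet distribution."""
    total = sum(srcs.values())
    return -sum(c / total * math.log2(c / total) for c in srcs.values())


def detect_floods(flows, pps_threshold=PPS_THRESHOLD,
                  sample_rate=SAMPLE_RATE, window_s=WINDOW_SECONDS):
    """Return one alert per (dst, proto) bucket whose estimated packet rate
    exceeds pps_threshold, with source-spread and ingress breakdown."""
    buckets = defaultdict(lambda: {"pkts": 0, "srcs": Counter(), "ifaces": Counter()})
    for f in flows:
        b = buckets[(f.dst, f.proto)]
        b["pkts"] += f.packets
        b["srcs"][f.src] += f.packets
        b["ifaces"][f.in_if] += f.packets

    alerts = []
    for (dst, proto), b in buckets.items():
        # Scale sampled packet count back to an estimated wire rate.
        est_pps = b["pkts"] * sample_rate / window_s
        if est_pps < pps_threshold:
            continue
        # Source distribution: distinct sources per sampled packet. Close to
        # 1.0 means nearly every packet came from a different address, the
        # signature of a randomly spoofed flood; a small value means a few
        # real senders (bots, or a legitimate heavy hitter).
        src_ratio = len(b["srcs"]) / b["pkts"]
        # Ingress interfaces ordered by the share of attack packets they carry.
        ingress = [(ifname, n / b["pkts"]) for ifname, n in b["ifaces"].most_common()]
        alerts.append({
            "dst": dst, "proto": proto, "est_pps": est_pps,
            "unique_src_ratio": src_ratio,
            "src_entropy_bits": source_entropy(b["srcs"]),
            "ingress": ingress,
        })
    return sorted(alerts, key=lambda a: -a["est_pps"])


# Constructed sample window (not real data): ordinary web traffic from ten
# clients, plus a spoofed UDP flood at 192.0.2.10 arriving mostly on POS3/0.
SAMPLE_FLOWS = [
    Flow(f"10.0.{i}.1", "192.0.2.20", "tcp", "GE1/0", 5) for i in range(10)
] + [
    Flow(f"198.51.{i // 256}.{i % 256}", "192.0.2.10", "udp",
         "POS3/0" if i < 480 else "GE1/0", 1)
    for i in range(600)
]

if __name__ == "__main__":
    for a in detect_floods(SAMPLE_FLOWS):
        top_if, share = a["ingress"][0]
        print(f"{a['dst']}/{a['proto']}: ~{a['est_pps']:.0f} pps, "
              f"unique-src ratio {a['unique_src_ratio']:.2f}, "
              f"{top_if} carries {share:.0%} of it")
```

On the constructed window the web traffic stays well under the threshold while the UDP bucket is flagged at roughly 10,000 pps with a unique-source ratio of 1.0 and 80% of it entering on POS3/0; that interface, not the victim's access port, is where an ingress ACL or a null route for the destination belongs, and the upstream on the other side of it is who gets the phone call. In practice the threshold would be a per-destination baseline rather than a constant, and with 1:1000 sampling the rate estimate is only meaningful once a bucket holds a few hundred samples.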
But that's OK, since you deployed it in last week's maintenance window, to
comply with the upper management requirement that they be given advance
notice of all unscheduled outages.
But seriously - if you had a HandWave 2100 already installed 2 continents
away, would interrogating/tweaking/etc the model at 4AM with 10 minutes
notice be feasible?
(And yes, I know Chris probably has some tools in place before the fact -
the question is how many of the REST of you do?)
I'm sure you can look in the archives of this list for messages from me
about this very thing... In short: "Every ISP should have 24/7 security
support for customers under attack." That support should include ACLs,
null routes, and tracking the attack to the ingress. Rarely do rate-limits do
any good in the case of DoS attacks... (this part is a debate for another
thread)
Yes, we have those ready to go, and tools like Snort/SPADE
and NetFlow to identify the problem
and suggest ACLs and null routes, etc. My question is more
about an upstream provider for an ISP
(I was calling this "backbone"). Clearly UU has a system well
in place, but I would like to hear others' experiences
with their upstream providers and DoSes. I know what kind of
help my upstreams will provide, as I have asked;
I am just trying to get a feel for others' experiences.
James Edwards
jamesh@cybermesa.com
Yes, there needs to be some up-front investment to proactively deploy these
boxes/taps in strategic places. I did some analysis and the numbers are doable even
for the largest networks.
But then we get into philosophy; I have a lot of screwdrivers lying around at home, but
I would much rather invest in chisels than keep trying to carve wood with flathead
screwdrivers (but that's just me..)
Livio.
AT&T also does the basics: ACLs, null routes, tracking back to ingress.
-james
As do Sprint and C&W. MFN can sometimes help, depends on who you talk to,
as I recall, and Verio is quick to fix problems... L3 had some problems in
the past; my last experience with them was 'ok' though not stellar. I'm
having a bit of trouble getting more off the top of my head, aside from
the George Mason computer group that just unplugged a machine in a dorm
for me.