Paul A Vixie writes:
If Cisco routers had TCPDUMP capability this would be a lot simpler. If
all the routers in the universe had TCPDUMP, and all the router operators
had eachother's phone numbers, we could track this to the source in less
than five minutes. Alas, the misfit teenagers of the underworld have
caught us without any of the tools we need be able to track this down.
The attacks will show up in Cisco netflow switching exports though.
ftp://ftp.net.ohio-state.edu/users/maf/priv/flow.tar is the start
of a toolkit.