Even though you are asking this question with regard to what can
be done on the router itself, it's worth mentioning, if only for
the archives, a non-router approach to the problem...especially if
you are an enterprise network manager. It's even worth
mentioning despite the fact that I work for a company that provides
said approach.
Some of our enterprise customers place distributed Sniffers on their
internet links themselves. Upon receiving an alert, they connect to the
Sniffer and click on Top Ten talkers by bytes (presented in pie/bar chart).
On the left side of the screen are the source/destination pairs
generating the most traffic. Typically, top talkers are the culprits but
sometimes weak DOS attacks can hide among legitimate traffic, which
is why it's occasionally useful to check the Protocol Distribution
window. More sophisticated attacks sometimes require that you take a capture
of traffic and analyse packet level data. If it's a simple DOS, jot down
the IPs involved and call your ISP or upstream provider with a filter
request.
Near-future versions of Sniffer will have IDS capabilities built in.
I've also seen a proof of concept tool that automates the filtering process
based on DDOS data and network thresholds. Obviously, there are lots of
cases where this is a problematic approach but I was impressed with the
tool's current intelligence...especially traceback analysis and filtering
at ingress.
In any case, Sniffer isn't the only protocol analysis tool. Shop around if
a non-router approach interests you.
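As an added illustration of the two views the post describes (not Sniffer's own code; the flow records and the thresholds are constructed assumptions), here is a small Python script that ranks source/destination pairs by bytes and then compares each protocol's packet share against its byte share, which is how a flood of small packets shows up in the protocol distribution while staying out of the bytes-based top-ten list:

```python
from collections import Counter

# Constructed sample flow records: (src, dst, protocol, packets, bytes).
# Three spoofed sources send 60-byte ICMP packets; counted by bytes, each
# pair ranks below the two legitimate TCP pairs and so "hides" in top talkers.
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.10", "TCP", 10_000, 14_000_000),      # bulk transfer
    ("10.0.0.7", "192.0.2.10", "TCP", 1_500, 2_200_000),        # web traffic
    ("198.51.100.9", "192.0.2.10", "ICMP", 30_000, 1_800_000),  # flood source 1
    ("198.51.100.10", "192.0.2.10", "ICMP", 30_000, 1_800_000), # flood source 2
    ("198.51.100.11", "192.0.2.10", "ICMP", 30_000, 1_800_000), # flood source 3
    ("10.0.0.8", "192.0.2.11", "UDP", 300, 400_000),            # other traffic
]

def top_talkers(flows, n=10):
    """Bytes per (src, dst) pair, largest first: the 'Top Ten talkers by bytes' view."""
    by_pair = Counter()
    for src, dst, _proto, _pkts, nbytes in flows:
        by_pair[(src, dst)] += nbytes
    return by_pair.most_common(n)

def protocol_distribution(flows):
    """Per protocol: (share of all packets, share of all bytes)."""
    pkts, byts = Counter(), Counter()
    for _src, _dst, proto, npkts, nbytes in flows:
        pkts[proto] += npkts
        byts[proto] += nbytes
    total_p, total_b = sum(pkts.values()), sum(byts.values())
    if not total_p or not total_b:
        return {}
    return {p: (pkts[p] / total_p, byts[p] / total_b) for p in pkts}

def suspicious_protocols(flows, pkt_share_min=0.5, ratio_min=3.0):
    """Protocols whose packet share dwarfs their byte share (assumed thresholds):
    the profile of a weak flood of small packets; confirm with a packet capture."""
    flagged = []
    for proto, (pkt_share, byte_share) in protocol_distribution(flows).items():
        ratio = pkt_share / byte_share if byte_share else float("inf")
        if pkt_share >= pkt_share_min and ratio >= ratio_min:
            flagged.append(proto)
    return sorted(flagged)

if __name__ == "__main__":
    for (src, dst), nbytes in top_talkers(SAMPLE_FLOWS):
        print(f"{src:>15} -> {dst:<12} {nbytes:>12,} bytes")
    print("check protocol distribution for:", suspicious_protocols(SAMPLE_FLOWS))
```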