RE: Identifying DoS-attacked IP address(es) Sniffer

Even though you are asking this question with regard to what can
be done on the router itself, it's worth mentioning, if only for
the archives, a non-router approach to the problem...especially if
you are an enterprise network manager. It's even worth
mentioning despite the fact that I work for a company that provides
said approach.

Some of our enterprise customers place distributed Sniffers on their
internet links themselves. Upon receiving an alert, they connect to the
Sniffer and click on Top Ten Talkers by bytes (presented in a pie/bar chart).
On the left side of the screen are the source/destination pairs
generating the most traffic. Typically, top talkers are the culprits, but
sometimes weak DoS attacks can hide among legitimate traffic, which
is why it's occasionally useful to check the Protocol Distribution
window. More sophisticated attacks sometimes require that you take a capture
of traffic and analyse packet-level data. If it's a simple DoS, jot down
the IPs involved and call your ISP or upstream provider with a filter
request.
Near-future versions of Sniffer will have IDS capabilities built in.
I've also seen a proof-of-concept tool that automates the filtering process
based on DDoS data and network thresholds. Obviously, there are lots of
cases where this is a problematic approach, but I was impressed with the
tool's current intelligence...especially traceback analysis and filtering
at ingress.

In any case, Sniffer isn't the only protocol analysis tool. Shop around if
a non-router approach interests you.
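The triage workflow in the post above (top talkers by bytes, source/destination pairs, then the protocol distribution for a weak flood that does not show up in the byte ranking) can be reproduced over flow records without any particular analyser. The script below is an added example and is not Sniffer's code or anything from the poster; the flow records are constructed (RFC 5737 documentation addresses), and the 100-byte average-packet-size threshold used to flag small-packet floods is an assumed tuning knob, not a figure from the post.

```python
"""Top-talker triage over flow records, in the spirit of the workflow above.

Added example, not code from Sniffer or the original poster. Each record is
(src, dst, proto, bytes, packets) aggregated over the alert window.
"""
from collections import Counter
from typing import Dict, List, Tuple

Flow = Tuple[str, str, str, int, int]  # (src, dst, proto, bytes, packets)

# Constructed sample data. 192.0.2.10-13 are legitimate bulk transfers with
# ~1500-byte packets; 10.9.9.9 is a constructed low-bandwidth ICMP flood that
# ranks last by bytes but first by packet count (40-byte packets).
FLOWS: List[Flow] = [
    ("192.0.2.10", "198.51.100.5", "TCP", 9_000_000, 6_000),
    ("192.0.2.11", "198.51.100.5", "TCP", 7_500_000, 5_000),
    ("192.0.2.12", "198.51.100.6", "UDP", 4_000_000, 2_700),
    ("192.0.2.13", "198.51.100.6", "TCP", 3_200_000, 2_200),
    ("10.9.9.9",   "198.51.100.5", "ICMP", 1_600_000, 40_000),
]


def top_talkers_by_bytes(flows: List[Flow], n: int = 10) -> List[Tuple[str, int]]:
    """The 'Top Ten Talkers by bytes' view: sources ranked by total bytes sent."""
    c: Counter = Counter()
    for src, _dst, _proto, nbytes, _pkts in flows:
        c[src] += nbytes
    return c.most_common(n)


def top_talkers_by_packets(flows: List[Flow], n: int = 10) -> List[Tuple[str, int]]:
    """Same ranking by packet count; a small-packet flood surfaces here first."""
    c: Counter = Counter()
    for src, _dst, _proto, _nbytes, pkts in flows:
        c[src] += pkts
    return c.most_common(n)


def top_pairs_by_bytes(flows: List[Flow], n: int = 10) -> List[Tuple[Tuple[str, str], int]]:
    """Source/destination pairs generating the most traffic."""
    c: Counter = Counter()
    for src, dst, _proto, nbytes, _pkts in flows:
        c[(src, dst)] += nbytes
    return c.most_common(n)


def protocol_distribution(flows: List[Flow], by: str = "bytes") -> Dict[str, float]:
    """Share of traffic per protocol, by 'bytes' or by 'packets'."""
    idx = 3 if by == "bytes" else 4
    c: Counter = Counter()
    for rec in flows:
        c[rec[2]] += rec[idx]
    total = sum(c.values())
    return {proto: count / total for proto, count in c.items()} if total else {}


def small_packet_sources(flows: List[Flow], max_avg_bytes: int = 100) -> List[str]:
    """Sources whose average packet size is suspiciously small (assumed threshold).

    This is the check that catches a weak DoS hiding below the byte-based top
    talkers: lots of packets, little payload.
    """
    b: Counter = Counter()
    p: Counter = Counter()
    for src, _dst, _proto, nbytes, pkts in flows:
        b[src] += nbytes
        p[src] += pkts
    return sorted(src for src in b if p[src] and b[src] / p[src] <= max_avg_bytes)


def triage(flows: List[Flow], n: int = 10) -> None:
    """Print the views an analyst would click through during an alert."""
    print("Top talkers by bytes:")
    for src, nbytes in top_talkers_by_bytes(flows, n):
        print(f"  {src:15} {nbytes:>12,d} B")
    print("Top pairs by bytes:")
    for (src, dst), nbytes in top_pairs_by_bytes(flows, n):
        print(f"  {src:15} -> {dst:15} {nbytes:>12,d} B")
    for by in ("bytes", "packets"):
        dist = protocol_distribution(flows, by)
        print(f"Protocol distribution by {by}: "
              + ", ".join(f"{k} {v:.1%}" for k, v in sorted(dist.items())))
    print("Top talkers by packets:")
    for src, pkts in top_talkers_by_packets(flows, n):
        print(f"  {src:15} {pkts:>12,d} pkts")
    print("Small-packet sources (candidates for an upstream filter request):",
          small_packet_sources(flows))


if __name__ == "__main__":
    triage(FLOWS)
```

On the constructed data the byte ranking puts the flood source last, the packet-based protocol distribution shows ICMP at over 70% of packets, and the average-packet-size check names 10.9.9.9 outright; those are the addresses to hand to the upstream provider with the filter request. Real flow exports (NetFlow/IPFIX or a capture summarised with a protocol analyser) plug into the same functions once mapped to the five-field record.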

You want to put a box like this to analyze a dozen OC-12c(s)? I know that
the sales people for boxes like this right now are really hurting for
business, but give us a break.

Alex

A break is exactly what everyone is getting right now, but not what you
mean. Look at telecom stocks and valuations going down... You've gotta sell
more than just best-effort data; I wish more of the operators got a bit more
adventurous and started to look at additional things to do in the network
(not all boxes are evil). We have best-effort data; lots of it; it's not
enough anymore. Quality is the name of the game (I think). I would start
with improving network security and availability and see if Enterprises
want to buy extra services (I think so).

Livio.