smurf, the MCI-developed tracing tools (was Re: Bogus announcement)

Alex P. Rudnev writes...

What are you talking about? If they have NETFLOW switching and NETFLOW
accounting, it's easy to search for the router originating the
SMURF/initialised packets (these packets can be searched by such a list,
or by a similar search pattern):

xxx permit ip any 0.0.0.255 255.255.255.0 log

And then it takes 5 minutes to look for the originating interface.

Yeah. And that leads to another router, then another, then another.
How about automating the process? That's what it looks like DoStracker
does.

As was pointed out to me, if I have just one or two routers or one or
two links into the Internet, then I can easily find where the attack is
coming from. But if I have a large complex network ...

No doubt. Anyway, it's a step forward. CISCO should do another step,
yes?

--
Phil Howard | crash547@no41ads6.com no63ads9@spammer7.edu stop1ads@no9place.edu
  phil | end3ads6@no79ads0.com no6spam8@dumbads1.org stop6it2@dumbads7.edu
    at | no43ads7@noplace1.net no44ads3@no40ads8.net suck8it0@s0p5a7m7.com
  milepost | stop7ads@dumbads7.edu w0x2y8z4@dumb5ads.edu no7way22@anywhere.net
    dot | no6spam4@no6where.com eat2this@lame2ads.edu ads8suck@dumb2ads.net
  com | no2spam2@s2p0a9m8.com suck0it2@no14ads4.net blow9me7@noplace5.com

Aleksei Roudnev, Network Operations Center, Relcom, Moscow
(+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager)
(+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)
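
Added example (not part of the original messages): the per-router step described above, applying the destination match from the access-list line to flow records and totalling hits per input interface. The record layout, interface names and addresses are constructed for illustration and are not NetFlow's own export format.

```python
import ipaddress
from collections import Counter

# Destination part of the access-list line in the post:
#   any 0.0.0.255 255.255.255.0  ->  address 0.0.0.255, wildcard 255.255.255.0
DST_BASE, DST_WILDCARD = "0.0.0.255", "255.255.255.0"


def acl_match(addr, base, wildcard):
    """Cisco-style wildcard match: bits set in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # only these bit positions are compared
    return (a & care) == (b & care)


# Constructed flow records: (input_interface, src, dst, packets).
# Addresses come from the documentation ranges; nothing here is real traffic.
SAMPLE_FLOWS = [
    ("Serial0/0", "198.51.100.7", "192.0.2.255", 4200),
    ("Serial0/0", "198.51.100.7", "203.0.113.255", 3900),
    ("Serial0/1", "198.51.100.20", "192.0.2.10", 150),
    ("Ethernet1", "203.0.113.5", "192.0.2.255", 3),
    ("Ethernet1", "203.0.113.9", "198.51.100.25", 900),
]


def ingress_by_interface(flows):
    """Return [(interface, packets)] for flows matching the pattern, busiest first."""
    hits = Counter()
    for in_if, _src, dst, pkts in flows:
        if acl_match(dst, DST_BASE, DST_WILDCARD):
            hits[in_if] += pkts
    return hits.most_common()


if __name__ == "__main__":
    # The busiest interface points at the next upstream router to check.
    for in_if, pkts in ingress_by_interface(SAMPLE_FLOWS):
        print(f"{in_if}: {pkts} packets to x.x.x.255 destinations")
```

The pattern only catches destinations whose last octet is 255, so broadcast addresses of subnets with other mask lengths are missed, and a .255 host inside a larger subnet will match as well.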