So.. you want to track some DoS traffic?

First off, everyone already should know that these views are mine, not

Ok, with the recent craziness on NANOG about DoS Attacks, spoofed packets,
tracking attacks and other DoS related junk I figured I'd post out a
quicky tracking method that does NOT require hop-by-hop tracking. This
method works will pretty much all spoofed attacks (synfloods/smurfs for

A brief overview of the method would be: "Track the attack from the after
effect of the attack, not the attack itself"

A link to the details, which includes cut/paste router config bits for
Cisco and Juniper routers. I'd include other router vendor cut/paste but I
only had time to figure out the two included... if someone wants to post
proper other configs (verified hopefully) I'll add them in also.


Credit: Credit should go to those listed in the link, UUNET's TAC-Eng
group, UUNET's Net-Sec group, UUNET's Customer Router Security Group, and a few others I have forgotten.

The goal of posting this info out to NANOG is to get other backbone's to
implement this so attacks can be traced in less time and with less effort
by all parties. I can succesfully track an attack across my backbone in
under 2 minutes with this method where the hop-by-hop has taken me over 8
hours in extreme circumstances (as Paul Vixie can attest since he waited
on the call while I did it).

Suggestions for improvement or deletions to these procedures would be
welcome as well.