RE: DDoS attack.

From: Boyan Krosnov (bkrosnovat_private)
Date: Fri Jan 25 2002 - 13:15:01 PST


> -----Original Message-----
> From: Glenn Forbes Fleming Larratt [mailto:glrattat_private]
> Sent: Friday, January 25, 2002 9:05 PM
> To: Daniel F. Chief Security Engineer -
> Cc: incidentsat_private
> Subject: Re: DDoS attack.
>
>
> A "tcpdump -ner" will show you the MAC address or addresses your tcpdump
> host sees for this traffic. That address or addresses will either belong
> to the source host, or a core router through which it came.
>
> If it's a router, you'll need to trace back to which network on the
> other side of it, and iterate as necessary. A portable tcpdump host
> would come in handy to do so.
Other handy tools are the switched port analyser (SPAN) feature (Cisco)
or port/VLAN mirroring (other vendors) of manageable switches. If these
are not available, $20 ethernet hubs help a lot :)
Also any graphical statistics like MRTG on routers or manageable switch
ports do help in tracing a DoS of more than 1500 packets/second.
About the tcpdump: if the attack comes and goes, it helps to write the
first, say, 100 bytes of each packet to a file, so that you can review
later what has traversed the path you are monitoring, like tcpdump -w
<filename> -s 100 <expr>. And it is not a big problem with today's cheap
hard disks.
    
> If it's a Cisco router, you might look into deploying the per-interface
> command "ip verify unicast reverse-path" (I think - I may have misremembered
> the syntax), which automatically prevents spoofing beyond the scope of
> the LAN segment. Check this command out at www.cisco.com .
The syntax is correct.
The command requires CEF to be running on the interface on which you
enable it, which may not be possible with some old routers and software.
It limits the scope of spoofing to some degree, but I've seen bad people
get around it by changing the source address only inside the range of
the permitted hosts.

Regards,
Boyan
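The two threads of advice above (read the capture by source MAC to tell a directly attached host from an upstream router, and treat strict uRPF as bounding rather than eliminating spoofing) can be checked offline against a saved capture. The script below is an added example, not code from the original post or from either author: it builds a small libpcap file in memory (constructed sample frames, `-s 100`-style truncation), tallies packets per source MAC and source IP the way one would read `tcpdump -ner` output, estimates packets per second from the timestamps, and then evaluates each source against a strict reverse-path check for an assumed ingress prefix (`192.0.2.0/24`, documentation space). The router MAC, the source addresses and the prefix are all invented for the example.

```python
"""Added example (not from the original post): summarize a pcap by source
MAC / source IP and test each source against strict uRPF on an assumed
ingress prefix.  Standard library only; the capture is constructed inline."""

import struct
import ipaddress
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4  # libpcap magic number, microsecond timestamps
SNAPLEN = 100            # mirrors "tcpdump -s 100" from the thread


def build_pcap(packets):
    """Build a minimal libpcap file (link type 1 = Ethernet) from
    (timestamp_microseconds, frame_bytes) tuples, truncating to SNAPLEN."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, SNAPLEN, 1)
    for ts_us, frame in packets:
        frame = frame[:SNAPLEN]
        sec, usec = divmod(ts_us, 1_000_000)
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def build_frame(src_mac, dst_mac, src_ip, dst_ip):
    """Ethernet II header + bare IPv4 header (no payload); constructed data."""
    eth = (bytes.fromhex(dst_mac.replace(":", ""))
           + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src_ip).packed,
                     ipaddress.IPv4Address(dst_ip).packed)
    return eth + ip


def parse_pcap(data):
    """Yield (timestamp_seconds, src_mac, src_ip) for each Ethernet/IPv4 frame."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic")
    offset = 24  # skip the global header
    while offset + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, offset)
        offset += 16
        frame = data[offset:offset + incl_len]
        offset += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4, or snapped before the IP header ended
        src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
        src_ip = str(ipaddress.IPv4Address(frame[26:30]))
        yield sec + usec / 1_000_000, src_mac, src_ip


def summarize(data):
    """Count packets per (src_mac, src_ip) and estimate the overall rate.
    One MAC fronting many source IPs is the 'core router' case in the thread;
    a MAC per source IP means the hosts are on the local segment."""
    counts = Counter()
    times = []
    for ts, mac, ip in parse_pcap(data):
        counts[(mac, ip)] += 1
        times.append(ts)
    span = max(times) - min(times) if len(times) > 1 else 0.0
    pps = len(times) / span if span > 0 else float(len(times))
    return counts, pps


def strict_urpf_drops(src_ip, ingress_prefix):
    """True if strict uRPF on an interface whose only route is ingress_prefix
    would drop src_ip.  Sources inside the prefix pass unchallenged, which is
    exactly the remaining gap the reply points out."""
    return ipaddress.IPv4Address(src_ip) not in ipaddress.IPv4Network(ingress_prefix)


# Constructed sample: one upstream router MAC in front of three source IPs,
# one of them outside the customer prefix and two inside it.
ROUTER_MAC = "00:11:22:33:44:55"      # invented
MONITOR_MAC = "aa:bb:cc:dd:ee:ff"     # invented
INGRESS_PREFIX = "192.0.2.0/24"       # assumed prefix behind the ingress interface
SAMPLE_PCAP = build_pcap([
    (1_000_000_000, build_frame(ROUTER_MAC, MONITOR_MAC, "192.0.2.10", "203.0.113.5")),
    (1_000_001_000, build_frame(ROUTER_MAC, MONITOR_MAC, "198.51.100.7", "203.0.113.5")),
    (1_000_002_000, build_frame(ROUTER_MAC, MONITOR_MAC, "192.0.2.10", "203.0.113.5")),
    (1_000_004_000, build_frame(ROUTER_MAC, MONITOR_MAC, "192.0.2.77", "203.0.113.5")),
])

if __name__ == "__main__":
    counts, pps = summarize(SAMPLE_PCAP)
    for (mac, ip), n in counts.most_common():
        verdict = "dropped" if strict_urpf_drops(ip, INGRESS_PREFIX) else "passes"
        print(f"{mac} {ip:<15} {n:>3} pkts  strict uRPF: {verdict}")
    print(f"overall rate: {pps:.0f} pps")
```

Pointed at a real file written with `tcpdump -w <filename> -s 100`, only `parse_pcap` and `summarize` are needed; the builders exist so the example runs without a capture. The output shows why the thread treats uRPF as a partial control: the source outside the prefix is dropped, but the two sources inside it are indistinguishable from legitimate traffic at this layer, so tracing still has to continue one hop upstream.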
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Fri Jan 25 2002 - 14:04:34 PST