RE: DDoS attack.

From: Boyan Krosnov (bkrosnovat_private)
Date: Fri Jan 25 2002 - 13:15:01 PST

Next message: dlaumannat_private: "RE: Strings of 'EEEE' in pings..."

Previous message: John Campbell: "Re: port 22224?? What the heck"
Maybe in reply to: Daniel F. Chief Security Engineer -: "DDoS attack."
Next in thread: Bugtraq Mailing Lists: "Re: DDoS attack."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> -----Original Message-----
> From: Glenn Forbes Fleming Larratt [mailto:glrattat_private]
> Sent: Friday, January 25, 2002 9:05 PM
> To: Daniel F. Chief Security Engineer -
> Cc: incidentsat_private
> Subject: Re: DDoS attack. 
> 
> 
> A "tcpdump -ner" will show you the MAC address or addresses 
> your tcpdump
> host sees for this traffic. That address or addresses will 
> either belong
> to the source host, or a core router through which it came.
> 
> If it's a router, you'll need to trace back to which network on the
> other side of it, and iterate as necessary. A portable tcpdump host
> would come in handy to do so.
Other handy tools are the switched port analiser (SPAN) feature(cisco)
or port/vlan mirroring (other vendors) of managable switches. If these
are not avalable $20 ethernet hubs help a lot :)
Also any graphical statistics like mrtg on routers or managable switches
ports do help in tracing a DoS of more than 1500 packets/second.
About the tcpdump, if the attack comes and goes it helps to write the
first say 100 bytes of each packet to a file, so that you can review
what has traversed the path you are monitoring later. like tcpdump -w
<filename> -s 100 <expr>. And it is not a big problem with today's cheap
hard disks.

> If it's a Cisco router, you might look into deploying the 
> per-interface
> command "ip verify unicast reverse-path" (I think - I may 
> have misremembered
> the syntax), which automatically prevents spoofing beyond the scope of
> the LAN segment. Check this command out at www.cisco.com .
the sintax is correct,
the command requires cef to be running on the interface on which you
enable it, which may not be possible with some old routers and software.
It limits the scope of spoofing to some degree, but I've seen bad people
come around it by changing the source address only inside the range of
the permitted hosts.

Regards,
Boyan

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: dlaumannat_private: "RE: Strings of 'EEEE' in pings..."
Previous message: John Campbell: "Re: port 22224?? What the heck"
Maybe in reply to: Daniel F. Chief Security Engineer -: "DDoS attack."
Next in thread: Bugtraq Mailing Lists: "Re: DDoS attack."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Jan 25 2002 - 14:04:34 PST