> The Sniffer and other tools like it are meant to drink from a fire hose.
> So, is it far fetched to analyze a dozen or more OC-12's other than from a
> router?? No. In fact carriers should embrace a different approach to
> further understand and analyze their backbone. Analyzers with filters
You want to put a box like this to analyze a dozen OC-12c(s)? I know that
the sales people for boxes like this right now are really hurting for
business but give us a break.
A break is exactly what everyone is getting right now; but not what you
mean. Look at
telecom stocks and valuations g
>
> Even though you are asking this question with regard to what can
> be done on the router itself, it's worth mentioning, if only for
> the archives, a non-router approach to the problem...especially if
> you are an enterprise network manager. It's even worth
> mentioning despite the fact that
I can send you screenshots of our tool if you are interested.
-Original Message-
From: Andre Chapuis [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 16, 2002 9:12 AM
To: [EMAIL PROTECTED]
Subject: Identifying DoS-attacked IP address(es)
Hi,
How do you identify a DoS-attacked IP
On Mon, 16 Dec 2002, Feger, James wrote:
>
> AT&T also does the basics. ACL's, null routes, tracking back to ingress.
as does sprint and C&W. MFN can sometimes help, depends on who you talk to
as I recall, and Verio is quick to fix problems... L3 had some problems in
the past, my last experien
't the only protocol analysis tool. Shop around if
a non-router approach interests you.
-Original Message-
From: Andre Chapuis [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 16, 2002 9:12 AM
To: [EMAIL PROTECTED]
Subject: Identifying DoS-attacked IP address(es)
Hi,
How do
AT&T also does the basics. ACL's, null routes, tracking back to ingress.
-james
On Mon, 16 Dec 2002, James-lists wrote:
>
> > I'm sure you can look in the archives of this list for
> messages from me
> > about this very thing... :) In short: "Every ISP should
> have 24/7 security
> > support
At 09:17 PM 12/16/2002 +, Christopher L. Morrow wrote:
On Mon, 16 Dec 2002, Livio Ricciulli wrote:
> FYI, we developed a system that sniffs FE,GE,DS3,OC3-48 POS and creates
> a model using the cross-product of:
> 1) source/destination address distributions
> 2) packet rate
> 3) protocol
Bu
> I'm sure you can look in the archives of this list for
messages from me
> about this very thing... :) In short: "Every ISP should
have 24/7 security
> support for customers under attack." That support should
include, acls,
> null routes, tracking the attack to the ingress. Rarely do
rate-limits
On Mon, 16 Dec 2002 21:17:07 GMT, "Christopher L. Morrow" said:
> On Mon, 16 Dec 2002, Livio Ricciulli wrote:
>> FYI, we developed a system that sniffs FE,GE,DS3,OC3-48 POS and creates
>> a model using the cross-product of:
>> 1) source/destination address distributions
>> 2) packet rate
>> 3) prot
On Mon, 16 Dec 2002, James-lists wrote:
>
> I am wondering how much help backbone providers give in
> identifying sources of a DoS and deciding what ACL's or
> rate-limits need to be placed to bring a DoS under control,
I'm sure you can look in the archives of this list for messages from me
abo
I am wondering how much help backbone providers give in
identifying sources of a DoS and deciding what ACL's or
rate-limits need to be placed to bring a DoS under control,
for their downstream clients. (Assuming it is their
downstream clients that are being DoS'ed).
I realize this will vary from p
December 16, 2002 9:38 AM
> To: Andre Chapuis
> Cc: Christopher L. Morrow; [EMAIL PROTECTED]
> Subject: Re: Identifying DoS-attacked IP address(es)
>
>
> Sampled netflow, or look at the traceback stuff in later
> IOS 12.0S versions. Avoid filter lists as the GSR engine cards
> have a statically limited number of entries.
>
> Regards,
> Neil.
>
On Mon, 16 Dec 2002, Neil J. McRae wrote:
> > if something is being attacked it'll show in the 'statically limited'
> > listing, trust me... this is how we do it all day, every day...
>
> Yes as have we, however you run out of memory/list entries
> quickly and when that happens CEF gets disabled
-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
Neil J. McRae
Sent: Monday, December 16, 2002 9:38 AM
To: Andre Chapuis
Cc: Christopher L. Morrow; [EMAIL PROTECTED]
Subject: Re: Identifying DoS-attacked IP address(es)
Sampled netflow, or look at the traceback stuff in later
IOS
> if something is being attacked it'll show in the 'statically limited'
> listing, trust me... this is how we do it all day, every day...
Yes as have we, however you run out of memory/list entries
quickly and when that happens CEF gets disabled and it gets pretty ugly.
This is more an issue for en
On Mon, 16 Dec 2002, Neil J. McRae wrote:
> Sampled netflow, or look at the traceback stuff in later
> IOS 12.0S versions. Avoid filter lists as the GSR engine cards
> have a statically limited number of entries.
>
if something is being attacked it'll show in the 'statically limited'
listing,
Sampled netflow, or look at the traceback stuff in later
IOS 12.0S versions. Avoid filter lists as the GSR engine cards
have a statically limited number of entries.
Regards,
Neil.
On Mon, 16 Dec 2002, Andre Chapuis wrote:
> Chris,
> I often see the input-interface load is 100%.
> André
Ok, check the link Barry sent, there is some good info there... Input from
the customer is 100%? If this is the case the customer can tell you what
is being attacked, no? :)
Alternately,
Chris,
I often see the input-interface load is 100%.
André
At 16:35 16.12.2002 +, Christopher L. Morrow wrote:
>On Mon, 16 Dec 2002, Andre Chapuis wrote:
>
>>
>> Hi,
>> How do you identify a DoS-attacked IP address(es) on your ingress border router,
>assuming the latter is a Cisco 12000 ? I
On Mon, 16 Dec 2002, Andre Chapuis wrote:
>
> Hi,
> How do you identify a DoS-attacked IP address(es) on your ingress border router,
>assuming the latter is a Cisco 12000 ? I used to use ip accounting but they removed
>it from the S-code.
What info do you have when you are trying to accomplis
Check out the following:
ftp://ftp-eng.cisco.com/cons/isp/security/
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf
Of
> Andre Chapuis
> Sent: Monday, December 16, 2002 6:12 AM
> To: [EMAIL PROTECTED]
> Subject: Identifying DoS-a
Hi,
How do you identify a DoS-attacked IP address(es) on your ingress border router,
assuming the latter is a Cisco 12000 ? I used to use ip accounting but they removed it
from the S-code.
Thanks,
André
-
Andre Chapuis
IP+ Engineering
Swisscom Ltd
Genfergasse 14
3050 Bern
+