Security Incidents: Re: DoS attack... what to do?

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Security Incidents mailing list archives

Re: DoS attack... what to do?

From: Jose Nazario <jose () monkey org>
Date: Tue, 4 Jan 2005 19:19:06 -0500 (EST)

On Tue, 4 Jan 2005, Bernie Cosell wrote:

How do you do this?  If the packets coming in have forged source-IP
addresses, how do you trace them backwards?


backtrace via the input and output intreface IDs from the devices the
traffic traverses. if you have well formed characteristic (ie SYN packets
destined to a particular dest and dport) you can trace it that way. follow
it back as far as you can go and, if it crosses operational boundaries,
get some cooperation (in the case of very large events).

cisco does this, arbor does this, etc ...

________
jose nazario, ph.d.                     jose () monkey org
http://monkey.org/~jose/                http://infosecdaily.net/

By Date By Thread

Current thread:

DoS attack... what to do? Nigel Kukard (Jan 04)
- Re: DoS attack... what to do? falcon (Jan 04)
- Re: DoS attack... what to do? Faisal Khan (Jan 04)
- Re: DoS attack... what to do? Mark C (Jan 04)
  - Re: DoS attack... what to do? Bernie Cosell (Jan 04)
    - Re: DoS attack... what to do? Jose Nazario (Jan 05)
- <Possible follow-ups>
- RE: DoS attack... what to do? Shaffer, Bruce (Jan 04)
  - Re: DoS attack... what to do? Steve Friedl (Jan 04)
    - RE: DoS attack... what to do? Craig Skelton (Jan 05)
    - Re: DoS attack... what to do? Alvin Oga (Jan 05)
    - Re: DoS attack... what to do? Valdis . Kletnieks (Jan 07)