(assuming access-lists are configured, a simple permit any any works for this even, but specific networks or higher layer traffic you want to match works better)
show access-lists (look at the number of matches increasing)
show interface (look at load x/255, 30 second input rate x bits/sec, x packets/sec)
show interface stats
show interface switching
show interface accounting
(assuming you have netflow configured)
show ip cache flow

You could use about a billion other things to detect DoS attacks (even with Cisco routers). You might be able to get some of the information above via SNMP. You could graph it with mrtg/rrdtool/cricket/flowscan (caida) or even commercial tools like CiscoWorks IPM, HPOV NNM, Concord eHealth, and about a billion other tools.

It is generally recommended that you capture all traffic with a sniffer, if at all possible. There are a few free tools and commercial products in this category as well; popular ones include tcpdump, snoop, ethereal, and SnifferPro.

I think that NetFlow is a good way to detect DoS attacks, especially if you graph it. Because NetFlow (or sFlow, or NeTraMet, etc and also probably RMON and IP accounting) gets a lot of the packet sizes, protocol distributions, prefix and interface traffic statistics for src/dst pairs (aka flow), etc etc... it is really obvious right away what type of attack you are getting, etc. However, sometimes it's not perfect, so having a complete dump of the traffic on your network via a sniffer is really ideal. Working with sniffer data and graphing it in real time is more complex than using NetFlow or similar technology, but that's really up to you to decide what you want to do.

Matches on access-lists seem to be a very popular way of dealing with detecting if a DoS attack occurred (but this is generally after the fact).

Having a good combination of all of the above wouldn't hurt either. It really depends on the problem you are trying to solve and the resources you know / have available / etc.
Are you trying to detect DoS attacks real-time? Are you trying to track down who is sending the packets to you? Are you trying to identify the attacks so you can come up with ways to prevent them?

Most important would be a written policy and procedure for dealing with DoS attacks coming into and outside of your network. Then, spec out the technology to fit your requirements.

Good luck.

-dre

"suaveguru" wrote in message news:[EMAIL PROTECTED]...
> hi all
>
> anyone knows if there are any tools to detect DOS
> attack on network other than turning on ip accounting
> at the routers because ip accounting utilises very
> much CPU resources on the router
>
> any inputs will be greatly appreciated
>
> regards
>
> suaveguru

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=16211&t=16211
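
Added example, not part of the original post: the "look at the number of matches increasing" check from the reply, done by diffing two "show access-lists" snapshots and turning the counters into a per-entry match rate. The function names, the 30-second poll interval, the 1000 matches/sec threshold and both snapshots are assumptions constructed for illustration.

```python
import re

# Header and entry lines as printed by "show access-lists", e.g.
#     10 permit icmp any any (1520 matches)
ACL_RE = re.compile(r"^(?:Standard|Extended) IP access list (\S+)")
ACE_RE = re.compile(r"^\s+(?:\d+\s+)?((?:permit|deny)\s.+?)\s+\((\d+) match(?:es)?\)\s*$")

# Constructed sample output, captured 30 seconds apart (not real router data).
SNAP_T0 = """\
Extended IP access list 101
    10 permit icmp any any (1520 matches)
    20 permit tcp any any eq www (402117 matches)
    30 permit ip any any (9921 matches)
"""
SNAP_T30 = """\
Extended IP access list 101
    10 permit icmp any any (361520 matches)
    20 permit tcp any any eq www (405117 matches)
    30 permit ip any any (9951 matches)
"""

def parse_acl_counters(text):
    """Return {(acl_name, entry_text): match_count}; entries with no counter are skipped."""
    counters, acl = {}, None
    for line in text.splitlines():
        m = ACL_RE.match(line)
        if m:
            acl = m.group(1)
            continue
        m = ACE_RE.match(line)
        if m and acl is not None:
            counters[(acl, m.group(1))] = int(m.group(2))
    return counters

def match_rates(before, after, interval_s):
    """Matches per second for each entry between two snapshots interval_s apart."""
    old, new = parse_acl_counters(before), parse_acl_counters(after)
    rates = {}
    for key, count in new.items():
        delta = count - old.get(key, 0)
        if delta < 0:  # counters were cleared between the two polls
            delta = count
        rates[key] = delta / interval_s
    return rates

def suspicious(rates, threshold_pps):
    """Entries whose match rate meets or exceeds the (assumed) threshold."""
    return sorted(k for k, r in rates.items() if r >= threshold_pps)
```

With the constructed snapshots, suspicious(match_rates(SNAP_T0, SNAP_T30, 30), 1000) singles out the ICMP entry, which is the kind of protocol-level hint the reply says specific access-list entries give over a plain permit any any.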

