On Tue, 30 Jul 2002 [EMAIL PROTECTED] wrote:
> That's the obvious solution to the problem if the problem is how to track
> down the source(s) of a DoS attack. However, in any DoS attack, there is
> always a victim and one or more devices sending attack traffic to the
> victim. The owners of the attacking devices are accessories to the crime
> although I'm sure they could plead ignorance and avoid any liability. But
> what if they could not plead ignorance? What if we could identify some of
> the attacking devices, and what if the victim sent a legal "cease and
> desist" letter to the owners of the attacking devices? Now, the victim is
> in a position to sue the owners of these attacking devices if they don't
> fix the problem by securing their machines. And once this happens and gets
> some press coverage, a whole bunch of other machine owners will wake up
> and realize that they could be stuck with big legal bills if they don't
> secure their machines.
>
> So, to restate the problem, how do we identify some of the sources of a
> DoS attack quickly, maybe even while the attack is still in progress?

Not a complete solution but a start:

IP Source Tracker:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s21/ipst.htm

Available as of 12.0(22)S for 7500 and 12000 series Cisco routers.

-Hank
