How to find Source IP of DOS attack source

Hello Experts,

How we can find IP address of DOS Attack source ?

I know DOS attack prevention mechanisms like CAR, CoPP, IP Source Tracker, URPF, Blocking RFC1918 address using ACL, RTBHF, IP options drop (in high end platforms), TCP intercept.

Consider DOS attack is going on here and I know the ip address of target host.

But what I am trying to do is to find source ip of DOS attack and complile acl to block it manually. Kindly let me know how I can figure out those IPs on cisco router.

 

Thanks!

Comments

  • Hi Deepak,

     

    I can't think of a tailor-made command that would work in your case but I believe the following set of actions would ensure that you achieve the same:

    1. As an example, assume that 10.1.1.1 is the server that is being attacked

    2. Make the following access-list:

                      permit ip any host 10.1.1.1 log

                      permit ip any any

    3. Apply this access-list inbound on the ingress interface or outbound on the egress interface

    4. Now it would log entries for the traffic that matches our access-list rule, thus showing us both the source and destination of the DoS attach packets

     

    For more information on access-list logs, refer to the following link:

    http://www.cisco.com/web/about/security/intelligence/acl-logging.html

     

    Thanks.

  • I would use Netflow to find out source/sources and after use ACL without log (to improve performance) and drop those sources. It all depends on what king of DoS attack you are facing, cause if it is a legitim one (at application level) you're mostly blind with a router, you need something to inspect at application level, such as a balancer and configure inpsection/drop rules in there.

    Good luck!

  • I would use netflow, IP source tracker and IP accounting.

     

    With regards

    Kings

  • how to find ddos attack

  • how to find ddos attack

     

    I guess all of the above methods would also help in finding a DDoS attack.

     

    Thank you!

Sign In or Register to comment.