
Velocity Reviews > Newsgroups > Computing > Cisco > DoS attack and IP Accounting OverHead.

DoS attack and IP Accounting OverHead.

 
 
Gary
02-28-2004
We are considering running IP Accounting on the handoff to our internal
network to help identify targets of DoS attacks.

1. Is it that simple to spot the target
2. What are the overheads of using this feature in terms of CPU as the
router would already be stressed because of the DoS.

Thanks
Gary


 
Walter Roberson
02-28-2004
In article <0fT%b.13968$TT5.12213@lakeread06>,
Gary <(E-Mail Removed)> wrote:
:We are considering running IP Accounting on the handoff to our internal
:network to help identify targets of DoS attacks.

:1. Is it that simple to spot the target
:2. What are the overheads of using this feature in terms of CPU as the
:router would already be stressed because of the DoS.

What I gather from the discussions of others is that netflow is
more efficient than IP accounting.

How would you get to the IP Accounting data? Were you thinking of
SNMP'ing for it? SNMP can add significantly to the processor load.

What kinds of DoS attacks were you expecting to be able to discover?
It has been awhile since I looked at IP Accounting output, but my
recollection is that IP Accounting is not useful for SYN attacks;
nor do I recall it as being effective in noting attempts to reach
unreachable ports. My recollection is that the data gives you
source and destination IPs, a byte count, and a number of connections.
Failed connections don't contribute anything to the byte count.
IP Accounting also isn't going to be very useful in monitoring
half-open connections that are clogging the tables.

IP Accounting might help you find abnormally large transfers (if
the remote ends are able to send unlimited file sizes to you.) But
a good DoS would mix transfer sizes.

Your PIX's Floodguard and connection limits (the numbers at the
end of the 'static' command) are probably better DoS preventers
than looking at IP Accounting.

If DoS attacks are expected, then you should probably invest in
an IDS of some sort. IDS are outside my experience, so I have no
recommendations at this time.
--
This signature intentionally left... Oh, darn!
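The post above says what IP Accounting hands you per source/destination pair and why that is thin evidence for a SYN flood. As an added illustration (not code from the thread or from Cisco), here is how a defender would answer Gary's first question, "is it that simple to spot the target", from such a table: aggregate the pairs per destination, then look at the packet share, the number of distinct sources, and the average packet size. The input is a constructed sample in the column layout of `show ip accounting` (source, destination, packets, bytes); the addresses are documentation-range placeholders.

```python
"""Rank likely DoS targets from a `show ip accounting`-style table.

Added example; the table below is constructed, not output from any real
router. Assumed column layout: source, destination, packets, bytes.
"""
from collections import defaultdict

# Constructed sample: three small sources hammering 192.0.2.20 with
# tiny packets, plus ordinary traffic to two other internal hosts.
SAMPLE = """\
   Source           Destination              Packets               Bytes
 10.0.0.5         192.0.2.10                   1200             1560000
 198.51.100.7     192.0.2.10                    900             1170000
 203.0.113.9      192.0.2.20                  48000             1920000
 203.0.113.10     192.0.2.20                  51000             2040000
 203.0.113.11     192.0.2.20                  47000             1880000
 198.51.100.8     192.0.2.30                    300              390000
"""


def parse_accounting(text):
    """Return (src, dst, packets, bytes) tuples, skipping header/blank lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # The header row has four words too, but its counters are not digits.
        if len(parts) != 4 or not (parts[2].isdigit() and parts[3].isdigit()):
            continue
        src, dst, pkts, byts = parts
        rows.append((src, dst, int(pkts), int(byts)))
    return rows


def summarize_by_destination(rows):
    """Collapse per-pair counters into per-destination statistics."""
    acc = defaultdict(lambda: {"packets": 0, "bytes": 0, "sources": set()})
    for src, dst, pkts, byts in rows:
        acc[dst]["packets"] += pkts
        acc[dst]["bytes"] += byts
        acc[dst]["sources"].add(src)
    summary = {}
    for dst, s in acc.items():
        summary[dst] = {
            "packets": s["packets"],
            "bytes": s["bytes"],
            "sources": len(s["sources"]),
            # Small average packet size with a high packet count is the
            # classic shape of a flood; bulk transfers look the opposite.
            "avg_pkt_bytes": s["bytes"] / s["packets"],
        }
    return summary


def rank_targets(summary, min_share=0.5):
    """Destinations ordered by packet count, plus those over min_share of all packets."""
    total = sum(v["packets"] for v in summary.values())
    ranked = sorted(summary.items(), key=lambda kv: kv[1]["packets"], reverse=True)
    suspects = [dst for dst, v in ranked if total and v["packets"] / total >= min_share]
    return ranked, suspects


if __name__ == "__main__":
    ranked, suspects = rank_targets(summarize_by_destination(parse_accounting(SAMPLE)))
    for dst, v in ranked:
        print(f"{dst:<14} pkts={v['packets']:>7} srcs={v['sources']:>3} "
              f"avg={v['avg_pkt_bytes']:>7.1f} B")
    print("likely target(s):", ", ".join(suspects))
```

Two caveats follow directly from the post above. The counters only ever reflect packets the router actually forwarded, so a flood of SYNs to a closed port shows up as packets and bytes but nothing tells you they never became connections; and the table has to be read from the router (console or SNMP) while it is already under load, which is the overhead Gary is worried about. A flow export such as NetFlow moves that aggregation off the box, which is why it is the usual recommendation.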
 
Gary
02-28-2004

"Walter Roberson" <(E-Mail Removed)-cnrc.gc.ca> wrote in message
news:c1ovre$qvk$(E-Mail Removed)...
> In article <0fT%b.13968$TT5.12213@lakeread06>,
> Gary <(E-Mail Removed)> wrote:
> :We are considering running IP Accounting on the handoff to our internal
> :network to help identify targets of DoS attacks.
>
> :1. Is it that simple to spot the target
> :2. What are the overheads of using this feature in terms of CPU as the
> :router would already be stressed because of the DoS.
>
> What I gather from the discussions of others is that netflow is
> more efficient than IP accounting.
>
> How would you get to the IP Accounting data? Were you thinking of
> SNMP'ing for it? SNMP can add significantly to the processor load.
>
> What kinds of DoS attacks were you expecting to be able to discover?
> It has been awhile since I looked at IP Accounting output, but my
> recollection is that IP Accounting is not useful for SYN attacks;
> nor do I recall it as being effective in noting attempts to reach
> unreachable ports. My recollection is that the data gives you
> source and destination IPs, a byte count, and a number of connections.
> Failed connections don't contribute anything to the byte count.
> IP Accounting also isn't going to be very useful in monitoring
> half-open connections that are clogging the tables.
>
> IP Accounting might help you find abnormally large transfers (if
> the remote ends are able to send unlimited file sizes to you.) But
> a good DoS would mix transfer sizes.
>
> Your PIX's Floodguard and connection limits (the numbers at the
> end of the 'static' command) are probably better DoS preventers
> than looking at IP Accounting.
>
> If DoS attacks are expected, then you should probably invest in
> an IDS of some sort. IDS are outside my experience, so I have no
> recommendations at this time.
> --
> This signature intentionally left... Oh, darn!


This was a simple DoS attacking one unprotected machine, but we could not
track it as the router was stressed.

I think IP Accounting would have shown us what we needed but may have killed
the router and it is that question I need to know about.

Gary


 
Jeff C
02-28-2004
"Gary" <(E-Mail Removed)> wrote in
news:YRT%b.13970$TT5.8808@lakeread06:

>
> "Walter Roberson" <(E-Mail Removed)-cnrc.gc.ca> wrote in message
> news:c1ovre$qvk$(E-Mail Removed)...
>> In article <0fT%b.13968$TT5.12213@lakeread06>,
>> Gary <(E-Mail Removed)> wrote:
>> :We are considering running IP Accounting on the handoff to our
>> :internal network to help identify targets of DoS attacks.
>>
>> :1. Is it that simple to spot the target
>> :2. What are the overheads of using this feature in terms of CPU
>> :as the router would already be stressed because of the DoS.
>>
>> What I gather from the discussions of others is that netflow is
>> more efficient than IP accounting.
>>
>> How would you get to the IP Accounting data? Were you thinking of
>> SNMP'ing for it? SNMP can add significantly to the processor load.
>>

>
> This was a simple DoS attacking one unprotected machine, but we could
> not track it as the router was stressed.
>
> I think IP Accounting would have shown us what we needed but may have
> killed the router and it is that question I need to know about.
>
> Gary
>


Yes you can push a router to unresponsiveness with ip accounting. I don't
have any particulars about how much of a CPU hit it takes to run, sorry.
If you know the server that the DoS attack was centered on you may try
limiting source IPs and destination ports that are able to connect to it.

-Jeff C
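Jeff's suggestion of limiting which sources and destination ports can reach the affected server is an IOS extended ACL on the handoff interface. The configuration below is an added example, not from the thread; the server address 192.0.2.20, the management host 10.0.0.5, the interface name and the permitted ports are all placeholders chosen for illustration.

```cisco
! Added example. Hypothetical: 192.0.2.20 is the server that was hit,
! 10.0.0.5 is an internal management host, FastEthernet0/0 is the handoff.
ip access-list extended PROTECT-SERVER
 remark management host keeps full access
 permit ip host 10.0.0.5 host 192.0.2.20
 remark public services only (placeholder ports: HTTP and HTTPS)
 permit tcp any host 192.0.2.20 eq 80
 permit tcp any host 192.0.2.20 eq 443
 remark everything else aimed at the server is dropped
 deny ip any host 192.0.2.20
 remark traffic to other internal hosts is untouched
 permit ip any any
!
interface FastEthernet0/0
 description handoff to internal network
 ip access-group PROTECT-SERVER in
```

The `deny` line deliberately carries no `log` keyword: logged ACL matches are process-switched, and during a flood that would add exactly the CPU load this thread is trying to avoid. The hit counters shown by `show access-lists` still tell you how much traffic the deny entry is absorbing, at no extra cost.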
 
Gary
02-28-2004

"Jeff C" <(E-Mail Removed)> wrote in message
news:c7V%b.5916$Zp.4359@fed1read07...
> "Gary" <(E-Mail Removed)> wrote in
> news:YRT%b.13970$TT5.8808@lakeread06:
>
> >
> > "Walter Roberson" <(E-Mail Removed)-cnrc.gc.ca> wrote in message
> > news:c1ovre$qvk$(E-Mail Removed)...
> >> In article <0fT%b.13968$TT5.12213@lakeread06>,
> >> Gary <(E-Mail Removed)> wrote:
> >> :We are considering running IP Accounting on the handoff to our
> >> :internal network to help identify targets of DoS attacks.
> >>
> >> :1. Is it that simple to spot the target
> >> :2. What are the overheads of using this feature in terms of CPU
> >> :as the router would already be stressed because of the DoS.
> >>
> >> What I gather from the discussions of others is that netflow is
> >> more efficient than IP accounting.
> >>
> >> How would you get to the IP Accounting data? Were you thinking of
> >> SNMP'ing for it? SNMP can add significantly to the processor load.
> >>

> >
> > This was a simple DoS attacking one unprotected machine, but we could
> > not track it as the router was stressed.
> >
> > I think IP Accounting would have shown us what we needed but may have
> > killed the router and it is that question I need to know about.
> >
> > Gary
> >

>
> Yes you can push a router to unresponsiveness with ip accounting. I don't
> have any particulars about how much of a CPU hit it takes to run, sorry.
> If you know the server that the DoS attack was centered on you may try
> limiting source IPs and destination ports that are able to connect to it.
>
> -Jeff C


What about netflow - Would capturing this type of data for analysis help
with DDoS's without helping to kill the router ?

Gary


 