DoS attack and IP Accounting overhead

Discussion in 'Cisco' started by Gary, Feb 28, 2004.

  1. Gary

    Gary Guest

    We are considering running IP Accounting on the handoff to our internal
    network to help identify targets of DoS attacks.

    1. Is it that simple to spot the target
    2. What are the overheads of using this feature in terms of CPU as the
    router would already be stressed because of the DoS.

    Thanks
    Gary
     
    Gary, Feb 28, 2004
    #1

  2. In article <0fT%b.13968$TT5.12213@lakeread06>,
    Gary <> wrote:
    :We are considering running IP Accounting on the handoff to our internal
    :network to help identify targets of DoS attacks.

    :1. Is it that simple to spot the target
    :2. What are the overheads of using this feature in terms of CPU as the
    :router would already be stressed because of the DoS.

    What I gather from the discussions of others is that netflow is
    more efficient than IP accounting.

    How would you get to the IP Accounting data? Were you thinking of
    SNMP'ing for it? SNMP can add significantly to the processor load.

    What kinds of DoS attacks were you expecting to be able to discover?
    It has been awhile since I looked at IP Accounting output, but my
    recollection is that IP Accounting is not useful for SYN attacks;
    nor do I recall it as being effective in noting attempts to reach
    unreachable ports. My recollection is that the data gives you
    source and destination IPs, a byte count, and a number of connections.
    Failed connections don't contribute anything to the byte count.
    IP Accounting also isn't going to be very useful in monitoring
    half-open connections that are clogging the tables.

    IP Accounting might help you find abnormally large transfers (if
    the remote ends are able to send unlimited file sizes to you.) But
    a good DoS would mix transfer sizes.

    Your PIX's Floodguard and connection limits (the numbers at the
    end of the 'static' command) are probably better DoS preventers
    than looking at IP Accounting.

    If DoS attacks are expected, then you should probably invest in
    an IDS of some sort. IDS are outside my experience, so I have no
    recommendations at this time.
    --
    This signature intentionally left... Oh, darn!
     
    Walter Roberson, Feb 28, 2004
    #2
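The fields Walter describes (source, destination, byte count, plus the packet count the IOS table also prints) are enough to rank destinations and see who a flood is aimed at. The script below is an added example, not code from anyone in this thread: it parses a `show ip accounting` table and aggregates it per destination. It assumes IP accounting was enabled on the inside-facing interface with `ip accounting output-packets` and the table was pulled with `show ip accounting`; the sample table is constructed with RFC 5737 documentation addresses and is not real data. Average packet size is computed alongside bytes because a flood of minimal packets shows up as a packet count, not a byte count.

```python
"""Added example (not from the thread): aggregate `show ip accounting`
output so the destination a flood is aimed at stands out.

Assumes IP accounting is enabled on the inside-facing interface with
`ip accounting output-packets` and the table was copied from `show ip
accounting`.  The sample table below is constructed with RFC 5737
documentation addresses, laid out like the IOS output; it is not real data."""
import re
from collections import defaultdict

# One data row of the IOS table: source, destination, packets, bytes.
# The column header and the "Accounting data age is N" trailer do not match.
ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\d+)\s*$"
)

# Constructed sample: three outside hosts sending 40-byte packets to 192.0.2.10
# (a flood of minimal packets), beside two ordinary transfers.
SAMPLE = """\
   Source           Destination              Packets               Bytes
 203.0.113.5       192.0.2.10                  48210             1928400
 203.0.113.9       192.0.2.10                  51877             2075080
 203.0.113.23      192.0.2.10                  47304             1892160
 198.51.100.7      192.0.2.20                   1203             1547220
 198.51.100.8      192.0.2.25                     44                6120
 Accounting data age is 12
"""


def parse_ip_accounting(text):
    """Return one dict per (source, destination) pair in the table."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append({"src": m.group(1), "dst": m.group(2),
                         "pkts": int(m.group(3)), "bytes": int(m.group(4))})
    return rows


def rank_targets(rows):
    """Per destination: packets, bytes, distinct sources and average packet size,
    most packets first.  Byte counts alone favour big transfers; a flood of
    minimal packets shows up as a high packet count with a tiny average size."""
    agg = defaultdict(lambda: {"pkts": 0, "bytes": 0, "srcs": set()})
    for r in rows:
        a = agg[r["dst"]]
        a["pkts"] += r["pkts"]
        a["bytes"] += r["bytes"]
        a["srcs"].add(r["src"])
    ranked = [{"dst": dst, "pkts": a["pkts"], "bytes": a["bytes"],
               "sources": len(a["srcs"]), "avg_pkt": a["bytes"] / a["pkts"]}
              for dst, a in agg.items()]
    return sorted(ranked, key=lambda x: x["pkts"], reverse=True)


def top_sources(rows, dst):
    """(source, packets) pairs feeding one destination, busiest first; this is
    the list you would turn into a filter or hand to the upstream provider."""
    per_src = defaultdict(int)
    for r in rows:
        if r["dst"] == dst:
            per_src[r["src"]] += r["pkts"]
    return sorted(per_src.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    rows = parse_ip_accounting(SAMPLE)
    for t in rank_targets(rows):
        print("%-15s pkts=%-8d bytes=%-9d sources=%-3d avg_pkt=%.0f"
              % (t["dst"], t["pkts"], t["bytes"], t["sources"], t["avg_pkt"]))
    print("top sources for 192.0.2.10: %s" % top_sources(rows, "192.0.2.10")[:3])
```

Two cautions when using this for real: the counters are cumulative, so take two snapshots with `clear ip accounting` in between if you want rates rather than totals, and the table size is capped by `ip accounting-threshold`, so pairs beyond the cap are not recorded and you need to pull the data before the table fills.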

  3. Gary

    Gary Guest

    "Walter Roberson" <-cnrc.gc.ca> wrote in message
    news:c1ovre$qvk$...
    > In article <0fT%b.13968$TT5.12213@lakeread06>,
    > Gary <> wrote:
    > :We are considering running IP Accounting on the handoff to our internal
    > :network to help identify targets of DoS attacks.
    >
    > :1. Is it that simple to spot the target
    > :2. What are the overheads of using this feature in terms of CPU as the
    > :router would already be stressed because of the DoS.
    >
    > What I gather from the discussions of others is that netflow is
    > more efficient than IP accounting.
    >
    > How would you get to the IP Accounting data? Were you thinking of
    > SNMP'ing for it? SNMP can add significantly to the processor load.
    >
    > What kinds of DoS attacks were you expecting to be able to discover?
    > It has been awhile since I looked at IP Accounting output, but my
    > recollection is that IP Accounting is not useful for SYN attacks;
    > nor do I recall it as being effective in noting attempts to reach
    > unreachable ports. My recollection is that the data gives you
    > source and destination IPs, a byte count, and a number of connections.
    > Failed connections don't contribute anything to the byte count.
    > IP Accounting also isn't going to be very useful in monitoring
    > half-open connections that are clogging the tables.
    >
    > IP Accounting might help you find abnormally large transfers (if
    > the remote ends are able to send unlimited file sizes to you.) But
    > a good DoS would mix transfer sizes.
    >
    > Your PIX's Floodguard and connection limits (the numbers at the
    > end of the 'static' command) are probably better DoS preventers
    > than looking at IP Accounting.
    >
    > If DoS attacks are expected, then you should probably invest in
    > an IDS of some sort. IDS are outside my experience, so I have no
    > recommendations at this time.
    > --
    > This signature intentionally left... Oh, darn!


    This was a simple DoS attacking one unprotected machine, but we could not
    track it as the router was stressed.

    I think IP Accounting would have shown us what we needed but may have killed
    the router and it is that question I need to know about.

    Gary
     
    Gary, Feb 28, 2004
    #3
  4. Jeff C

    Jeff C Guest

    "Gary" <> wrote in
    news:YRT%b.13970$TT5.8808@lakeread06:

    >
    > "Walter Roberson" <-cnrc.gc.ca> wrote in message
    > news:c1ovre$qvk$...
    >> In article <0fT%b.13968$TT5.12213@lakeread06>,
    >> Gary <> wrote:
    >> :We are considering running IP Accounting on the handoff to our
    >> :internal network to help identify targets of DoS attacks.
    >>
    >> :1. Is it that simple to spot the target
    >> :2. What are the overheads of using this feature in terms of CPU
    >> :as the router would already be stressed because of the DoS.
    >>
    >> What I gather from the discussions of others is that netflow is
    >> more efficient than IP accounting.
    >>
    >> How would you get to the IP Accounting data? Were you thinking of
    >> SNMP'ing for it? SNMP can add significantly to the processor load.
    >>

    >
    > This was a simple DoS attacking one unprotected machine, but we could
    > not track it as the router was stressed.
    >
    > I think IP Accounting would have shown us what we needed but may have
    > killed the router and it is that question I need to know about.
    >
    > Gary
    >


    Yes you can push a router to unresponsiveness with ip accounting. I don't
    have any particulars about how much of a CPU hit it takes to run, sorry.
    If you know the server that the DoS attack was centered on you may try
    limiting source IPs and destination ports that are able to connect to it.

    -Jeff C
     
    Jeff C, Feb 28, 2004
    #4
  5. Gary

    Gary Guest

    "Jeff C" <> wrote in message
    news:c7V%b.5916$Zp.4359@fed1read07...
    > "Gary" <> wrote in
    > news:YRT%b.13970$TT5.8808@lakeread06:
    >
    > >
    > > "Walter Roberson" <-cnrc.gc.ca> wrote in message
    > > news:c1ovre$qvk$...
    > >> In article <0fT%b.13968$TT5.12213@lakeread06>,
    > >> Gary <> wrote:
    > >> :We are considering running IP Accounting on the handoff to our
    > >> :internal network to help identify targets of DoS attacks.
    > >>
    > >> :1. Is it that simple to spot the target
    > >> :2. What are the overheads of using this feature in terms of CPU
    > >> :as the router would already be stressed because of the DoS.
    > >>
    > >> What I gather from the discussions of others is that netflow is
    > >> more efficient than IP accounting.
    > >>
    > >> How would you get to the IP Accounting data? Were you thinking of
    > >> SNMP'ing for it? SNMP can add significantly to the processor load.
    > >>

    > >
    > > This was a simple DoS attacking one unprotected machine, but we could
    > > not track it as the router was stressed.
    > >
    > > I think IP Accounting would have shown us what we needed but may have
    > > killed the router and it is that question I need to know about.
    > >
    > > Gary
    > >

    >
    > Yes you can push a router to unresponsiveness with ip accounting. I don't
    > have any particulars about how much of a CPU hit it takes to run, sorry.
    > If you know the server that the DoS attack was centered on you may try
    > limiting source IPs and destination ports that are able to connect to it.
    >
    > -Jeff C


    What about NetFlow? Would capturing this type of data for analysis help
    with DDoSes without helping to kill the router?

    Gary
     
    Gary, Feb 28, 2004
    #5
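The usual way to get the NetFlow data off a stressed router is to export it: the router only builds flow records and sends them to a collector over UDP, and the aggregation happens on the collector. The script below is an added example, not code from anyone in this thread or from Cisco: it decodes NetFlow v5 export datagrams and ranks destinations by flow count, which is what makes a SYN flood (many one-packet flows from many sources) stand out from a large legitimate transfer. It assumes the router is configured with `ip route-cache flow` on the inside interface and `ip flow-export version 5` plus `ip flow-export destination <collector> <port>`; the flows in it are constructed with RFC 5737 documentation addresses and are not captured traffic.

```python
"""Added example (not from the thread): decode NetFlow v5 export datagrams
on a collector and rank destinations by flow count, so a flood aimed at one
host stands out while the router only exports and does no aggregation.

Assumes the router has `ip route-cache flow` on the inside interface plus
`ip flow-export version 5` and `ip flow-export destination <collector> <port>`,
so the collector receives these UDP datagrams.  The flows below are
constructed with RFC 5737 documentation addresses; they are not captured traffic."""
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire format: 24-byte header, then `count` 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")   # version, count, uptime, secs, nsecs, seq, engine type, engine id, sampling
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # src, dst, nexthop, in/out ifindex, pkts, bytes, first, last,
                                                   # sport, dport, pad, tcp flags, proto, tos, src/dst AS, masks, pad
SYN, ACK = 0x02, 0x10


def ip2int(addr):
    return struct.unpack("!I", socket.inet_aton(addr))[0]


def int2ip(num):
    return socket.inet_ntoa(struct.pack("!I", num))


def build_v5(records, seq=0):
    """Synthesise one export datagram from (src, dst, pkts, bytes, sport, dport, flags, proto) tuples.
    Only needed here to construct sample input; a real collector just reads UDP."""
    body = b"".join(
        V5_RECORD.pack(ip2int(s), ip2int(d), 0, 1, 2, pk, by, 0, 0, sp, dp, 0, fl, pr, 0, 0, 0, 0, 0, 0)
        for s, d, pk, by, sp, dp, fl, pr in records)
    return V5_HEADER.pack(5, len(records), 0, 0, 0, seq, 0, 0, 0) + body


def parse_netflow_v5(datagram):
    """Return one dict per flow record; rejects other versions and short datagrams
    rather than trusting the count field in an unauthenticated UDP packet."""
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % version)
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated datagram: count=%d, len=%d" % (count, len(datagram)))
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": int2ip(f[0]), "dst": int2ip(f[1]), "pkts": f[5], "bytes": f[6],
                      "sport": f[9], "dport": f[10], "flags": f[12], "proto": f[13]})
    return flows


def rank_destinations(flows):
    """Per destination: flows, packets, bytes, distinct sources and the share of
    TCP flows that carried SYN without ACK.  A SYN flood is many one-packet flows
    from many sources with syn_only_share near 1; a volumetric flood is bytes."""
    agg = defaultdict(lambda: {"flows": 0, "pkts": 0, "bytes": 0, "srcs": set(), "syn_only": 0})
    for f in flows:
        a = agg[f["dst"]]
        a["flows"] += 1
        a["pkts"] += f["pkts"]
        a["bytes"] += f["bytes"]
        a["srcs"].add(f["src"])
        if f["proto"] == 6 and (f["flags"] & SYN) and not (f["flags"] & ACK):
            a["syn_only"] += 1
    rows = [{"dst": dst, "flows": a["flows"], "pkts": a["pkts"], "bytes": a["bytes"],
             "sources": len(a["srcs"]), "syn_only_share": a["syn_only"] / a["flows"]}
            for dst, a in agg.items()]
    return sorted(rows, key=lambda r: (r["flows"], r["pkts"]), reverse=True)


def sample_datagram():
    """Constructed input: 60 single-SYN flows from 60 different sources to
    192.0.2.10:80, beside two ordinary established transfers to 192.0.2.20."""
    flood = [("203.0.113.%d" % i, "192.0.2.10", 1, 40, 40000 + i, 80, SYN, 6) for i in range(1, 61)]
    normal = [("198.51.100.7", "192.0.2.20", 1200, 1500000, 51000, 443, SYN | ACK, 6),
              ("198.51.100.8", "192.0.2.20", 30, 4000, 52000, 22, SYN | ACK, 6)]
    return build_v5(flood + normal)


if __name__ == "__main__":
    for r in rank_destinations(parse_netflow_v5(sample_datagram())):
        print("%-12s flows=%-4d pkts=%-6d bytes=%-8d sources=%-3d syn_only=%3.0f%%"
              % (r["dst"], r["flows"], r["pkts"], r["bytes"], r["sources"], 100 * r["syn_only_share"]))
```

For a quick on-box look without a collector, `show ip cache flow` prints the same kind of per-flow table, but reading it during an attack costs CPU on the router you are trying to protect; exporting keeps that work off the box. Sampled NetFlow, where the platform supports it, cuts the cost further at the price of undercounting small floods.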
