DoS attack and IP Accounting OverHead.

Discussion in 'Cisco' started by Gary, Feb 28, 2004.

  1. Gary

    Gary Guest

    We are considering running IP Accounting on the handoff to our internal
    network to help identify targets of DoS attacks.

    1. Is it that simple to spot the target?
    2. What are the overheads of using this feature in terms of CPU, as the
    router would already be stressed because of the DoS?

    Thanks
    Gary
     
    Gary, Feb 28, 2004
    #1

  2. Walter Roberson

    :We are considering running IP Accounting on the handoff to our internal
    :network to help identify targets of DoS attacks.

    :1. Is it that simple to spot the target
    :2. What are the overheads of using this feature in terms of CPU as the
    :router would already be stressed because of the DoS.

    What I gather from the discussions of others is that netflow is
    more efficient than IP accounting.

    How would you get to the IP Accounting data? Were you thinking of
    SNMP'ing for it? SNMP can add significantly to the processor load.

    What kinds of DoS attacks were you expecting to be able to discover?
    It has been a while since I looked at IP Accounting output, but my
    recollection is that IP Accounting is not useful for SYN attacks;
    nor do I recall it as being effective in noting attempts to reach
    unreachable ports. My recollection is that the data gives you
    source and destination IPs, a byte count, and a number of connections.
    Failed connections don't contribute anything to the byte count.
    IP Accounting also isn't going to be very useful in monitoring
    half-open connections that are clogging the tables.

    IP Accounting might help you find abnormally large transfers (if
    the remote ends are able to send unlimited file sizes to you.) But
    a good DoS would mix transfer sizes.

    Your PIX's Floodguard and connection limits (the numbers at the
    end of the 'static' command) are probably better DoS preventers
    than looking at IP Accounting.

    If DoS attacks are expected, then you should probably invest in
    an IDS of some sort. IDS are outside my experience, so I have no
    recommendations at this time.
     
    Walter Roberson, Feb 28, 2004
    #2
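    Walter's description of what IP Accounting records (per source/destination
    pair, a packet count and a byte count, as printed by `show ip accounting`
    once `ip accounting output-packets` is on the interface) is enough to
    answer Gary's first question mechanically. The script below is an added
    example, not code from the thread: it parses constructed output in the
    `show ip accounting` layout, ranks destinations by packets received, and
    flags hosts that get many small packets from several sources, which is
    what a SYN or ICMP flood looks like when all you have is bytes and
    packets. The sample rows and the thresholds in `suspect_targets` are
    assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of IOS "show ip accounting" output
# (source, destination, packets, bytes). Not real captured data: the rows
# for 192.0.2.25 are built to look like a flood of 40-byte packets.
SAMPLE_IP_ACCOUNTING = """\
   Source           Destination              Packets               Bytes
 10.1.1.20        192.0.2.10                    31                 40300
 10.1.1.21        192.0.2.10                    12                 15600
 198.51.100.7     192.0.2.25                  4210                168400
 198.51.100.8     192.0.2.25                  3975                159000
 198.51.100.9     192.0.2.25                  4102                164080
 203.0.113.44     192.0.2.25                  3890                155600
 10.1.1.20        192.0.2.30                    58                 81200
 Accounting data age is 12
"""

ROW_RE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\d+)\s*$"
)


def parse_ip_accounting(text):
    """Return a list of (src, dst, packets, bytes) tuples.

    The header line and the trailing "Accounting data age" line do not
    match ROW_RE and are skipped.
    """
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append((m.group(1), m.group(2), int(m.group(3)), int(m.group(4))))
    return rows


def rank_destinations(rows):
    """Aggregate per destination and sort by packet count, highest first.

    Each entry carries total packets, total bytes, the number of distinct
    sources talking to the host, and the average bytes per packet.
    """
    agg = defaultdict(lambda: {"packets": 0, "bytes": 0, "sources": set()})
    for src, dst, packets, nbytes in rows:
        agg[dst]["packets"] += packets
        agg[dst]["bytes"] += nbytes
        agg[dst]["sources"].add(src)
    ranked = []
    for dst, a in agg.items():
        ranked.append({
            "dst": dst,
            "packets": a["packets"],
            "bytes": a["bytes"],
            "sources": len(a["sources"]),
            "avg_pkt": a["bytes"] / a["packets"] if a["packets"] else 0.0,
        })
    ranked.sort(key=lambda r: r["packets"], reverse=True)
    return ranked


def suspect_targets(ranked, min_packets=1000, min_sources=3, max_avg_pkt=64):
    """Flag hosts receiving many small packets from several sources.

    The thresholds are assumptions for this example; tune them to the
    link. A small average packet size is what a SYN or ICMP flood looks
    like in a byte/packet count, since a bare SYN is about 40 bytes.
    """
    return [
        r["dst"] for r in ranked
        if r["packets"] >= min_packets
        and r["sources"] >= min_sources
        and r["avg_pkt"] <= max_avg_pkt
    ]


if __name__ == "__main__":
    rows = parse_ip_accounting(SAMPLE_IP_ACCOUNTING)
    for r in rank_destinations(rows):
        print(f'{r["dst"]:<16} pkts={r["packets"]:>7} sources={r["sources"]:>3} '
              f'avg_bytes/pkt={r["avg_pkt"]:.1f}')
    print("suspect targets:", suspect_targets(rank_destinations(rows)))
```

    Two caveats a practitioner should keep in mind when running this against
    a real router: the accounting table is capped (`ip accounting-threshold`,
    512 entries by default), so a spoofed-source flood fills it with
    one-packet entries and the overflow is only counted in aggregate, and
    the data is read with `show ip accounting` over the console or VTY,
    which on an already loaded router is cheaper than polling it by SNMP.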

  3. Gary

    Gary Guest

    This was a simple DoS attacking one unprotected machine, but we could not
    track it as the router was stressed.

    I think IP Accounting would have shown us what we needed but may have killed
    the router and it is that question I need to know about.

    Gary
     
    Gary, Feb 28, 2004
    #3
  4. Jeff C

    Jeff C Guest

    Yes you can push a router to unresponsiveness with ip accounting. I don't
    have any particulars about how much of a CPU hit it takes to run, sorry.
    If you know the server that the DoS attack was centered on you may try
    limiting source IPs and destination ports that are able to connect to it.

    -Jeff C
     
    Jeff C, Feb 28, 2004
    #4
  5. Gary

    Gary Guest

    What about NetFlow? Would capturing this type of data for analysis help
    with DDoS attacks without helping to kill the router?

    Gary
     
    Gary, Feb 28, 2004
    #5
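    What NetFlow adds over IP Accounting, and why it covers the cases Walter
    says IP Accounting misses (SYN floods, probes of closed ports), is the
    protocol and port fields in each flow record. The script below is an added
    example, not code from the thread: it parses constructed output in the
    layout of `show ip cache flow` (enabled per interface with
    `ip route-cache flow`, exportable with `ip flow-export destination`),
    where protocol and ports are printed in hexadecimal, and then looks for
    two patterns the byte/packet view cannot separate: many hosts each
    sending a one-packet TCP flow to the same port (a SYN flood) and one host
    sending tiny flows to many ports on the same target (a port scan). The
    sample flows and thresholds are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of IOS "show ip cache flow" (the flow
# table only, not real captured data). Protocol and ports are printed in
# hex, so 06 is TCP, 11 is UDP, 0050 is port 80, 0016 is port 22.
SAMPLE_FLOW_CACHE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0         198.51.100.7    Fa0/1         192.0.2.25      06 0401 0050     1
Fa0/0         198.51.100.8    Fa0/1         192.0.2.25      06 0402 0050     1
Fa0/0         198.51.100.9    Fa0/1         192.0.2.25      06 0403 0050     1
Fa0/0         203.0.113.44    Fa0/1         192.0.2.25      06 0404 0050     1
Fa0/0         203.0.113.9     Fa0/1         192.0.2.10      06 1F90 0016     1
Fa0/0         203.0.113.9     Fa0/1         192.0.2.10      06 1F91 0017     1
Fa0/0         203.0.113.9     Fa0/1         192.0.2.10      06 1F92 0050     1
Fa0/0         10.1.1.20       Fa0/1         192.0.2.30      06 C3A1 0050   412
Fa0/0         10.1.1.20       Fa0/1         192.0.2.30      11 0035 0035     2
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
FLOW_RE = re.compile(
    r"^(\S+)\s+(" + IPV4 + r")\s+(\S+)\s+(" + IPV4 + r")\s+"
    r"([0-9A-Fa-f]{2})\s+([0-9A-Fa-f]{4})\s+([0-9A-Fa-f]{4})\s+(\d+)\s*$"
)


def parse_flow_cache(text):
    """Return flows as dicts with protocol and ports decoded from hex."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue  # header line or anything else that is not a flow row
        flows.append({
            "src": m.group(2), "dst": m.group(4),
            "proto": int(m.group(5), 16),
            "sport": int(m.group(6), 16), "dport": int(m.group(7), 16),
            "pkts": int(m.group(8)),
        })
    return flows


def syn_flood_candidates(flows, min_sources=3):
    """(dst, dport, source count) for TCP ports receiving one-packet flows
    from at least min_sources distinct hosts. A flow that never gets past
    the first packet is the NetFlow signature of a SYN that was never
    followed by data."""
    srcs = defaultdict(set)
    for f in flows:
        if f["proto"] == 6 and f["pkts"] == 1:
            srcs[(f["dst"], f["dport"])].add(f["src"])
    return sorted((dst, dport, len(s))
                  for (dst, dport), s in srcs.items() if len(s) >= min_sources)


def port_scan_candidates(flows, min_ports=3):
    """(src, dst, port count) for one source touching at least min_ports
    distinct TCP ports on one host with flows of at most two packets."""
    ports = defaultdict(set)
    for f in flows:
        if f["proto"] == 6 and f["pkts"] <= 2:
            ports[(f["src"], f["dst"])].add(f["dport"])
    return sorted((src, dst, len(p))
                  for (src, dst), p in ports.items() if len(p) >= min_ports)


if __name__ == "__main__":
    flows = parse_flow_cache(SAMPLE_FLOW_CACHE)
    print("possible SYN floods:", syn_flood_candidates(flows))
    print("possible port scans:", port_scan_candidates(flows))
```

    Reading the cache on the box with `show ip cache flow` is a one-off
    check; for continuous collection, export the flows (`ip flow-export
    version 5` to a collector) and run the same grouping there, so the
    router only does the cache accounting and the analysis CPU is spent
    elsewhere.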
