Showing posts with label Cisco. Show all posts

Tuesday, June 23, 2009

Tracking the source of DOS attack with Cisco IOS

Problem: the enterprise is under a Denial of Service attack that brings down key elements of the business, or even the whole network.
Tracking down the attacker is the first step in handling the attack, and unless the flood is coming from inside (unlikely in a well-managed LAN) you will need the help of your Service Provider to find its origin. Unfortunately the Service Provider's (SP) backbone is not well suited for such forensics: its business role is to provide uninterrupted connectivity to ALL the clients, not only you, so the SP will not enable ACLs / ip accounting / NetFlow on its backbone routers just to identify where the attack is coming from. And if the source IP of the attack is spoofed, ACLs would not tell you much anyway.

For such cases Cisco came up with a nice feature called ip source tracking. It gathers flow statistics for specific destination IPs (those of the victim) and periodically exports them for viewing, and it does all this without overloading the backbone router it is enabled on (relevant, of course, only if your SP is using Cisco gear). Here are the details:

- Enable it globally for the victim IP; here the IP being attacked is 63.45.33.22:

Edge(config)#ip source-track 63.45.33.22

- If you want (and if the SP is doing this for you, they will not), you may also create syslog entries:
Edge1(config)#ip source-track syslog-interval 2
Then you will see in the logs (a good reminder to disable the tracking afterwards):
May 28 10:55:47.105: %DOS_TRACK-5-CFG: IP Source Tracker configured for 1 hosts

- You may also define how often the gathered info is exported for viewing (the allowed range seems to depend on the platform):

Edge(config)#ip source-track export-interval 60

- And finally, you view the data accumulated so far:

Edge#sh ip source-track
Address SrcIF Bytes Pkts Bytes/s Pkts/s
63.45.33.22 Fa0/0 141G 485M 8244 141

The most important field here is the source interface (SrcIF): in this router there is only one ingress interface, but in a real backbone you will have several feeds, and you look for the one where most of the incoming traffic for this destination IP shows up. Then you (or rather the SP) go to the upstream router connected to that interface, enable the same source tracking there, and so on, hop by hop, up to the last point where the attacking traffic enters the SP backbone from some upstream SP. At that point the SP has the option to contact the abuse desk of that upstream provider so they can investigate further, or at least to divert the attack into a black hole at the entry point, so the end client is not affected at all.
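As an added illustration (not part of the original post), here is a small parser that reads "show ip source-track" output in the column layout shown above and picks the ingress interface carrying the bulk of the flood towards the victim, which is the interface you would follow to the next upstream router. The sample output is constructed: the Fa0/0 row is the one from the post, the Gi1/0 and Gi2/0 rows are hypothetical extra feeds of a backbone router.

```python
import re
from collections import defaultdict

# Constructed sample of "show ip source-track" output in the column layout the
# post shows. The first row is the post's own; the other two are hypothetical
# extra ingress feeds, as a backbone router would have.
SAMPLE_OUTPUT = """\
Address SrcIF Bytes Pkts Bytes/s Pkts/s
63.45.33.22 Fa0/0 141G 485M 8244 141
63.45.33.22 Gi1/0 2105M 3M 310 4
63.45.33.22 Gi2/0 98K 1200 12 1
"""

_SUFFIX = {"": 1, "K": 10**3, "M": 10**6, "G": 10**9}
_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)([KMG]?)\s+(\d+)([KMG]?)\s+(\d+)\s+(\d+)$")


def _scaled(number, suffix):
    """Expand the K/M/G abbreviation IOS prints in the byte/packet counters."""
    return int(number) * _SUFFIX[suffix]


def parse_source_track(text):
    """Return one dict per (victim address, ingress interface) data row."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:  # header line or blank line
            continue
        addr, srcif, b, bs, p, ps, bps, pps = m.groups()
        rows.append({"address": addr, "srcif": srcif,
                     "bytes": _scaled(b, bs), "pkts": _scaled(p, ps),
                     "bytes_s": int(bps), "pkts_s": int(pps)})
    return rows


def dominant_ingress(rows, victim, min_share=0.8):
    """Interface carrying at least `min_share` of the packet rate towards `victim`.

    Returns (interface, share) or (None, share) when no single feed dominates:
    a flood split across feeds cannot yet be traced to one upstream router.
    """
    per_if = defaultdict(int)
    for r in rows:
        if r["address"] == victim:
            per_if[r["srcif"]] += r["pkts_s"]
    total = sum(per_if.values())
    if total == 0:
        return None, 0.0
    best = max(per_if, key=per_if.get)
    share = per_if[best] / total
    return (best, share) if share >= min_share else (None, share)
```

Running `dominant_ingress(parse_source_track(SAMPLE_OUTPUT), "63.45.33.22")` on the sample returns Fa0/0 with roughly 97% of the packet rate, so that is the feed to follow upstream.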

Saturday, July 19, 2008

New Memory Capacity on Cisco 2600XM Series Multiservice Router

Two new features are being introduced on all Cisco® 2600XM Series multiservice routers. The first is a new 128-MB synchronous dynamic RAM (SDRAM) dual in-line memory module (DIMM) for use in all new and existing Cisco 2600XM Series multiservice routers. This new 128-MB DIMM offers higher-density memory, providing the ability to support memory increases to 256 MB of DRAM (with the correct ROM monitor [ROMmon]). All Cisco 2650XM Multiservice Router, Cisco 2651XM Multiservice Router, and Cisco 2600XM bundles and upgrades to 128 MB of DRAM are now shipping with one 128-MB SDRAM DIMM instead of two 64-MB SDRAM DIMMs. This allows for the second slot to remain open for future memory expansion up to 256 MB.

The second announcement is a new internal ROMmon on all Cisco 2600XM Series multiservice routers. This new ROMmon simply provides the "future ability" to upgrade the Cisco 2600XM Series to 256-MB DRAM. Currently the maximum memory used by Cisco IOS® Software is 128 MB. Some future Cisco IOS Software releases will use more than 128 MB of memory and will require this new ROMmon support to provide access to memory between 128 MB and 256 MB. Cisco IOS Software usage of more than 128 MB of SDRAM (in specific software images) is scheduled for October 2004 or sooner.

Changes are being made to address the following:

• Support for up to 256 MB of DRAM for future memory increases past Cisco IOS Software Release 12.3 Mainline

• Memory scalability for greater feature and service enhancements in Cisco IOS Software releases 12.4T and 12.5M

• Ability for customers to maximize memory capacity for future growth, without adding future service costs for adding memory at a later date

• Commitment to Cisco 2600XM Series longevity
