DOS Attack

Status
Not open for further replies.

tuks

Technical User
Jul 16, 2000
75
FJ
Recently we experienced a slow internet connection. Someone suggested it may be because of a DOS attack and asked if I could check my internet router for this. How do I do this? I mean, what command should I use, and what do I have to look for in the result of entering that command?

Router model: Cisco 1000 series
IOS Version: Version 11.1(6)

Hope that someone out there will help me.

Regards
 
Pinning down a ping attack involves a series of tests. First, clear the counters on the customer's router and check the input/output rate. If you suspect a ping attack from an outside source you would expect to see high input rates on the serial link.

You can try debug ip icmp (+ term monitor if you telnet in). This will identify the source and destination addresses of the ping packets, but you have to be careful not to overload the CPU, so check the CPU utilisation first with show proc cpu. You won't need much output to see the addresses, so turn off the debug - quickest way is: u al

Use the source address to trace the origin of the ping, but this is probably spoofed, or is a host on a reflector network as in the case of a Smurf attack, in which case you will need to contact the network owner and ask them to take steps to prevent their network from being used in this way.

You could just add an access list to the serial interface preventing all pings.

HTH
 
Can you be more explicit? Which bit don't you understand?
 
I'm sorry. It's this (+ term monitor if you telnet in). And also what to look for when you run the command show proc cpu that will indicate whether the CPU utilisation is OK or overloaded.

rgrds
 
term mon is short for terminal monitor. It ensures that the output from the debug command is displayed on your screen. Show proc cpu is short for show processes cpu and shows the amount of cpu each process is using. If the total cpu usage is higher than, let's say 50%, then you need to check it often if debug is on to make sure it doesn't increase to a point where the router might enter a "hung" state. Some debug commands will make the cpu usage so high that the router "falls over". On the other hand the router may already be running high cpu if, for instance, it has a large routing table and not much memory, or if it is processing a lot of access lists. Debug is a powerful command and you should use it carefully on a live network.
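The pre-debug checks described in this thread (input rate on the serial link, then CPU utilisation against the 50% figure) can be scripted over captured command output. This is an added example, not code from any poster; the sample output is constructed, and the 80% link threshold and all function names are assumptions.

```python
import re

# Constructed sample output in the layout Cisco IOS prints; all values are invented.
SAMPLE_CPU = "CPU utilization for five seconds: 62%/41%; one minute: 48%; five minutes: 33%"
SAMPLE_INTF = """Serial0 is up, line protocol is up
  MTU 1500 bytes, BW 128 Kbit, DLY 20000 usec, rely 255/255, load 231/255
  5 minute input rate 116000 bits/sec, 190 packets/sec
  5 minute output rate 9000 bits/sec, 14 packets/sec
"""

CPU_LIMIT = 50      # percent, the "let's say 50%" figure from the thread
LINK_LIMIT = 0.80   # assumed fraction of link bandwidth treated as saturated


def parse_cpu(text):
    """Return the four percentages from the first line of 'show processes cpu'."""
    m = re.search(r"five seconds: (\d+)%/(\d+)%; one minute: (\d+)%; five minutes: (\d+)%", text)
    if m is None:
        raise ValueError("no CPU utilization line found")
    total, interrupt, one_min, five_min = map(int, m.groups())
    return {"five_sec": total, "interrupt": interrupt, "one_min": one_min, "five_min": five_min}


def parse_interface(text):
    """Return bandwidth and 5-minute input/output rates, all in bits per second."""
    bw = re.search(r"BW (\d+) Kbit", text)
    rate_in = re.search(r"input rate (\d+) bits/sec", text)
    rate_out = re.search(r"output rate (\d+) bits/sec", text)
    if not (bw and rate_in and rate_out):
        raise ValueError("interface output is missing BW or rate lines")
    return {"bw": int(bw.group(1)) * 1000, "in": int(rate_in.group(1)), "out": int(rate_out.group(1))}


def triage(cpu_text, intf_text):
    """Combine both readings into the checks described in the thread."""
    cpu, link = parse_cpu(cpu_text), parse_interface(intf_text)
    return {
        "input_utilization": round(link["in"] / link["bw"], 3),
        "input_saturated": link["in"] / link["bw"] >= LINK_LIMIT,
        # The figure after the slash is interrupt-level CPU, mostly packet switching.
        "cpu_traffic_driven": cpu["interrupt"] * 2 >= cpu["five_sec"] > 0,
        "debug_safe": max(cpu["five_sec"], cpu["one_min"]) < CPU_LIMIT,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_CPU, SAMPLE_INTF))
```

A saturated input rate with traffic-driven CPU and `debug_safe` false is the case where turning on debug risks hanging the router, so an access list or upstream contact is the safer next step.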
 