Cisco Tips & Tricks

May 3, 2006

Troubleshooting DoS attacks

Filed under: Uncategorized — ciscotips @ 5:54 pm

Multiple large-sized packets injected into your network from any source, including a host PC, can bring your network to a dead crawl. In the worst case, theycan even shut down operations. To determine which host or node is sending or receiving suspisciously large and multiple “packets” (no pun intended), enable ip accounting output-packets in the interface that you suspect they pass through. Then use the command sh ip accounting output-packets to viewthe output in real time. Even packet and byte sizes are displayed, which can help you identify what kind oftraffic is present in your link. For example:

Router(config)# interface FastEthernet 0/1

Router(config-if)# ip accounting output-packets

Router# sh ip accounting output-packets

But The preferred, more scalable, method is to use NetFlow on ingress interfaces to try to find the type of traffic Because NetFlow keeps statistics on flows, you can more easily isolate the protocols involved. To enable NetFlow on interfaces, use the interface configuration command ip route-cache flow. Support for NetFlow can vary depending on your platform and code version.

For older platforms that do not support NetFlow, IPaccounting can be useful.


1 Comment »

  1. beautiful

    Comment by lancelot — January 25, 2007 @ 6:27 am

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Create a free website or blog at

%d bloggers like this: