Re: Question about the ICMP attack

From: Mohamed Nizam (torontocisco@yahoo.ca)
Date: Mon Feb 24 2003 - 18:03:05 GMT-3


Unless you log it to a syslog server or buffer, you will not be able to get the
source address.

Mohamed Nizam

A Proud student of WinNET Harith.

----- Original Message -----
From: "Chuck Church" <ccie8776@rochester.rr.com>
To: "Tony Kwok" <sykwok8@yahoo.com>; <ccielab@groupstudy.com>
Sent: Monday, February 24, 2003 2:14 PM
Subject: Re: Question about the ICMP attack

> Create (or add to) an ACL on the outside interface. At the top, list the
> most common types of ICMP as permit statements, then all ICMP, and then your
> other lines or a generic permit all at the end. Once you see what kind of
> ICMP is getting the most hits (via 'sh access-list'), change the ACL for that
> type so that it logs it. You should be able to find out the source pretty
> quickly.
>
> Chuck Church
> CCIE #8776, MCNE, MCSE
>
>
> ----- Original Message -----
> From: "Tony Kwok" <sykwok8@yahoo.com>
> To: <ccielab@groupstudy.com>
> Sent: Monday, February 24, 2003 10:14 AM
> Subject: Question about the ICMP attack
>
>
> > Dear all,
> >
> > I have the following case. Please suggest a solution.
> >
> > Suppose that one of my network interfaces is
> > being attacked by ICMP and I would like to pick those guys
> > out by knowing their addresses. In addition, is there
> > any method to identify which one attacks this
> > interface most frequently?
> >
> > In my idea, I think NetFlow would be a suitable
> > solution. But I find NetFlow cannot show the path
> > for the ICMP, and it also needs to export the data
> > to another server. Please correct me if I have overlooked
> > anything. Thanks.
> >
> > Regards,
> > Tony
> >
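
Added example, not part of the original thread: once the ACL entry for the busiest ICMP type logs to a syslog server or buffer as the replies above suggest, the per-source totals can be ranked from the log text. It assumes the IOS `%SEC-6-IPACCESSLOGDP` message format; the function name `top_icmp_sources`, the ACL number and all sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample syslog lines (hostnames, ACL number, addresses and
# counts are made up; only the %SEC-6-IPACCESSLOGDP layout is assumed real).
SAMPLE_LOG = """\
Feb 24 14:20:01 rtr1 88: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 198.51.100.7 -> 192.0.2.1 (8/0), 1 packet
Feb 24 14:25:01 rtr1 89: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 198.51.100.7 -> 192.0.2.1 (8/0), 4211 packets
Feb 24 14:25:03 rtr1 90: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 203.0.113.40 -> 192.0.2.1 (8/0), 1 packet
Feb 24 14:25:09 rtr1 91: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 203.0.113.9 -> 192.0.2.1 (3/3), 12 packets
Feb 24 14:26:00 rtr1 92: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 203.0.113.9(4000) -> 192.0.2.1(80), 1 packet
Feb 24 14:30:03 rtr1 93: %SEC-6-IPACCESSLOGDP: list 101 permitted icmp 203.0.113.40 -> 192.0.2.1 (8/0), 37 packets
"""

# ICMP hits carry "(type/code)" after the destination and a packet count.
LINE_RE = re.compile(
    r"%SEC-6-IPACCESSLOGDP: list (?P<acl>\S+) (?P<action>permitted|denied) icmp "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) -> (?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"\((?P<type>\d+)/(?P<code>\d+)\), (?P<count>\d+) packets?"
)

def top_icmp_sources(log_text, acl=None, icmp_type=None):
    """Return [(source, packets)] sorted by packet count, highest first."""
    totals = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # non-ICMP or unrelated log line
        if acl is not None and m["acl"] != str(acl):
            continue
        if icmp_type is not None and int(m["type"]) != icmp_type:
            continue
        # Sum the packet field instead of counting lines: the router logs
        # the first hit at once and later hits as periodic summaries.
        totals[m["src"]] += int(m["count"])
    return totals.most_common()

if __name__ == "__main__":
    for src, pkts in top_icmp_sources(SAMPLE_LOG, acl=101, icmp_type=8):
        print(f"{src:15} {pkts} packets")
```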



This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:34 GMT-3