It would have been better to read the README right away; so for testing you need the
last two components...
Requirements:
Perl5
Unix (Tested on Solaris)
Cisco Network
A Bad Guy
A Victim
...
DOSTRACK will attempt to trace source forged packets, starting at a
victim location, and tracing backwards to the possible source. This
program was primarily created to trace Denial Of Service attacks
(of the SYN and ICMP variety) but can also be used to trace other
types of attacks (where you know the IP address for example).
The full program logic is below, but I'll give a quick summary:
Written in Perl5, and used for Cisco Network Architectures, this
program is invoked by issuing the following:
dostrack <starting-edge-router> -v <victim> [-s <forge-source>] [-t]
Where:
<starting-edge-router> :- this router will be the starting point for
dostrack to log in and do its work.
<victim> :- victim's ip address
<forge-source> :- forged source ip address
-t :- trace mode (optional)
The program will then log into the "starting-edge-router" and do the
following:
* Deploy an ACCESS CONTROL LIST (ACL#199) in the following
format:
access-list 199 permit ip any host <victim> log
access-list 199 deny ip any any
* Place the ACL in debug mode:
debug ip packet 199 detail
* Clear the cache for the victim subnet:
clear ip cache <VICTIM SUBNET> 255.255.255.0
Any packet that comes within the victim subnet will be process
switched to obtain a cache entry and will be picked up by the
debug statement.
Dostrack will analyze the output from debug and will look for
forged packets (by comparing them to the route table).
If forged packets are found, or they match the forge-source given from the
command line, then dostrack will spawn a separate process to log into the
next hop router (by using interface information from the debug statement).
On interfaces where there are many possible originations (e.g. a FDDI),
dostrack will spawn a separate login for every router attached to that
medium (using "show arp").
For point-to-point connections, or connections where arp data
isn't available (e.g. HSSI), dostrack will attempt to read
data from a circuits file, or from user-input data.
...
Ilya Shulman wrote:
>
> Interesting, has anyone tried this program yet? I read their
> press release about it and
> it seems it could be useful.
>
> ish
>
> ------
> Ilya Shulman ish@east.ru +7-095-956-4951 ISH-RIPN
> East Connection ISP, Moscow, Russia. http://www.east.ru
> -----Original Message-----
> From: Dale Drew <ddrew@mci.net>
> To: Alex Rubenstein <alex@nac.net>; nanog@merit.edu <nanog@merit.edu>
> Date: 2 November 1997 14:29
> Subject: Re: Hello, mci?
>
> >The page is http://www.security.mci.net/dostracker
> >
> >It is also accessable from the main page;
> >
> >http://www.security.mci.net
> >
> >And email to "webmaster@www.security.mci.net" also
> >is in full working condition.
> >
> >I have created a link for http://www.security.mci.net/dostrack,
> >so that should now work as well.
> >
> >Dale
> >
> >
> >At 11:43 PM 11/1/97 -0500, Alex Rubenstein wrote:
> >>
> >>http://www.security.mci.net/dostrack
> >>
> >>
> >>
> >>Not Found
> >>
> >>The requested object was not found on this server.
> >>
> >>
> >>Hrmph. Where?
> >>
> >
> > "Si Hoc Legere Scis Nimium Eruditionis Habes"
> >================================================================
> >
> >Dale Drew             MCI Telecommunications
> >Sr. Manager           internetMCI Security Engineering
> >Voice: 703/715-7058   Internet: ddrew@mci.net
> >Fax:   703/715-7066   MCIMAIL: Dale_Drew/644-3335
> >
>
> =============================================================================
> "inet-admins" Internet access mailing list. Maintained by East Connection ISP.
> Mail "unsubscribe inet-admins" to Majordomo@info.east.ru if you want to quit.
--
AE
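As an added illustration, not part of the DOSTRACK distribution and not code from anyone in this thread, here is a Python sketch of the analysis step the README describes: parse `debug ip packet 199 detail` output, find packets to the victim whose source does not agree with the route table, and report the ingress interface(s) dostrack would log into next. The debug output lines and the route table are constructed for the example (the IOS line format is approximated from memory, so treat it as an assumption), and "comparing to the route table" is implemented here as a reverse-path check (source has no route, or is routed out a different interface than the one it arrived on), which is my reading of the README rather than a description of DOSTRACK's own logic. `router_commands` just renders the three IOS steps from the README for a /24 victim subnet.

```python
import ipaddress
import re

# Constructed sample of `debug ip packet 199 detail` output for victim
# 192.0.2.10. Format is approximated from IOS of that era (assumption).
SAMPLE_DEBUG = """\
IP: s=10.0.0.7 (Serial0), d=192.0.2.10 (Ethernet0), len 44, rcvd 4
    TCP src=1025, dst=80, seq=1, ack=0, win=512 SYN
IP: s=203.0.113.5 (Serial1), d=192.0.2.10 (Ethernet0), len 84, rcvd 4
    ICMP type=8, code=0
IP: s=198.51.100.9 (Serial0), d=192.0.2.10 (Ethernet0), len 44, rcvd 4
    TCP src=2000, dst=80, seq=7, ack=0, win=512 SYN
IP: s=198.51.100.20 (Serial1), d=192.0.2.10 (Ethernet0), len 44, rcvd 4
    TCP src=2001, dst=80, seq=9, ack=0, win=512 SYN
IP: s=192.0.2.33 (Ethernet0), d=192.0.2.10 (Ethernet0), len 44, rcvd 4
    TCP src=3000, dst=25, seq=1, ack=0, win=512 SYN
IP: s=172.16.5.5 (Serial0), d=192.0.2.10 (Ethernet0), len 44, rcvd 4
    TCP src=4000, dst=80, seq=3, ack=0, win=512 SYN
"""

# Constructed route table (what `show ip route` would give on the edge
# router): prefix -> interface the prefix is reachable through. No default
# route, so a source with no entry is unroutable from this router's view.
ROUTE_TABLE = [
    ("192.0.2.0/24", "Ethernet0"),
    ("198.51.100.0/24", "Serial1"),
    ("203.0.113.0/24", "Serial1"),
    ("172.16.0.0/12", "Serial0"),
]

PKT_RE = re.compile(r"IP: s=(\S+) \((\S+)\), d=(\S+) \((\S+)\), len (\d+)")


def lookup_route(addr, table=ROUTE_TABLE):
    """Longest-prefix match: interface the route table says addr lives behind,
    or None when there is no route back to that source."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def parse_debug(text):
    """Yield (src, in_iface, dst, out_iface) for every 'IP:' line."""
    for m in PKT_RE.finditer(text):
        yield m.group(1), m.group(2), m.group(3), m.group(4)


def find_forged(text, victim, forge_source=None, table=ROUTE_TABLE):
    """Packets to victim whose source looks forged: either it equals the
    -s forge-source, or a reverse-path check against the route table fails."""
    hits = []
    for src, in_iface, dst, _ in parse_debug(text):
        if dst != victim:
            continue
        expected = lookup_route(src, table)
        reason = None
        if forge_source and src == forge_source:
            reason = "matches forge-source given on the command line"
        elif expected is None:
            reason = "no route back to source"
        elif expected != in_iface:
            reason = f"route table says {src} is behind {expected}, arrived on {in_iface}"
        if reason:
            hits.append({"src": src, "in_iface": in_iface, "reason": reason})
    return hits


def next_hop_interfaces(hits):
    """Distinct ingress interfaces: where dostrack would log in next
    (one login per neighbour on shared media such as FDDI, via show arp)."""
    return sorted({h["in_iface"] for h in hits})


def router_commands(victim):
    """Render the README's three steps for a /24 victim subnet."""
    subnet = ipaddress.ip_network(f"{victim}/24", strict=False)
    return [
        f"access-list 199 permit ip any host {victim} log",
        "access-list 199 deny ip any any",
        "debug ip packet 199 detail",
        f"clear ip cache {subnet.network_address} {subnet.netmask}",
    ]


if __name__ == "__main__":
    for cmd in router_commands("192.0.2.10"):
        print(cmd)
    found = find_forged(SAMPLE_DEBUG, "192.0.2.10", forge_source="172.16.5.5")
    for h in found:
        print(f"forged: {h['src']} on {h['in_iface']}: {h['reason']}")
    print("trace next on:", ", ".join(next_hop_interfaces(found)))
```

Note the caveat the README leaves implicit: on a router with a default route, every unroutable source "has" a route, so the route-table comparison degrades to checking the ingress interface only; the constructed table above deliberately has no default so the no-route case is visible.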