Denial of Service attacks are well known in the security field, but in recent years distributed Denial of Service attacks have become more of a worry and a priority to ISPs. Recognizing when a DDoS attack is crossing your network is important, and being able to shut it down at your network's edge is even more so. But due to the increasing ease of spoofing the source IPs of a DDoS attack, correctly finding where the traffic is entering your network becomes more difficult. Rather than being able to traceroute via normal routing methods, most tracing of spoofed addresses has to be done hop by hop, one router at a time. In a large backbone, this can take hours, particularly when you consider that many DDoS attacks come from hundreds of different IP addresses.
There aren't many tools out there to aid NOCs in tracing these sorts of attacks. Indeed, many NOCs are still forced to trace attacks by hand. To address this problem, I have written a Perl script to trace DDoS attacks backwards through a Cisco-router network. The script can handle spoofed IPs, and will run both on Cisco's older routers (7500 series) and on their Gigabit Switch Routers. This talk will present the script and provide a guided tour through the code to explain how and why it works.