Troubleshooting of Network DoS attacks (CISCO)

Source: Internet
Author: User

DoS is the abbreviation of Denial of Service. In a DoS condition a device is fully loaded and cannot accept new tasks, so service requests must wait. Attackers can exploit this to stop the target machine from providing services or from accessing resources. These resources include disk space, memory, processes, and even network bandwidth, so normal user access is blocked.
When many large data packets appear on your network and their source is uncertain (it may even be a single PC), the network can slow to a crawl. In the worst case, the network will be interrupted.

To determine which machine in the network is receiving or sending these suspicious large data packets, the network administrator can enable the ip accounting output-packets command on the router interface. You do not need to enable it on all interfaces, only on the interfaces you suspect the suspicious traffic passes through. Then use the show ip accounting output-packets command to observe the current results. The output lists packet and byte counts for each source and destination pair, so you can judge which host has a problem. The following is a brief introduction to how to implement this method and the related commands.
Router(config)# interface FastEthernet 0/1
Router(config-if)# ip accounting output-packets
Router(config-if)# end
Router# show ip accounting output-packets

Router# show ip accounting
Source           Destination      Packets    Bytes
131.108.19.40    192.67.67.20     7          306
131.108.13.55    192.67.67.20     67         2749
131.108.2.50     192.12.33.51     17         1111
131.108.2.50     130.93.2.1       5          319
131.108.2.50     130.93.1.2       463        30991
131.108.19.40    130.93.2.1       4          262
131.108.19.40    130.93.1.2       28         2552
131.108.20.2     128.18.6.100     39         2184
131.108.13.55    130.93.1.2       35         3020
131.108.19.40    192.12.33.51     1986       95091
131.108.2.50     192.67.67.20     233        14908
131.108.13.28    192.67.67.53     390        24817
131.108.13.55    192.12.33.51     214669     9806659
131.108.13.111   128.18.6.23      27739      1126607
131.108.13.44    192.12.33.51     35412      1523980
192.31.7.21      130.93.1.2       11         824
131.108.13.28    192.12.33.2      21         1762
131.108.20.6     192.31.7.130     797        141054
131.108.3.11     192.67.67.53     4          246
192.31.7.21      192.12.33.51     15696      695635
192.31.7.24      192.67.67.20     21         916
131.108.13.111   128.18.10.1      1137
Accounting threshold exceeded for 7 packets and 433 bytes
The output-packets keyword indicates that only packets that were successfully routed are displayed.
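To pick the problem host out of a long accounting table, the per-pair counters can be summed per host and ranked. The following Python is an added example, not part of the original article: the function names, the 50% byte-share threshold and the embedded sample (a few rows constructed in the layout shown above, including one incomplete row) are assumptions for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in the "Source Destination Packets Bytes" layout shown above.
SAMPLE = """\
Router# show ip accounting
Source           Destination      Packets    Bytes
131.108.19.40    192.67.67.20     7          306
131.108.13.55    192.12.33.51     214669     9806659
131.108.13.111   128.18.6.23      27739      1126607
131.108.13.44    192.12.33.51     35412      1523980
131.108.13.111   128.18.10.1      1137
Accounting threshold exceeded for 7 packets and 433 bytes
"""

def parse_accounting(text):
    """Return (src, dst, packets, bytes) tuples; skip headers, notices and malformed rows."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 4:
            continue  # prompt echo, threshold notice, or a row missing a counter
        try:
            src, dst = ipaddress.ip_address(f[0]), ipaddress.ip_address(f[1])
            rows.append((str(src), str(dst), int(f[2]), int(f[3])))
        except ValueError:
            continue  # column header or otherwise non-numeric line
    return rows

def top_talkers(rows, key="src", share=0.5):
    """Sum packets/bytes per source (or destination); flag hosts at or above `share` of all bytes."""
    idx = 0 if key == "src" else 1
    totals = defaultdict(lambda: [0, 0])
    for row in rows:
        totals[row[idx]][0] += row[2]
        totals[row[idx]][1] += row[3]
    grand = sum(b for _, b in totals.values()) or 1
    ranked = sorted(totals.items(), key=lambda kv: kv[1][1], reverse=True)
    return [(host, p, b, b / grand >= share) for host, (p, b) in ranked]

if __name__ == "__main__":
    rows = parse_accounting(SAMPLE)
    for host, pkts, byts, flagged in top_talkers(rows):
        print(f"{host:<16}{pkts:>10}{byts:>12}  {'<-- investigate' if flagged else ''}")
```

Calling top_talkers(rows, key="dst") ranks by destination instead, which shows the host receiving the traffic rather than the one sending it.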

If the device supports NetFlow, NetFlow is more convenient. NetFlow must be enabled on the device's inbound interface. From the statistics NetFlow collects, you can easily determine the protocol of the problematic packets. To activate NetFlow, run the ip route-cache flow command on the interface in question. If the device does not support NetFlow, you have to use the ip accounting method.
