Re: detecting a DDOS attack
- From: Jason Dixon <jason dixongroup net>
- To: Red Hat Mailing List <redhat-list redhat com>
- Subject: Re: detecting a DDOS attack
- Date: Fri Oct 31 09:42:01 2003
On Fri, 2003-10-31 at 09:38, Bill Tangren wrote:
> Hello all,
>
> Our network had been VERY slow in the last two weeks. We have a T3 line,
> but sftp transfer rates are down around 10kB/sec now. I suspect some
> type of attack on our firewalls, though I've never heard of an attack
> being sustained for so long.
They can go on indefinitely, if nobody does anything about it.
> Could someone tell me what to look for? My logs ( I run several servers
> behind the firewall, but I don't administer the firewall itself) don't
> show anything unusual that I can find. I have been examining web server
> logs, and mail logs, and I scrutinize the output from LogWatch.
>
> Where else should I look?
At your connection? Why haven't you asked the firewall administrator to
review your traffic levels/types? Obviously, if you're under ICMP flood
attack (for example), it's not going to show in your web or mail logs.
--
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net
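
Added example, not part of the original message: one way to check traffic levels and types on a Linux server is to diff two snapshots of the kernel's `/proc/net/snmp` counters, which see ICMP, TCP and UDP packets that never reach web or mail logs. The snapshots below are constructed and trimmed, and the watch list labels and thresholds are assumptions chosen for illustration.

```python
"""Per-protocol inbound packet rates from two /proc/net/snmp snapshots."""
# Constructed, trimmed snapshots taken 10 seconds apart (not real data).
SNAP_T0 = """\
Ip: Forwarding DefaultTTL InReceives InDelivers
Ip: 2 64 1000000 990000
Icmp: InMsgs InErrors InEchos InEchoReps
Icmp: 5000 0 4000 100
Tcp: ActiveOpens PassiveOpens InSegs OutSegs
Tcp: 300 900 900000 850000
Udp: InDatagrams NoPorts InErrors OutDatagrams
Udp: 80000 20 0 79000
"""
SNAP_T1 = """\
Ip: Forwarding DefaultTTL InReceives InDelivers
Ip: 2 64 1260000 1249000
Icmp: InMsgs InErrors InEchos InEchoReps
Icmp: 255000 0 253500 100
Tcp: ActiveOpens PassiveOpens InSegs OutSegs
Tcp: 300 905 908000 851000
Udp: InDatagrams NoPorts InErrors OutDatagrams
Udp: 82000 20 0 79500
"""

# Counters to watch; the short keys are labels chosen for this example.
WATCHED = {"ip": ("Ip", "InReceives"), "icmp": ("Icmp", "InMsgs"),
           "icmp_echo": ("Icmp", "InEchos"), "tcp": ("Tcp", "InSegs"),
           "udp": ("Udp", "InDatagrams")}

def parse_snmp(text):
    """Return {protocol: {counter: value}} from /proc/net/snmp text."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    table = {}
    # The file is pairs of rows: counter names, then the matching values.
    for names, values in zip(rows[0::2], rows[1::2]):
        if names[0] != values[0]:
            raise ValueError(f"row mismatch: {names[0]} vs {values[0]}")
        table[names[0].rstrip(":")] = dict(zip(names[1:], map(int, values[1:])))
    return table

def inbound_rates(before, after, seconds):
    """Packets per second for each watched counter between two snapshots."""
    a, b = parse_snmp(before), parse_snmp(after)
    return {k: (b[p][c] - a[p][c]) / seconds for k, (p, c) in WATCHED.items()}

def icmp_dominates(rates, share=0.5, min_pps=1000):
    """True when ICMP is fast and most of inbound IP (assumed thresholds)."""
    return rates["icmp"] >= min_pps and rates["icmp"] / max(rates["ip"], 1) >= share

if __name__ == "__main__":
    rates = inbound_rates(SNAP_T0, SNAP_T1, 10)
    print(rates, "ICMP-dominated:", icmp_dominates(rates))
```

These counters only cover packets that reach the host being measured; traffic dropped at the firewall or saturating the upstream link has to be measured there.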