[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [K12OSN] K12OSN a bit OT - how to deal witha DOS attack



Julius Szelagiewicz wrote:

First, don't jump to conclusions about this being an attack - it is
fairly easy to create a routing loop with VPN's and NAT that blow things
up unintentionally.  Try a quick wireshark capture, then do
statistics/endpoints, click the tcp tab and look at the list sorted by
tx packets (the default, I think).  Another thing that can blow up nat
tables is a client program that does frequent retries to an unresponsive
server - you'll see connection attempts that keep using different source
port numbers. Someone might have misconfigured an email client to
connect every few seconds or something like that.

--
Les, I grant you your points, but ...
32000 connections in 25 seconds, disconnecting all the windoze crap cures
the problem ...
I see it as an attack in the sense that I have an undiscovered virus or
trojan.
Time to learn wireshark.

If it is a virus, the source IPs may be faked, especially on UDP packets. Try looking at the MAC addresses - but doing a short capture, then Statistics is still the place to start. It's probably easier to work with the numeric MAC address so go to View/Name Resolution/ and uncheck the MAC layer (otherwise it tries to show the NIC vendor). Then Statistics/endpoints/ethernet should show the busy talkers.

Ntop is also very good for quickly sorting out the sources of different kinds of network activity but it can be a little harder to keep running than wireshark.

Also, this is the time that it would be really handy to have set up something like ocsinventory (http://www.ocsinventory-ng.org/) so you'd already know the NIC MAC addresses. Otherwise you may have to hunt them down following the mac table entries on your switches.

--
  Les Mikesell
   lesmikesell gmail com


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]