[K12OSN] K12OSN a bit OT - how to deal with a DOS attack

Les Mikesell lesmikesell at gmail.com
Tue Sep 2 22:36:32 UTC 2008


Julius Szelagiewicz wrote:
> Dear Folks, and especially Terrell :-)
> 	I've experienced a nasty DOS attack last Friday. I am using a
> SonicWall Pro as a firewall (because I have some VPNs that my partners are
> unwilling to change). The firewall stops responding when the table
> controlling open connections gets full. All the PCs and terminals live
> behind LTSP server, the internet traffic is proxied to a Squid box on
> Comcast, the default goes through the Sonicwall.
> 
> 	After some testing I've established that the attack happens when a
> node inside requests it. That is, no attack if I shut down eth0 on the
> server. Because everything goes through the server's eth1 (Squid too), I
> am having a very hard time figuring out how to find which devices are
> compromised. Everything goes through managed HP ProCurve switches, which
> is not as helpful as one might think.
> 
> 	How do I go about finding out where the attack originates inside
> and where it is coming from on the outside? Should I try to dump all the
> network traffic on eth0 and eth1 to disk? How (tcpdump)? Won't it slow the
> server to a crawl? Should I put a little Linux box between the server and
> the network just to capture the traffic? Should I put another HP switch
> for the same purpose? What to do with captured traffic?
> 
> 	Any input will be very welcome. julius

First, don't jump to conclusions about this being an attack - it is 
fairly easy to create a routing loop with VPNs and NAT that blow things 
up unintentionally.  Try a quick Wireshark capture, then do 
Statistics/Endpoints, click the TCP tab and look at the list sorted by 
Tx Packets (the default, I think).  Another thing that can blow up NAT 
tables is a client program that does frequent retries to an unresponsive 
server - you'll see connection attempts that keep using different source 
port numbers. Someone might have misconfigured an email client to 
connect every few seconds or something like that.

-- 
   Les Mikesell
    lesmikesell at gmail.com
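The two checks in the reply above (rank inside hosts by transmitted packets, the way Wireshark's Statistics > Endpoints does, and spot one host opening connection after connection to the same unresponsive server from ever-changing source ports) can also be scripted over a text dump, which is handy when the capture has to be taken on the LTSP server itself with tcpdump rather than in Wireshark. The script below is an added example written for this page, not code from the original thread; it assumes the capture was written with `tcpdump -n` (dotted-quad addresses with the port appended), the sample lines are constructed, and the `min_ports` threshold of 5 is an arbitrary choice for the sample rather than a tested cut-off.

```python
import re
from collections import Counter, defaultdict

# Constructed tcpdump-style lines (not real captured traffic). Host 192.168.1.23
# retries SMTP to an unresponsive server every second, each attempt from a fresh
# ephemeral source port, which is exactly the pattern that fills a NAT/connection
# table. Host 192.168.1.40 is ordinary web traffic with a completed handshake.
SAMPLE_LINES = [
    f"10:00:{i:02d}.000 IP 192.168.1.23.{51230 + i} > 203.0.113.5.25: "
    f"Flags [S], seq {i}, length 0"
    for i in range(8)
] + [
    "10:00:00.500 IP 192.168.1.40.44010 > 198.51.100.9.80: Flags [S], seq 9, length 0",
    "10:00:00.520 IP 198.51.100.9.80 > 192.168.1.40.44010: Flags [S.], seq 1, ack 10, length 0",
    "10:00:00.530 IP 192.168.1.40.44010 > 198.51.100.9.80: Flags [.], ack 2, length 0",
]

# Matches the "IP src.sport > dst.dport: Flags [..]" part of a tcpdump -n line.
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)


def parse_line(line):
    """Return a dict with src, sport, dst, dport, flags, or None for non-TCP lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    packet = m.groupdict()
    packet["sport"] = int(packet["sport"])
    packet["dport"] = int(packet["dport"])
    return packet


def tx_packets_by_endpoint(lines):
    """Packets transmitted per source IP, highest first: the same view as
    Wireshark's Statistics > Endpoints (TCP tab) sorted by Tx Packets."""
    counts = Counter()
    for line in lines:
        packet = parse_line(line)
        if packet:
            counts[packet["src"]] += 1
    return counts.most_common()


def retry_storms(lines, min_ports=5):
    """Flag (src, dst, dport) tuples where bare SYNs (no SYN/ACK ever seen) from
    one host to one service come from at least min_ports distinct source ports.
    Each such attempt occupies its own NAT table entry until it times out."""
    syn_ports = defaultdict(set)
    answered = set()
    for line in lines:
        packet = parse_line(line)
        if not packet:
            continue
        if packet["flags"] == "S":
            syn_ports[(packet["src"], packet["dst"], packet["dport"])].add(packet["sport"])
        elif packet["flags"] == "S.":
            # SYN/ACK: the service at (src, sport) answered the client at (dst, dport).
            answered.add((packet["dst"], packet["src"], packet["sport"]))
    return [
        (key, len(ports))
        for key, ports in syn_ports.items()
        if len(ports) >= min_ports and key not in answered
    ]


if __name__ == "__main__":
    for ip, tx in tx_packets_by_endpoint(SAMPLE_LINES):
        print(f"{ip:16} tx packets: {tx}")
    for (src, dst, dport), n in retry_storms(SAMPLE_LINES):
        print(f"retry storm: {src} -> {dst}:{dport} using {n} distinct source ports")
```

On a live box the input would come from something like `tcpdump -n -i eth1 'tcp[tcpflags] & tcp-syn != 0' > syns.txt`, which keeps only SYN and SYN/ACK packets and so stays small even on a busy server; feeding that file's lines to `retry_storms` points at the inside host doing the retrying, and `tx_packets_by_endpoint` over a short unfiltered capture gives the same ranking the reply suggests pulling out of Wireshark.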