[K12OSN] K12OSN a bit OT - how to deal with a DOS attack

Les Mikesell lesmikesell at gmail.com
Tue Sep 2 22:36:32 UTC 2008

Julius Szelagiewicz wrote:
> Dear Folks, and especially Terrell :-)
> 	I've experienced a nasty DOS attack last Friday. I am using a
> SonicWall Pro as a firewall (because I have some VPNs that my partners are
> unwilling to change). The firewall stops responding when the table
> controlling open connections gets full. All the PCs and terminals live
> behind LTSP server, the internet traffic is proxied to a Squid box on
> Comcast, the default goes through the Sonicwall.
> 	After some testing I've established that the attack happens when a
> node inside requests it. That is, no attack if I shut down eth0 on the
> server. Because everything goes through the server's eth1 (Squid too), I
> am having a very hard time figuring out how to find which devices are
> compromised. Everything goes through managed HP ProCurve switches, which
> is not as helpful as one might think.
> 	How do I go about finding out where the attack originates inside
> and where it is coming from on the outside? Should I try to dump all the
> network traffic on eth0 and eth1 to disk? How (tcpdump)? Won't it slow the
> server to a crawl? Should I put a little Linux box between the server and
> the network just to capture the traffic? Should I put another HP switch
> for the same purpose? What to do with captured traffic?
> 	Any input will be very welcome. julius

First, don't jump to conclusions about this being an attack - it is 
fairly easy to create a routing loop with VPNs and NAT that blows things 
up unintentionally. Try a quick Wireshark capture, then do 
Statistics/Endpoints, click the TCP tab and look at the list sorted by 
Tx Packets (the default, I think). Another thing that can blow up NAT 
tables is a client program that does frequent retries to an unresponsive 
server - you'll see connection attempts that keep using different source 
port numbers. Someone might have misconfigured an email client to 
connect every few seconds or something like that.

   Les Mikesell
    lesmikesell at gmail.com
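The same triage Les describes (endpoint statistics sorted by packets sent, plus spotting a host that keeps retrying with a fresh source port and never gets an answer) can be done offline over a short text capture instead of dumping everything to disk. The script below is an added example and is not code from the thread or the list; the sample lines are constructed to look like `tcpdump -n` TCP output, the thresholds are assumptions, and the SYN/SYN-ACK matching is simplified to the `Flags [S]` and `Flags [S.]` forms.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines (made up for this example, not a real capture).
# 192.168.1.23 keeps retrying a mail server that never answers, each attempt from
# a new source port; 192.168.1.7 and 192.168.1.50 get normal SYN-ACK replies.
SAMPLE_CAPTURE = """\
10:00:01.000000 IP 192.168.1.23.54012 > 203.0.113.5.25: Flags [S], seq 100, win 64240, length 0
10:00:04.000000 IP 192.168.1.23.54013 > 203.0.113.5.25: Flags [S], seq 200, win 64240, length 0
10:00:07.000000 IP 192.168.1.23.54014 > 203.0.113.5.25: Flags [S], seq 300, win 64240, length 0
10:00:10.000000 IP 192.168.1.23.54015 > 203.0.113.5.25: Flags [S], seq 400, win 64240, length 0
10:00:13.000000 IP 192.168.1.23.54016 > 203.0.113.5.25: Flags [S], seq 500, win 64240, length 0
10:00:16.000000 IP 192.168.1.23.54017 > 203.0.113.5.25: Flags [S], seq 600, win 64240, length 0
10:00:02.000000 IP 192.168.1.7.40001 > 198.51.100.9.80: Flags [S], seq 700, win 64240, length 0
10:00:02.050000 IP 198.51.100.9.80 > 192.168.1.7.40001: Flags [S.], seq 1, ack 701, win 65535, length 0
10:00:02.051000 IP 192.168.1.7.40001 > 198.51.100.9.80: Flags [.], ack 2, win 64240, length 0
10:00:03.000000 IP 192.168.1.50.45000 > 198.51.100.9.80: Flags [S], seq 800, win 64240, length 0
10:00:03.040000 IP 198.51.100.9.80 > 192.168.1.50.45000: Flags [S.], seq 1, ack 801, win 65535, length 0
"""

# Matches the "timestamp IP src.port > dst.port: Flags [..]" prefix of a tcpdump -n TCP line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_capture(text):
    """Turn tcpdump-style TCP lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def endpoint_stats(records):
    """Per IP: packets sent, SYNs sent, distinct source ports used for SYNs, SYN-ACKs received.

    This is the same information as Wireshark's Statistics/Endpoints TCP tab,
    with the SYN bookkeeping added so retry storms stand out.
    """
    stats = defaultdict(lambda: {"tx_packets": 0, "syns": 0, "src_ports": set(), "synacks_rx": 0})
    for r in records:
        s = stats[r["src"]]
        s["tx_packets"] += 1
        if r["flags"] == "S":          # simplification: plain SYN only, ECN variants ignored
            s["syns"] += 1
            s["src_ports"].add(r["sport"])
        elif r["flags"] == "S.":       # SYN-ACK: credit the host being answered
            stats[r["dst"]]["synacks_rx"] += 1
    return dict(stats)


def top_talkers(stats, n=3):
    """IPs sorted by packets sent, like the Endpoints view sorted by Tx Packets."""
    return sorted(stats, key=lambda ip: stats[ip]["tx_packets"], reverse=True)[:n]


def retry_storm_sources(stats, min_syns=5):
    """Hosts that keep opening new connections (new source port per SYN) and never get a SYN-ACK.

    min_syns is an assumed threshold; tune it to the capture length.
    """
    return sorted(
        ip for ip, s in stats.items()
        if s["syns"] >= min_syns and len(s["src_ports"]) >= min_syns and s["synacks_rx"] == 0
    )


if __name__ == "__main__":
    stats = endpoint_stats(parse_capture(SAMPLE_CAPTURE))
    for ip in top_talkers(stats):
        s = stats[ip]
        print(f"{ip:16} tx={s['tx_packets']:3} syns={s['syns']:3} "
              f"ports={len(s['src_ports']):3} synacks_rx={s['synacks_rx']}")
    print("retry-storm candidates:", retry_storm_sources(stats))
```

To feed it a real capture, a short run such as `tcpdump -n -i eth1 tcp > capture.txt` on the LTSP server is enough; a minute or two of text output is far cheaper than dumping all traffic to disk, and the inside host topping the Tx Packets list, or the one flagged by `retry_storm_sources`, is where to look first.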
