[K12OSN] K12OSN a bit OT - how to deal with a DOS attack

Les Mikesell lesmikesell at gmail.com
Wed Sep 3 15:13:13 UTC 2008

Julius Szelagiewicz wrote:
>> First, don't jump to conclusions about this being an attack - it is
>> fairly easy to create a routing loop with VPN's and NAT that blow things
>> up unintentionally.  Try a quick wireshark capture, then do
>> statistics/endpoints, click the tcp tab and look at the list sorted by
>> tx packets (the default, I think).  Another thing that can blow up nat
>> tables is a client program that does frequent retries to an unresponsive
>> server - you'll see connection attempts that keep using different source
>> port numbers. Someone might have misconfigured an email client to
>> connect every few seconds or something like that.
>> --
> Les, I grant you your points, but ...
> 32000 connections in 25 seconds, disconnecting all the windoze crap cures
> the problem ...
> I see it as an attack in the sense that I have an undiscovered virus or
> trojan.
> Time to learn wireshark.

If it is a virus, the source IPs may be faked, especially on UDP 
packets.  Try looking at the MAC addresses - but doing a short capture, 
then Statistics is still the place to start.  It's probably easier to 
work with the numeric MAC address so go to View/Name Resolution/ and 
uncheck the MAC layer (otherwise it tries to show the NIC vendor).  Then 
Statistics/endpoints/ethernet should show the busy talkers.

Ntop is also very good for quickly sorting out the sources of different 
kinds of network activity but it can be a little harder to keep running 
than wireshark.

Also, this is the time that it would be really handy to have set up 
something like ocsinventory (http://www.ocsinventory-ng.org/) so you'd 
already know the NIC MAC addresses.  Otherwise you may have to hunt them 
down following the mac table entries on your switches.

   Les Mikesell
    lesmikesell at gmail.com
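Below is an added example, not code from the original thread or from Wireshark/Ntop, that reproduces in Python the two checks Les describes: the Statistics/Endpoints/Ethernet view (packets sent per source MAC, which survives faked source IPs), and the "client retrying an unresponsive server" pattern that shows up as one host burning through many different source ports toward the same destination. The packet records are constructed sample data, and the MAC addresses, IPs, window size and port threshold are assumptions chosen for illustration; on a real capture you would feed it the equivalent fields exported from tshark.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds since start of capture
    src_mac: str     # layer-2 source, hard to fake from inside the LAN
    src_ip: str      # layer-3 source, trivially faked on UDP
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str       # "tcp" or "udp"


def sample_capture():
    """Constructed sample traffic (not a real capture):
    - one PC retrying a mail server every half second on a fresh source port,
    - one PC spraying UDP with a different spoofed source IP on every packet,
    - one quiet host with a single normal connection.
    All addresses are made-up placeholders."""
    pkts = []
    for i in range(40):
        pkts.append(Packet(i * 0.5, "00:11:22:33:44:55", "10.0.0.12",
                           49152 + i, "10.0.0.5", 25, "tcp"))
    for i in range(60):
        pkts.append(Packet(i * 0.2, "66:77:88:99:aa:bb", f"172.16.{i % 7}.{i}",
                           5000, "10.0.0.1", 53, "udp"))
    pkts.append(Packet(3.0, "cc:dd:ee:ff:00:11", "10.0.0.20",
                       40001, "10.0.0.5", 80, "tcp"))
    return pkts


def endpoints_by_mac(pkts):
    """Same idea as Wireshark Statistics > Endpoints > Ethernet sorted by
    tx packets: who is talking the most, keyed on the MAC rather than the IP."""
    return Counter(p.src_mac for p in pkts).most_common()


def distinct_src_ips_by_mac(pkts):
    """Many distinct source IPs behind a single MAC is a strong hint that the
    IP addresses are being faked and the MAC is the thing to hunt down."""
    seen = defaultdict(set)
    for p in pkts:
        seen[p.src_mac].add(p.src_ip)
    return {mac: len(ips) for mac, ips in seen.items()}


def retry_storms(pkts, window=30.0, min_ports=20):
    """Flag (src_mac, dst_ip, dst_port) triples that use at least min_ports
    distinct TCP source ports within any window-second span. Each new source
    port is a new NAT table entry, which is how a misconfigured client that
    retries every few seconds can exhaust the NAT table on its own."""
    flows = defaultdict(list)
    for p in pkts:
        if p.proto == "tcp":
            flows[(p.src_mac, p.dst_ip, p.dst_port)].append((p.ts, p.src_port))
    hits = []
    for key, events in flows.items():
        events.sort()
        j = 0
        best = 0
        for i in range(len(events)):
            # slide the window start forward until it fits within `window`
            while events[i][0] - events[j][0] > window:
                j += 1
            best = max(best, len({port for _, port in events[j:i + 1]}))
        if best >= min_ports:
            hits.append((key, best))
    return hits


if __name__ == "__main__":
    pkts = sample_capture()
    print("busiest talkers by MAC:", endpoints_by_mac(pkts))
    print("distinct source IPs per MAC:", distinct_src_ips_by_mac(pkts))
    print("retry storms:", retry_storms(pkts))
```

On the constructed data the top talker by MAC is the UDP sprayer, which would look like sixty different hosts in an IP-keyed view; the mail-client retry shows up only in the source-port check, since its single IP and modest packet count are unremarkable on their own.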
