[K12OSN] K12OSN a bit OT - how to deal with a DOS attack

Julius Szelagiewicz julius at turtle.com
Tue Sep 2 21:20:44 UTC 2008


Dear Folks, and especially Terrell :-)
	I experienced a nasty DOS attack last Friday. I am using a
SonicWall Pro as a firewall (because I have some VPNs that my partners are
unwilling to change). The firewall stops responding when the table
controlling open connections gets full. All the PCs and terminals live
behind LTSP server, the internet traffic is proxied to a Squid box on
Comcast, the default goes through the Sonicwall.

	After some testing I've established that the attack happens when a
node inside requests it. That is, no attack if I shut down eth0 on the
server. Because everything goes through the server's eth1 (Squid too), I
am having a very hard time figuring out how to find which devices are
compromised. Everything goes through managed HP ProCurve switches, which
is not as helpful as one might think.

	How do I go about finding out where the attack originates inside
and where it is coming from on the outside? Should I try to dump all the
network traffic on eth0 and eth1 to disk? How (tcpdump)? Won't it slow the
server to a crawl? Should I put a little Linux box between the server and
the network just to capture the traffic? Should I put another HP switch
for the same purpose? What to do with captured traffic?

	Any input will be very welcome. julius
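An added example, not part of the original post: one answer to "what to do with captured traffic" is to rank internal hosts by how many outbound TCP SYNs they send, since a node generating a connection flood will stand out. The script parses tcpdump-style text lines (as produced by something like `tcpdump -n -i eth1 'tcp[tcpflags] & tcp-syn != 0'`, written to a file rather than analysed live); the interface, the 10.0.0.0/8 internal range and the sample lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of tcpdump text output (not a real capture).
# Host 10.0.0.15 opens many connections to many outside hosts/ports;
# 10.0.0.42 behaves normally; the last line is an inbound SYN-ACK.
SAMPLE = """\
21:20:44.100001 IP 10.0.0.15.51234 > 203.0.113.5.80: Flags [S], seq 1, win 65535, length 0
21:20:44.100002 IP 10.0.0.15.51235 > 203.0.113.5.80: Flags [S], seq 2, win 65535, length 0
21:20:44.100003 IP 10.0.0.15.51236 > 203.0.113.6.80: Flags [S], seq 3, win 65535, length 0
21:20:44.100004 IP 10.0.0.15.51237 > 203.0.113.7.443: Flags [S], seq 4, win 65535, length 0
21:20:44.100005 IP 10.0.0.42.40000 > 198.51.100.9.80: Flags [S], seq 5, win 65535, length 0
21:20:44.100006 IP 10.0.0.42.40001 > 198.51.100.9.80: Flags [S], seq 6, win 65535, length 0
21:20:44.100007 IP 10.0.0.15.51238 > 203.0.113.8.25: Flags [S], seq 7, win 65535, length 0
21:20:44.100008 IP 203.0.113.5.80 > 10.0.0.15.51234: Flags [S.], seq 9, ack 2, win 0, length 0
"""

# timestamp IP src.sport > dst.dport: Flags [..]  (greedy \S+ backtracks to the last dot)
LINE_RE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

def parse_syns(text, internal_net):
    """Yield (src_ip, dst_ip, dst_port) for pure SYNs sent by internal hosts.
    Flags exactly 'S' (no '.') means a new outbound connection attempt."""
    net = ip_network(internal_net)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, _sport, dst, dport, flags = m.groups()
        if flags != "S" or ip_address(src) not in net:
            continue
        yield src, dst, int(dport)

def top_talkers(text, internal_net="10.0.0.0/8", min_syns=3):
    """Return [(src, syn_count, distinct_dsts, distinct_ports)] sorted by SYN count,
    keeping only hosts at or above min_syns so normal clients drop out."""
    stats = defaultdict(lambda: {"syns": 0, "dsts": set(), "ports": set()})
    for src, dst, dport in parse_syns(text, internal_net):
        stats[src]["syns"] += 1
        stats[src]["dsts"].add(dst)
        stats[src]["ports"].add(dport)
    report = [(src, s["syns"], len(s["dsts"]), len(s["ports"]))
              for src, s in stats.items() if s["syns"] >= min_syns]
    return sorted(report, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    for src, syns, ndst, nports in top_talkers(SAMPLE):
        print(f"{src}: {syns} SYNs to {ndst} hosts on {nports} ports")
```

On a real capture, raise min_syns to fit the window length; the hosts left at the top of the list are the ones to pull off the switch and examine.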