[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [K12OSN] K12OSN a bit OT - how to deal with a DOS attack



Julius Szelagiewicz wrote:
Dear Folks, and especially Terrell :-)
	I've experienced a nasty DOS attack last Friday. I am using a
SonicWall Pro as a firewall (because I have some VPNs that my partners are
unwilling to change). The firewall stops responding when the table
controlling open connections gets full. All the PCs and terminals live
behind LTSP server, the internet traffic is proxied to a Squid box on
Comcast, the default goes through the Sonicwall.

	After some testing I've established that the attack happens when a
node inside requests it. That is, no attack if I shut down eth0 on the
server. Because everything goes through the server's eth1 (Squid too), I
am having a very hard time figuring out how to find which devices are
compromised. Everything goes through managed HP ProCurve switches, which
is not as helpful as one might think.

	How do I go about finding out where the attack originates inside
and where it is coming from on the outside? Should I try to dump all the
network traffic on eth0 and eth1 to disk? How (tcpdump)? Won't it slow the
server to a crawl? Should I put a little Linux box between the server and
the network just to capture the traffic? Should I put another HP switch
for the same purpose? What to do with captured traffic?

	Any input will be very welcome. julius

First, don't jump to conclusions about this being an attack - it is fairly easy to create a routing loop with VPNs and NAT that blow things up unintentionally. Try a quick Wireshark capture, then do Statistics/Endpoints, click the TCP tab and look at the list sorted by tx packets (the default, I think). Another thing that can blow up NAT tables is a client program that does frequent retries to an unresponsive server - you'll see connection attempts that keep using different source port numbers. Someone might have misconfigured an email client to connect every few seconds or something like that.

--
  Les Mikesell
   lesmikesell gmail com
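The two things Les suggests looking at (the endpoint list sorted by transmitted packets, and a host retrying a dead server from a fresh source port each time) can be pulled out of a plain `tcpdump -n` text capture without loading Wireshark. The script below is an added example, not code from this thread or from the K12OSN project; it assumes the standard `tcpdump -n` line format for TCP and uses a constructed capture (one normal browser host, one host whose mail client retries an unresponsive SMTP server every second from a new port). The `min_syns` threshold is an assumption to tune to the capture window.

```python
"""Rank internal hosts by packets sent and flag retry storms (many SYNs to one
destination from ever-changing source ports), the pattern that exhausts a
firewall's NAT/connection table. Added example; capture lines are constructed."""
import re
import sys
from collections import defaultdict

# One line of `tcpdump -n` output for TCP, e.g.
# 10:00:01.000000 IP 192.168.1.23.50123 > 203.0.113.5.25: Flags [S], seq 0, win 64240, length 0
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_capture(lines):
    """Yield (src, sport, dst, dport, flags) for each TCP line; other lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]


def endpoint_stats(lines):
    """Per source host: packets sent, pure SYNs sent, and the set of source
    ports used toward each (dst, dport). Roughly Wireshark's Statistics/Endpoints."""
    stats = defaultdict(lambda: {"tx": 0, "syn": 0, "sports_by_dst": defaultdict(set)})
    for src, sport, dst, dport, flags in parse_capture(lines):
        s = stats[src]
        s["tx"] += 1
        # "S" is a client SYN; "S." is the server's SYN-ACK, which is not a new connection attempt
        if "S" in flags and "." not in flags:
            s["syn"] += 1
            s["sports_by_dst"][(dst, dport)].add(sport)
    return stats


def rank_by_tx(stats):
    """Hosts ordered by transmitted packets, highest first (Les's 'sorted by tx packets')."""
    return sorted(stats, key=lambda h: stats[h]["tx"], reverse=True)


def find_retry_storms(stats, min_syns=20):
    """Return (src, (dst, dport), n) where one host opened at least min_syns
    connections to the same destination, each from a different source port.
    Ordinary TCP retransmission reuses the same port; a client opening a new
    socket per retry does not, and each attempt costs the firewall a table entry."""
    storms = []
    for src, s in stats.items():
        for dst, ports in s["sports_by_dst"].items():
            if len(ports) >= min_syns:
                storms.append((src, dst, len(ports)))
    return storms


def constructed_capture():
    """Constructed tcpdump-style lines (not a real network): 192.168.1.10 browses
    normally, 192.168.1.23 retries a dead SMTP server once a second from a new port."""
    lines = []
    for i in range(5):
        lines.append(f"10:00:0{i}.000000 IP 192.168.1.10.4400{i} > 198.51.100.7.443: "
                     "Flags [S], seq 0, win 64240, length 0")
        lines.append(f"10:00:0{i}.010000 IP 198.51.100.7.443 > 192.168.1.10.4400{i}: "
                     "Flags [S.], seq 0, ack 1, win 65535, length 0")
    for i in range(40):
        lines.append(f"10:01:{i:02d}.000000 IP 192.168.1.23.{50000 + i} > 203.0.113.5.25: "
                     "Flags [S], seq 0, win 64240, length 0")
    # A non-TCP line, to show the parser ignores it
    lines.append("10:02:00.000000 IP 192.168.1.10 > 203.0.113.9: ICMP echo request, id 1, seq 1, length 64")
    return lines


if __name__ == "__main__":
    # Pass "-" to read a live capture from stdin, otherwise use the constructed sample
    source = sys.stdin if len(sys.argv) > 1 and sys.argv[1] == "-" else constructed_capture()
    stats = endpoint_stats(source)
    for host in rank_by_tx(stats):
        s = stats[host]
        print(f"{host:15} tx={s['tx']:4} syn={s['syn']:4}")
    for src, (dst, dport), n in find_retry_storms(stats):
        print(f"retry storm: {src} -> {dst}:{dport}, {n} SYNs from distinct source ports")
```

On Julius's worry about slowing the server: the script only needs headers, so capturing with a short snaplen (`tcpdump -n -s 96 -i eth0 tcp | python3 nat_stats.py -`) keeps disk and CPU cost low, and running it against eth1 separately shows which inside host is behind the traffic the proxy forwards. Any host that appears in the retry-storm list is the first place to look for the misconfigured client Les describes.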

