[K12OSN] K12OSN a bit OT - how to deal witha DOS attack

Julius Szelagiewicz julius at turtle.com
Wed Sep 3 00:09:34 UTC 2008

> Julius Szelagiewicz wrote:
>> Dear Folks, and especially Terrell :-)
>> 	I've experienced a nasty DOS attack last Friday. I am using a
>> SonicWall Pro as a firewall (because I have some VPNs that my partners
>> are
>> unwilling to change). The firewall stops responding when the table
>> controlling open connections gets full. All the PCs and terminals live
>> behind LTSP server, the internet traffic is proxied to a Squid box on
>> Comcast, the default goes through the Sonicwall.
>> 	After some testing I've established that the attack happens when a
>> node inside requests it. That is, no attack if i shut down eth0 on the
>> server. Because everything goes through the server's eth1 (Squid too), i
>> am having a very hard time figuring out how to find which devices are
>> compromised. Everything goes through managed HP ProCurve switches, which
>> is not as helpful as one might think.
>> 	How do I go about finding out where the attack originates inside
>> and where it is coming from on the outside? should I try to dump all the
>> network traffic on eth0 and eth1 to disk? How (tcpdump)? Won't it slow
>> the
>> server to a crawl? Should I put a little Linux box between the server
>> and
>> the network just to capture the traffic? Should I put another HP switch
>> for the same purpose? What to do with captured traffic?
>> 	Any input will be very welcome. julius
> First, don't jump to conclusions about this being an attack - it is
> fairly easy to create a routing loop with VPN's and NAT that blow things
> up unintentionally.  Try a quick wireshark capture, then do
> statistics/endpoints, click the tcp tab and look at the list sorted by
> tx packets (the default, I think).  Another thing that can blow up nat
> tables is a client program that does frequent retries to an unresponsive
> server - you'll see connection attempts that keep using different source
> port numbers. Someone might have misconfigured an email client to
> connect every few seconds or something like that.
> --
Les, I grant you your points, but ...
32000 connections in 25 seconds, disconnecting all the windoze crap cures
the problem ...
I see it as an attack in the sense that I have an undiscovered virus or
Time to learn wireshark.
Thank you, julius

More information about the K12OSN mailing list