[K12OSN] K12OSN a bit OT - how to deal with a DOS attack
Les Mikesell
lesmikesell at gmail.com
Wed Sep 3 15:13:13 UTC 2008
Julius Szelagiewicz wrote:
>
>> First, don't jump to conclusions about this being an attack - it is
>> fairly easy to create a routing loop with VPN's and NAT that blow things
>> up unintentionally. Try a quick wireshark capture, then do
>> statistics/endpoints, click the tcp tab and look at the list sorted by
>> tx packets (the default, I think). Another thing that can blow up nat
>> tables is a client program that does frequent retries to an unresponsive
>> server - you'll see connection attempts that keep using different source
>> port numbers. Someone might have misconfigured an email client to
>> connect every few seconds or something like that.
>>
>> --
> Les, I grant you your points, but ...
> 32000 connections in 25 seconds, disconnecting all the windoze crap cures
> the problem ...
> I see it as an attack in the sense that I have an undiscovered virus or
> trojan.
> Time to learn wireshark.
If it is a virus, the source IPs may be faked, especially on UDP
packets. Try looking at the MAC addresses - but doing a short capture,
then Statistics is still the place to start. It's probably easier to
work with the numeric MAC address so go to View/Name Resolution/ and
uncheck the MAC layer (otherwise it tries to show the NIC vendor). Then
Statistics/endpoints/ethernet should show the busy talkers.
Ntop is also very good for quickly sorting out the sources of different
kinds of network activity but it can be a little harder to keep running
than wireshark.
Also, this is the time that it would be really handy to have set up
something like ocsinventory (http://www.ocsinventory-ng.org/) so you'd
already know the NIC MAC addresses. Otherwise you may have to hunt them
down following the mac table entries on your switches.
--
Les Mikesell
lesmikesell at gmail.com
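The triage Les describes (Statistics/Endpoints by Ethernet address sorted by transmitted packets, watching for one client that keeps retrying with fresh source ports, and trusting MACs over possibly forged IPs) can be scripted once you have packet summaries out of a capture. The following is an added example written for this thread, not code from the list or from any poster; it works on constructed tuples shaped like what `tshark -T fields` could produce (timestamp, source MAC, source IP, source port, destination IP, destination port, protocol) and flags top talkers, MACs that claim many source IPs, and retry storms that would fill a NAT table. All thresholds and sample hosts are assumptions for illustration.

```python
"""Top-talker and retry-storm triage over packet summaries (added example).

Emulates by script what the thread recommends doing by hand in Wireshark:
  * Statistics/Endpoints/Ethernet, sorted by Tx Packets  -> top_talkers()
  * "source IPs may be faked, look at the MAC"           -> likely_spoofed_sources()
  * "client retries with ever-changing source ports"      -> retry_storms()
The packet records are constructed for this example, not captured data.
"""
from collections import Counter, defaultdict


def _build_sample():
    """Constructed traffic: one normal host, one misconfigured mail client,
    one suspected worm flooding DNS with forged source IPs (all hypothetical)."""
    pkts = []
    # Ordinary workstation: a handful of web requests from one stable IP.
    for i in range(5):
        pkts.append((i * 2.0, "00:11:22:33:44:01", "192.168.1.10",
                     50000 + i, "93.184.216.34", 80, "tcp"))
    # Misconfigured POP3 client: retries every 0.5 s, new source port each time.
    for i in range(40):
        pkts.append((i * 0.5, "00:11:22:33:44:02", "192.168.1.20",
                     49152 + i, "192.168.1.2", 110, "tcp"))
    # Suspected worm: UDP flood, one MAC, source IP forged on every packet.
    for i in range(300):
        pkts.append((i * 0.01, "00:11:22:33:44:03",
                     f"10.{i % 7}.{i % 13}.{i % 251}",
                     1024 + i, "192.168.1.1", 53, "udp"))
    return sorted(pkts)


# (timestamp_s, src_mac, src_ip, src_port, dst_ip, dst_port, proto)
SAMPLE_PACKETS = _build_sample()


def tx_packets_by_mac(packets):
    """Same view as Wireshark Statistics/Endpoints/Ethernet, Tx Packets column."""
    return Counter(p[1] for p in packets)


def top_talkers(packets, n=3):
    """Busiest senders by MAC, most active first."""
    return tx_packets_by_mac(packets).most_common(n)


def likely_spoofed_sources(packets, max_ips=2):
    """MACs that emit packets with more than max_ips distinct source IPs.
    A single NIC legitimately has one or two addresses; dozens means the
    IP header is being forged and the MAC is the trustworthy identifier."""
    ips = defaultdict(set)
    for p in packets:
        ips[p[1]].add(p[2])
    return sorted(mac for mac, seen in ips.items() if len(seen) > max_ips)


def retry_storms(packets, window_s=25.0, min_attempts=20):
    """Flows where one MAC keeps opening new connections to the same
    server:port from changing source ports. Each attempt becomes a fresh
    NAT table entry, which is how a lone client can exhaust the table."""
    flows = defaultdict(list)
    for ts, mac, _sip, sport, dip, dport, proto in packets:
        flows[(mac, dip, dport, proto)].append((ts, sport))
    findings = []
    for (mac, dip, dport, proto), hits in flows.items():
        hits.sort()
        # Sliding window: largest number of attempts inside any window_s span.
        best, j = 0, 0
        for i in range(len(hits)):
            while hits[i][0] - hits[j][0] > window_s:
                j += 1
            best = max(best, i - j + 1)
        ports = {sp for _, sp in hits}
        if best >= min_attempts and len(ports) >= min_attempts:
            findings.append({"mac": mac, "dst": f"{dip}:{dport}/{proto}",
                             "attempts_in_window": best,
                             "distinct_src_ports": len(ports)})
    return sorted(findings, key=lambda f: -f["attempts_in_window"])


if __name__ == "__main__":
    print("Top talkers (MAC, tx packets):", top_talkers(SAMPLE_PACKETS))
    print("MACs with many source IPs:", likely_spoofed_sources(SAMPLE_PACKETS))
    for f in retry_storms(SAMPLE_PACKETS):
        print("Retry storm:", f)
```

With the constructed sample, the flood host tops the talker list and is the only MAC using many source IPs, while both the flood and the mail client show up as retry storms; the web client, with five packets, is never flagged. Once the MACs are known, the next step is the one Les gives: match them against an inventory such as ocsinventory or walk the switch MAC tables to find the physical ports.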