[K12OSN] K12OSN a bit OT - how to deal with a DOS attack

Les Mikesell lesmikesell at gmail.com
Wed Sep 3 15:13:13 UTC 2008


Julius Szelagiewicz wrote:
>
>> First, don't jump to conclusions about this being an attack - it is
>> fairly easy to create a routing loop with VPN's and NAT that blow things
>> up unintentionally.  Try a quick wireshark capture, then do
>> statistics/endpoints, click the tcp tab and look at the list sorted by
>> tx packets (the default, I think).  Another thing that can blow up nat
>> tables is a client program that does frequent retries to an unresponsive
>> server - you'll see connection attempts that keep using different source
>> port numbers. Someone might have misconfigured an email client to
>> connect every few seconds or something like that.
>>
>> --
> Les, I grant you your points, but ...
> 32000 connections in 25 seconds, disconnecting all the windoze crap cures
> the problem ...
> I see it as an attack in the sense that I have an undiscovered virus or
> trojan.
> Time to learn wireshark.

If it is a virus, the source IPs may be faked, especially on UDP 
packets.  Try looking at the MAC addresses - but doing a short capture, 
then Statistics is still the place to start.  It's probably easier to 
work with the numeric MAC address so go to View/Name Resolution/ and 
uncheck the MAC layer (otherwise it tries to show the NIC vendor).  Then 
Statistics/endpoints/ethernet should show the busy talkers.

Ntop is also very good for quickly sorting out the sources of different 
kinds of network activity but it can be a little harder to keep running 
than wireshark.

Also, this is the time that it would be really handy to have set up 
something like ocsinventory (http://www.ocsinventory-ng.org/) so you'd 
already know the NIC MAC addresses.  Otherwise you may have to hunt them 
down following the mac table entries on your switches.

-- 
   Les Mikesell
    lesmikesell at gmail.com
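The triage Les describes (capture briefly, tally endpoints by transmitted packets, look for one host burning through source ports against an unresponsive server, and prefer MAC addresses because source IPs may be faked) can be scripted over exported packet fields. The following is an added example, not code from Les or the K12OSN list. It assumes a simplified, constructed per-packet line format (source MAC, source IP, protocol, source port, destination IP) and uses hand-written sample lines; the thresholds `min_ports` and `min_ips` are arbitrary choices for the demonstration.

```python
"""Endpoint triage over a small, constructed packet summary.

Added example for the K12OSN thread, not the list's or Wireshark's own code.
Each line is assumed to hold: src_mac src_ip proto src_port dst_ip.
"""
from collections import Counter, defaultdict

# Constructed sample capture (not real traffic). Three talkers:
#  ...:01  one ordinary TCP connection, three packets on one source port
#  ...:02  retry storm: every packet to 10.0.0.8 uses a fresh source port
#  ...:03  UDP with a different (likely forged) source IP on every packet
SAMPLE_CAPTURE = """\
00:11:22:33:44:01 192.168.1.10 tcp 51234 10.0.0.5
00:11:22:33:44:01 192.168.1.10 tcp 51234 10.0.0.5
00:11:22:33:44:01 192.168.1.10 tcp 51234 10.0.0.5
00:11:22:33:44:02 192.168.1.20 tcp 40001 10.0.0.8
00:11:22:33:44:02 192.168.1.20 tcp 40002 10.0.0.8
00:11:22:33:44:02 192.168.1.20 tcp 40003 10.0.0.8
00:11:22:33:44:02 192.168.1.20 tcp 40004 10.0.0.8
00:11:22:33:44:02 192.168.1.20 tcp 40005 10.0.0.8
00:11:22:33:44:02 192.168.1.20 tcp 40006 10.0.0.8
00:11:22:33:44:02 192.168.1.20 tcp 40007 10.0.0.8
00:11:22:33:44:02 192.168.1.20 tcp 40008 10.0.0.8
00:11:22:33:44:03 10.9.8.1 udp 5000 10.0.0.9
00:11:22:33:44:03 10.9.8.2 udp 5000 10.0.0.9
00:11:22:33:44:03 10.9.8.3 udp 5000 10.0.0.9
00:11:22:33:44:03 10.9.8.4 udp 5000 10.0.0.9
00:11:22:33:44:03 10.9.8.5 udp 5000 10.0.0.9
00:11:22:33:44:03 10.9.8.6 udp 5000 10.0.0.9
"""


def parse_capture(text):
    """Turn the assumed five-field lines into a list of packet records."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mac, ip, proto, sport, dst = line.split()
        records.append({"mac": mac.lower(), "ip": ip, "proto": proto.lower(),
                        "sport": int(sport), "dst": dst})
    return records


def endpoints_by_tx(records, key="mac"):
    """Endpoints sorted by packets sent, like Statistics/Endpoints sorted by tx.

    key="mac" groups by NIC (hard to forge on a LAN); key="ip" groups by
    source IP, which a virus may fake, especially for UDP.
    """
    return Counter(r[key] for r in records).most_common()


def retry_storm_suspects(records, min_ports=5):
    """(mac, dst) pairs whose TCP packets use many distinct source ports.

    A client retrying an unresponsive server opens a new connection, and thus
    a new source port, on every attempt; that is what fills NAT tables.
    """
    ports = defaultdict(set)
    for r in records:
        if r["proto"] == "tcp":
            ports[(r["mac"], r["dst"])].add(r["sport"])
    return {k: len(v) for k, v in ports.items() if len(v) >= min_ports}


def spoof_suspects(records, min_ips=3):
    """MACs that appear behind several source IPs: a sign of forged addresses."""
    ips = defaultdict(set)
    for r in records:
        ips[r["mac"]].add(r["ip"])
    return {mac: sorted(v) for mac, v in ips.items() if len(v) >= min_ips}


if __name__ == "__main__":
    recs = parse_capture(SAMPLE_CAPTURE)
    print("busiest NICs (tx packets):", endpoints_by_tx(recs)[:3])
    print("retry storms:", retry_storm_suspects(recs))
    print("possible spoofed sources:", spoof_suspects(recs))
```

On the constructed sample the busiest NIC is the retry-storm host, the same host is the only (mac, dst) pair flagged for churning source ports, and the UDP talker is the only NIC seen behind several source IPs, which is why grouping by MAC rather than IP is the first cut. The MACs found this way can then be matched against an inventory or chased through switch MAC tables as the reply suggests.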