re: DoS "Probing" on one of our hosts

From: Harlan Carvey (keydet89_at_yahoo.com)
Date: 06/30/03

  • Next message: Christopher Kunz: "Re: DoS "Probing" on one of our hosts" 
    Date: Sun, 29 Jun 2003 16:27:03 -0700 (PDT)
To: incidents@securityfocus.com

    Chris,

    A couple of quick questions for clarification...

    > So far, we've yet to determine even the most basic
    stuff

    First, if you don't even have "the most basic stuff",
    how do you know that this was a DoS attack? Could it
    have been a network outage, perhaps from the ISP?

    Second, by definition, a probe and a DoS attack are
    two wildly disparate events.

    > is there any tool to determine the source IPs of the

    > attack (even if they're spoofed,

    I'm not sure that you're really aware of what you're
    asking.

    > Snort sits on the attacked host and happily reports
    > SQL/Slammer and other trivial stuff, but goes
    through
    > one of the attacks without picking any signatures
    up.

    Snort takes action based on it's
    signatures...therefore, this "attack" would not have
    been logged if the signatures for it were not in the
    snort config file.

    I'm very interested to see what information you can
    provide on this event, to show that it was, in fact, a
    DoS attack.

    Thanks,

    Harlan

    __________________________________
    Do you Yahoo!?
    SBC Yahoo! DSL - Now only $29.95 per month!
    http://sbc.yahoo.com

    ----------------------------------------------------------------------------
    Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
    world's premier technical IT security event! 10 tracks, 15 training sessions,
    1,800 delegates from 30 nations including all of the top experts, from CSO's to
    "underground" security specialists. See for yourself what the buzz is about!
    Early-bird registration ends July 3. This event will sell out. www.blackhat.com
    ----------------------------------------------------------------------------

  • Next message: Christopher Kunz: "Re: DoS "Probing" on one of our hosts"