Re: DoS "Probing" on one of our hosts

From: Edward Balas (ebalas_at_iu.edu)
Date: 06/30/03

    Date: Mon, 30 Jun 2003 09:37:03 -0500 (EST)
    To: chris@de-punkt.de
    
    

    On Sun, 29 Jun 2003, Christopher Kunz wrote:

    > Hey,
    >
    > we have been encountering three short DoS attacks during the weekend -
    > each one around 1 hour in length and with about 100mbit worth of
    > bandwidth. So far, we've yet to determine even the most basic stuff,
    > since we don't seem to have any logging. I have two questions regarding
    > this:

    > 1. isn't one hour a pretty short time for a DoS? I've seen attacks on
    > other nets lasting for hours, sometimes up to a day...

    Depends on the nature of the attack; from what I have seen this is not
    uncommon. I've seen this type against IRC servers quite often.

    > 2. is there any tool to determine the source IPs of the attack (even if
    > they're spoofed, I'd like to see _anything_)? Snort sits on the attacked
    > host and happily reports SQL/Slammer and other trivial stuff, but goes
    > through one of the attacks without picking any signatures up.
    >

    If you have access to the netflow accounting data for the routers, then
    you can backtrace the traffic to the incoming network. Or if you don't,
    your ISP may. They probably won't be interested in helping backtrack
    this given the short duration.

    Edward Balas
     
    > Regards,
    >
    > --ck
    >
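
The netflow backtrace suggested in the reply above, as an added example that is not part of the original message: it ranks router ingress interfaces and source prefixes by bytes sent to the attacked host during the attack window. The record layout, router names, addresses and byte counts are constructed assumptions, standing in for records exported from a flow collector.

```python
import ipaddress
from collections import Counter

# Constructed sample flow records (documentation addresses, not data from the thread).
# Assumed layout: (router, input_ifindex, src_ip, dst_ip, bytes, start_epoch)
FLOWS = [
    ("edge1", 3, "198.51.100.7",   "192.0.2.10", 400_000_000, 1000),
    ("edge1", 3, "203.0.113.99",   "192.0.2.10", 350_000_000, 1200),
    ("edge1", 3, "198.51.100.200", "192.0.2.10", 250_000_000, 1500),
    ("edge2", 1, "203.0.113.5",    "192.0.2.10",  20_000_000, 1300),
    ("edge2", 1, "203.0.113.5",    "192.0.2.20", 900_000_000, 1300),  # other host
    ("edge1", 3, "198.51.100.7",   "192.0.2.10", 500_000_000, 9000),  # after attack
]

def backtrace(flows, victim, start, end, prefix_len=24):
    """Rank ingress points and source prefixes by bytes sent to `victim`
    during [start, end). The ingress (router, interface) pair is recorded by
    the router itself, so it stays meaningful when source IPs are spoofed."""
    victim_ip = ipaddress.ip_address(victim)
    by_ingress, by_prefix = Counter(), Counter()
    for router, ifindex, src, dst, nbytes, ts in flows:
        if ipaddress.ip_address(dst) != victim_ip or not (start <= ts < end):
            continue
        by_ingress[(router, ifindex)] += nbytes
        net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        by_prefix[str(net)] += nbytes
    return by_ingress.most_common(), by_prefix.most_common()

def ingress_share(ranked):
    """Fraction of attack-window bytes that entered through each ingress point."""
    total = sum(n for _, n in ranked)
    return {key: n / total for key, n in ranked} if total else {}

if __name__ == "__main__":
    ingress, prefixes = backtrace(FLOWS, "192.0.2.10", start=1000, end=4600)
    for (router, ifindex), share in ingress_share(ingress).items():
        print(f"{router} ifIndex {ifindex}: {share:.1%} of bytes to victim")
    for prefix, nbytes in prefixes:
        print(f"{prefix}: {nbytes} bytes")
```

An ingress interface that carries nearly all of the bytes identifies the upstream link to take to the ISP, while a very wide spread of source prefixes on that one interface is consistent with spoofed sources.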


