Re: recover from possible DOS attack!

From: Johannes B. Ullrich (jullrich@euclidian.com)
Date: 10/17/01


Date: Wed, 17 Oct 2001 13:04:56 -0400 (EDT)
From: "Johannes B. Ullrich" <jullrich@euclidian.com>
To: Gavin <gauin_36@d3.dion.ne.jp>
Subject: Re: recover from possible DOS attack!
Message-ID: <Pine.LNX.4.33.0110171302090.12204-100000@johannes.euclidian.com>



> I work at a small company and for the last 4 days our small network (4
> computers!!!) could not and still can not get online, I told my boss it might
> be a DOS (Denial of service) attack. All the files seem to be OK but I just
> can't get online, Question, how do you recover from this type of attack??
>
> The OS's are Windows ME and Windows 2000 the other boxes are Linux (Mandrake
> and RedHat) all connected via a router. My friend told me to just reset the
> router connection (internet connection) and all will be well, but I just want
> some expert advice before doing so. I hope to hear from someone soon.
>

Resetting the router may be a good first step. There are a number of
reasons why you could lose your internet connection. If resetting the
router doesn't help, and calling the tech support for your ISP fails,
set up a sniffer to see what kind of traffic you have hitting the router.
Try to find patterns and see if it matches known DOS attacks. Many DOS
attacks follow certain patterns (e.g. from certain sources or traffic
type). Block this traffic on your router.

You may need the cooperation of your ISP as they may have to block the
traffic so it does not fill up the line to your router.

--
-------
jullrich@sans.org Join http://www.DShield.org
                          Distributed Intrusion Detection System

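An added example, not part of the original message: one way to look for the patterns the reply mentions (dominant sources or a dominant traffic type) in a sniffer capture before deciding what to block. It assumes the capture was saved as `tcpdump -n` text output; the sample lines are constructed, use documentation address ranges, and the `min_share` threshold is a hypothetical tuning value.

```python
import re
from collections import Counter

# Constructed sample in `tcpdump -n` text format (not real traffic).
SAMPLE = "\n".join(
    [f"13:04:56.{i:06d} IP 203.0.113.{i}.{4000 + i} > 192.0.2.10.80: "
     f"Flags [S], seq {i}, win 512, length 0" for i in range(1, 7)]
    + [
        "13:04:57.000001 IP 198.51.100.7 > 192.0.2.10: ICMP echo request, id 1, seq 1, length 64",
        "13:04:57.000002 IP 198.51.100.9.5000 > 192.0.2.10.33333: UDP, length 120",
        "13:04:57.000003 IP 198.51.100.20.51000 > 192.0.2.10.25: Flags [.], ack 1, win 512, length 0",
        "13:04:57.000004 IP 198.51.100.20.51000 > 192.0.2.10.25: Flags [P.], seq 1:20, ack 1, win 512, length 19",
    ]
)

# src/dst are IPv4 addresses, each optionally followed by ".port".
LINE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)

def classify(rest, dport):
    """Reduce a packet summary to a coarse traffic type."""
    if rest.startswith("ICMP"):
        return rest.split(",")[0].lower()          # e.g. "icmp echo request"
    if rest.startswith("UDP"):
        return f"udp/{dport}"
    m = re.match(r"Flags \[([^\]]*)\]", rest)
    return f"tcp/{dport} flags={m.group(1)}" if m else "other"

def summarize(capture, min_share=0.5):
    """Return (packets parsed, [(field, value, share)]) for values at or above min_share."""
    by_src, by_kind = Counter(), Counter()
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue                               # skip lines that are not IPv4 summaries
        by_src[m["src"]] += 1
        by_kind[classify(m["rest"], m["dport"])] += 1
    total = sum(by_src.values())
    dominant = [
        (field, value, round(n / total, 2))
        for field, counts in (("source", by_src), ("traffic type", by_kind))
        for value, n in counts.most_common()
        if n / total >= min_share
    ]
    return total, dominant

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

In the constructed sample no single source stands out but one traffic type does, which is the case where a filter on traffic type rather than on source address is the one to put on the router or request from the ISP.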


