Security Basics mailing list archives
RE: DOS attacks
From: "Gary Freeman" <Gary.Freeman () rci rogers com>
Date: Fri, 6 Aug 2004 13:55:34 -0400
Hi Paul (we're family :-),

I would do one of two things (both of which we've done successfully for Ted's homepage in the past):

1) Place a Snort probe on the same VLAN that your web servers are running on and run the signatures geared toward Stream4 HTTP decode and web attacks. Load SnortSnarf locally to generate reports straight to an Apache website; it can be cron'd every hour if you like.

2) Build a honeypot and place it in your web DMZ as a sacrificial lamb. Attackers will think it's the real thing and can even go as far as getting root, installing a rootkit and trying to run an IRC or mirror off that box.

If you don't have any IDS/IDP on your server DMZ or user segments, then Cable should look into purchasing it. I've been running Snort probes in all the DMZs, web access and VPN blocks for two years now, and since our last worm outbreak the CIOs have taken an interest in replacing them with a supported solution.

Give me a call if you'd like (name's on the GAL)...

Gary Freeman
Network Security Specialist
RSS-IT Security Planning

********************************************
This transmission may contain information that is privileged, confidential and/or exempt from disclosure under applicable law. If you are not the intended recipient, do not read the contents and delete it immediately.
********************************************

-----Original Message-----
From: Paul Ryan (Wave)
Sent: Friday, August 06, 2004 12:27 PM
To: security-basics () securityfocus com
Subject: DOS attacks
Importance: High

Are there any forensic-type tools to assist me in the following situation? I have a small group of my Internet customers attacking an external web server. Rather than just cut them off, I've spoken to the server admin and received his syslogs. What I would like to do is get to the root cause, whether it be purposeful or a worm/Trojan.

Thus far I've Retina/Nessus scanned and profiled the traffic to the server (to get a packet/bandwidth total). Is there anything else you can recommend? Any comments will be greatly appreciated.

Regards,
paul

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html
---------------------------------------------------------------------------
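The per-source traffic profiling Paul describes (request and byte totals per customer host), carried one step further to help with his "purposeful or worm/Trojan" question, as an added example that is not code from either message in this thread. It parses Apache-style access-log lines such as the server admin's syslogs would contain, computes per-IP request rate, byte count, distinct-URI count and error ratio, and applies a simple triage rule: a host sending many requests per second to only one or two URIs looks automated, while a human browsing session is low-rate and varied. The log lines are constructed for the example and the thresholds in `classify` are assumptions to be tuned against a real baseline, not values from any tool.

```python
"""Per-source profile of a web server's access log, separating a
high-rate, low-diversity flood (what a worm or scripted DoS tends to
look like) from ordinary browsing.

Added example; not code from the list post. Log lines are constructed
and the thresholds are assumed, not taken from any tool or standard.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache common/combined request line; referer and user-agent after the
# size field, if present, are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "uri": m["uri"],
        "status": int(m["status"]),
        "size": 0 if m["size"] == "-" else int(m["size"]),
    }


def profile(lines):
    """Per IP: requests, bytes, distinct URIs, error ratio and request
    rate (requests per second over that host's first..last request)."""
    acc = defaultdict(lambda: {"requests": 0, "bytes": 0, "uris": set(),
                               "errors": 0, "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip unparseable lines, don't abort
        a = acc[rec["ip"]]
        a["requests"] += 1
        a["bytes"] += rec["size"]
        a["uris"].add(rec["uri"])
        if rec["status"] >= 400:
            a["errors"] += 1
        if a["first"] is None or rec["ts"] < a["first"]:
            a["first"] = rec["ts"]
        if a["last"] is None or rec["ts"] > a["last"]:
            a["last"] = rec["ts"]

    stats = {}
    for ip, a in acc.items():
        span = (a["last"] - a["first"]).total_seconds()
        # All requests in one second give span 0; use a one-second window
        # instead of dividing by zero.
        rate = a["requests"] / (span if span > 0 else 1.0)
        stats[ip] = {
            "requests": a["requests"],
            "bytes": a["bytes"],
            "distinct_uris": len(a["uris"]),
            "error_ratio": a["errors"] / a["requests"],
            "rate_per_s": rate,
        }
    return stats


def classify(stats, rate_threshold=5.0, max_distinct_uris=3):
    """Heuristic triage. Thresholds are assumptions chosen for the sample
    data; tune them against the real log's baseline before trusting them."""
    verdicts = {}
    for ip, s in stats.items():
        if s["rate_per_s"] >= rate_threshold and s["distinct_uris"] <= max_distinct_uris:
            verdicts[ip] = "automated: high rate, few URIs"
        elif s["rate_per_s"] >= rate_threshold:
            verdicts[ip] = "high rate, varied URIs"
        else:
            verdicts[ip] = "normal"
    return verdicts


# --- constructed sample log (not real traffic) ---------------------------
def _entry(ip, second, uri, status=200, size="512"):
    return (f'{ip} - - [06/Aug/2004:12:00:{second:02d} -0400] '
            f'"GET {uri} HTTP/1.0" {status} {size}')

SAMPLE_LOG = (
    # 10.0.0.5: ten hits on one page inside two seconds -> flood-like
    [_entry("10.0.0.5", 0, "/index.html") for _ in range(5)]
    + [_entry("10.0.0.5", 1, "/index.html") for _ in range(5)]
    # 10.0.0.7: three pages over forty seconds -> looks like a person
    + [_entry("10.0.0.7", 0, "/"), _entry("10.0.0.7", 20, "/about.html"),
       _entry("10.0.0.7", 40, "/contact.html", size="-")]
    # 10.0.0.9: eight different paths in one second, all 404 -> scanner-like
    + [_entry("10.0.0.9", s % 2, f"/probe{s}.cgi", status=404) for s in range(8)]
    + ["garbage line that should be skipped"]
)

if __name__ == "__main__":
    stats = profile(SAMPLE_LOG)
    for ip, verdict in classify(stats).items():
        s = stats[ip]
        print(f'{ip:10} {s["requests"]:3d} req {s["rate_per_s"]:6.2f}/s '
              f'{s["distinct_uris"]:2d} uris err={s["error_ratio"]:.2f} -> {verdict}')
```

Run against the real log with `profile(open(path))` and sort by `rate_per_s` or `bytes` to get the top talkers; a customer host that scores "automated" against a single URI around the clock is worth checking for a worm or bot before assuming the customer is doing it on purpose, whereas a varied, high-rate, mostly-404 pattern is what a scanning tool produces.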
Current thread:
- DOS attacks Paul Ryan (Aug 06)
- Re: DOS attacks Miles Stevenson (Aug 09)
- <Possible follow-ups>
- RE: DOS attacks Michael Shirk (Aug 06)
- RE: DOS attacks Gary Freeman (Aug 09)