Security Basics mailing list archives
Re: DOS Attack?
From: Mario Pascucci <ilpettegolo () yahoo it>
Date: Thu, 25 Nov 2004 23:14:08 +0100
On Thu, 2004-11-25 at 03:22, Shawn Wall wrote:
> Hi List,
>
> I'm currently experiencing network outages due to what appears to be DOS attacks. I'm running a wireless ISP using a Cisco 2611 and CBAC and I have a /24 public address range. During the outage I can see traffic from a single external host sending thousands of packets to a single internal host. I don't have port 80 inbound open in my ACLs so I don't understand how the external host is even able to contact the internal host to begin with. Secondly, how is it possible for an attack on 1 internal host to cripple the rest of my network?
>
> Any feedback would be welcome. Thanks.
Hi,

consider that most worms (like Gaobot or SDbot or almost all *bot worms) use a connection from the infected PC to an attacker-owned IRC server, to give control even if the PC is behind a firewall. Through this connection, the attacker can send "updates" to the viral code, or get data from the infected PC.

If you can, check the kind of traffic and the TCP ports at the ends of the connection. Try to use a sniffer, if you can, to detect the type of connection and the direction of the traffic.

HTH

--
Mario "Reliant" Pascucci
http://ilpettegolo.altervista.org/
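One way to run the direction check suggested in the reply above over saved `tcpdump -nn -tt` output: the side that sent the first SYN (without ACK) is the side that opened the connection. This is an added example, not part of the thread; the internal range 192.0.2.0/24, the addresses and the capture lines are constructed stand-ins.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: stand-in for the ISP's public /24 (documentation range).
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")

# Matches tcpdump TCP lines: "<ts> IP src.sport > dst.dport: Flags [..], ..."
LINE_RE = re.compile(r"^\S+ IP ([\d.]+)\.(\d+) > ([\d.]+)\.(\d+): Flags \[([^\]]*)\]")

# Constructed sample capture, not data from the thread.
SAMPLE = """\
1101420000.000001 IP 192.0.2.45.1034 > 198.51.100.7.6667: Flags [S], seq 1, win 64240, length 0
1101420000.080001 IP 198.51.100.7.6667 > 192.0.2.45.1034: Flags [S.], seq 9, ack 2, win 5840, length 0
1101420000.080101 IP 192.0.2.45.1034 > 198.51.100.7.6667: Flags [.], ack 10, win 64240, length 0
1101420001.000001 IP 198.51.100.7.6667 > 192.0.2.45.1034: Flags [P.], seq 10:90, ack 2, win 5840, length 80
1101420001.100001 IP 198.51.100.7.6667 > 192.0.2.45.1034: Flags [P.], seq 90:170, ack 2, win 5840, length 80
1101420002.000001 IP 203.0.113.9.4000 > 192.0.2.80.25: Flags [S], seq 5, win 8192, length 0
1101420002.050001 IP 192.0.2.80.25 > 203.0.113.9.4000: Flags [S.], seq 7, ack 6, win 5840, length 0
"""

def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET

def summarize(capture):
    """Per TCP conversation: who sent the first SYN, and packet counts each way."""
    convs = defaultdict(lambda: {"initiator": None, "inbound": 0, "outbound": 0})
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a TCP line in the expected format
        src, sport, dst, dport, flags = m.groups()
        if is_internal(src) == is_internal(dst):
            continue  # traffic that does not cross the network border
        inside = (src, sport) if is_internal(src) else (dst, dport)
        outside = (dst, dport) if is_internal(src) else (src, sport)
        conv = convs[(inside, outside)]
        conv["outbound" if is_internal(src) else "inbound"] += 1
        if flags == "S" and conv["initiator"] is None:  # SYN without ACK
            conv["initiator"] = "internal" if is_internal(src) else "external"
    return dict(convs)

def inside_initiated(capture):
    """Keys ((in_ip, in_port), (out_ip, out_port)) of connections opened from inside."""
    return sorted(k for k, v in summarize(capture).items() if v["initiator"] == "internal")

if __name__ == "__main__":
    print(inside_initiated(SAMPLE))
```

A conversation that shows up as inside-initiated but carries mostly inbound packets fits the pattern described in the reply: the internal host opened the connection, so the return traffic is not stopped by an ACL that only blocks new inbound connections.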