Re: DoS "Probing" on one of our hosts

[Christopher Kunz <chrislist () de-punkt de>]

King, Brian wrote:

> without any idea of what kind of traffic it was, I would not assume
> anything. For one thing, can you prove that the traffic was externally
> generated? Looking at how aggressively slammer scanned, I would not
> discount that the traffic could be generated by a worm within your
> network.  Without knowing the destination of the "DOS" packets, you
> can't tell if it was a routing messup that sent a torrent of data to
> you.  

I can discount that. The traffic is inbound on the switch to our network
segment, so it is at least not generated inside our rack.

> Then again, it could be someone on your internal network probing to see
> how much they can slow down Yahoo using your bandwidth. 

I don't get that. If someone would be using my bandwidth, how come I see
100 mbit INBOUND, not OUTBOUND?

To clarify all this a bit, I have uploaded our uplink provider's rrdtool
image for the last 24 hours to
http://www.christopher-kunz.de/images/dos_1.png

The other two spikes are very similar in height and length.

--ck

--
php development | hosting |  housing | professional game server hosting
http://www.de-punkt.de   [ chris () de-punkt de ]    http://www.stormix.de
+49 511 1237504 | +49 511 1237505 | laportestr. 2a, 30449 hannover.de
Filoo auf dem Linuxtag 2003 (F15) - http://www.de-punkt.de/lt2003.php




----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
----------------------------------------------------------------------------