re: DoS "Probing" on one of our hosts

[Harlan Carvey <keydet89 () yahoo com>]

Chris,

A couple of quick questions for clarification...

> So far, we've yet to determine even the most basic
stuff

First, if you don't even have "the most basic stuff",
how do you know that this was a DoS attack?  Could it
have been a network outage, perhaps from the ISP?

Second, by definition, a probe and a DoS attack are
two wildly disparate events.

> is there any tool to determine the source IPs of the

> attack (even if they're spoofed,  

I'm not sure that you're really aware of what you're
asking.  

> Snort sits on the  attacked host and happily reports
> SQL/Slammer and other trivial stuff, but goes
through
> one of the attacks without picking any signatures
up.

Snort takes action based on it's
signatures...therefore, this "attack" would not have
been logged if the signatures for it were not in the
snort config file.

I'm very interested to see what information you can
provide on this event, to show that it was, in fact, a
DoS attack.  

Thanks,

Harlan


__________________________________
Do you Yahoo!?
SBC Yahoo! DSL - Now only $29.95 per month!
http://sbc.yahoo.com

----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
----------------------------------------------------------------------------