Security Incidents mailing list archives

Re: DoS "Probing" on one of our hosts


From: Chris Calvert <chris () idaemon ca>
Date: 30 Jun 2003 07:32:01 -0600

Hi Chris

DoS attack duration can vary considerably.  I've seen attacks that last
over a day or two; it really depends on how persistent the attacker is
and how robust the target is.  100 Mbit attacks might bring down a small
hosting service, or get shrugged off by a target on a larger pipe.

Get a capture of the traffic and do some analysis.  If you are being
hammered with a connectionless protocol such as UDP or ICMP then there
is no way for you, the destination of the traffic, to determine the
source if it has been spoofed; however, you might be able to get useful
data from a capture regardless.  Try tools such as Ethereal, for a bit of
help analyzing the traffic.  For example, you might be getting hit with
huge packets which saturate your Internet connection and/or inbound
interface, or you may be getting hit with small packets but at a
packet/second rate that your switch, modem, interface, or whatever
cannot handle.  There may be no signatures to detect; you might simply
be the target of a brute force traffic DoS.

Regards,

Chris

On Sun, 2003-06-29 at 14:41, Christopher Kunz wrote:
Hey,

we have been encountering three short DoS attacks during the weekend -
each one around 1 hour in length and with about 100 Mbit worth of
bandwidth. So far, we've yet to determine even the most basic stuff,
since we don't seem to have any logging. I have two questions regarding
this:
1. isn't one hour a pretty short time for a DoS? I've seen attacks on 
other nets lasting for hours, sometimes up to a day...
2. is there any tool to determine the source IPs of the attack (even if 
they're spoofed, I'd like to see _anything_)? Snort sits on the attacked 
host and happily reports SQL/Slammer and other trivial stuff, but goes 
through one of the attacks without picking any signatures up.

Regards,

--ck
-- 
Chris Calvert <chris () idaemon ca>
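
An added example, not part of either message above: the capture triage
Chris describes, written in Python over frames constructed inline, so it
runs offline with the standard library alone.  The thresholds
LARGE_PACKET_BYTES and SPOOF_RATIO, the 10/8, 192.0.2.x and
198.51.100.10 addresses and the packet counts are assumptions for the
demonstration, not observed data.  It answers the three things a
brute-force flood leaves you with once Snort has nothing to say: peak
packets/s versus peak bits/s (small-packet pps flood or large-packet
bandwidth flood), which protocol carries it, and whether the source
spread is something you can act on or is spoofed noise.  With a real
capture from Ethereal (today's Wireshark) or tcpdump you would feed
triage() (timestamp, frame) records read via a pcap library instead of
the constructed ones.

```python
"""Triage a suspected brute-force traffic DoS from captured frames (added example)."""
import struct
from collections import Counter, defaultdict

ETHERTYPE_IPV4 = 0x0800
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
LARGE_PACKET_BYTES = 1000   # assumed threshold: mean IP length above this = bandwidth flood
SPOOF_RATIO = 0.9           # assumed threshold: unique sources / packets above this = untrustworthy


def ip_to_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))


def build_ipv4_frame(src, dst, proto, payload_len, ttl=64):
    """Ethernet + IPv4 header + zero payload; constructed test data, checksum left 0."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                         ttl, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    eth_hdr = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    return eth_hdr + ip_hdr + b"\x00" * payload_len


def parse_frame(frame):
    """Return (proto, src, dst, ip_total_len) for an IPv4 frame, else None."""
    if len(frame) < 14 + 20:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        return None
    (total_len,) = struct.unpack("!H", ip[2:4])
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return ip[9], src, dst, total_len


def triage(records):
    """records: iterable of (timestamp_seconds, frame_bytes) as read from a capture."""
    per_second = defaultdict(lambda: [0, 0])   # second -> [packets, IP bytes]
    protos, sources = Counter(), Counter()
    total_pkts = total_bytes = 0
    for ts, frame in records:
        parsed = parse_frame(frame)
        if parsed is None:          # ARP, IPv6, truncated frames: not part of this analysis
            continue
        proto, src, _dst, ip_len = parsed
        per_second[int(ts)][0] += 1
        per_second[int(ts)][1] += ip_len
        protos[PROTO_NAMES.get(proto, str(proto))] += 1
        sources[src] += 1
        total_pkts += 1
        total_bytes += ip_len
    if total_pkts == 0:
        return {"verdict": "no IPv4 traffic in capture"}
    avg_size = total_bytes / total_pkts
    unique_ratio = len(sources) / total_pkts
    if unique_ratio > SPOOF_RATIO:
        source_note = "near one source per packet: spoofed or huge botnet, addresses are not actionable"
    elif len(sources) <= 5:
        source_note = "handful of repeating sources: candidates for upstream filtering"
    else:
        source_note = "many repeating sources: rank by volume before acting"
    return {
        "peak_pps": max(p for p, _ in per_second.values()),
        "peak_bps": max(b for _, b in per_second.values()) * 8,
        "avg_ip_len": avg_size,
        "top_proto": protos.most_common(1)[0][0],
        "unique_sources": len(sources),
        "shape": ("bandwidth flood (large packets)" if avg_size >= LARGE_PACKET_BYTES
                  else "packet-rate flood (small packets)"),
        "source_note": source_note,
    }


def constructed_flood(kind):
    """Two constructed floods standing in for a real capture (not observed data)."""
    target = "198.51.100.10"
    if kind == "small_udp":
        # 3000 minimal UDP datagrams in 3 s, every one from a different (fake) source
        records = [(i / 1000, build_ipv4_frame(f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}",
                                               target, 17, 8)) for i in range(3000)]
        records.append((0.5, b"\x00" * 12 + struct.pack("!H", 0x0806) + b"\x00" * 28))  # ARP, ignored
        return records
    # 300 near-MTU ICMP packets in 3 s from three repeating sources
    return [(i / 100, build_ipv4_frame(f"192.0.2.{1 + i % 3}", target, 1, 1452)) for i in range(300)]


if __name__ == "__main__":
    for kind in ("small_udp", "large_icmp"):
        print(kind, triage(constructed_flood(kind)))
```

The two verdicts are the two cases in the reply: the UDP flood is only
224 kbit/s but 1000 packets/s from 3000 different addresses, so the
source list is worthless and the fix is rate capacity upstream; the
ICMP flood is 100 packets/s but near-MTU, so it is a bandwidth problem
from three addresses you can actually filter.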

