Security Incidents mailing list archives
Re: DoS "Probing" on one of our hosts
From: Edward Balas <ebalas () iu edu>
Date: Mon, 30 Jun 2003 09:37:03 -0500 (EST)
On Sun, 29 Jun 2003, Christopher Kunz wrote:
Hey, we have been encountering three short DoS attacks during the weekend - each one around 1 hour in length and with about 100mbit worth of bandwidth. So far, we've yet to determine even the most basic stuff, since we don't seem to have any logging. I have two questions regarding this:
1. isn't one hour a pretty short time for a DoS? I've seen attacks on other nets lasting for hours, sometimes up to a day...
Depends on the nature of the attack, from what I have seen this is not uncommen. Ive seen this type agaist IRC servers quite often.
2. is there any tool to determine the source IPs of the attack (even if they're spoofed, I'd like to see _anything_)? Snort sits on the attacked host and happily reports SQL/Slammer and other trivial stuff, but goes through one of the attacks without picking any signatures up.
If you have access to the netflow accounting data for the routers, then you can backtrace the traffic to the incomming network. Or if you dont, your ISP may. They probably wont be interesting in helping backtrack this given the short duration. Edward Balas
Regards, --ck
---------------------------------------------------------------------------- Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com ----------------------------------------------------------------------------
Current thread:
- DoS "Probing" on one of our hosts Christopher Kunz (Jun 29)
- Re: DoS "Probing" on one of our hosts Chris Calvert (Jun 30)
- Re: DoS "Probing" on one of our hosts Christopher Kunz (Jun 30)
- Re: DoS "Probing" on one of our hosts Edward Balas (Jun 30)
- Re: DoS "Probing" on one of our hosts Christopher Kunz (Jun 30)
- <Possible follow-ups>
- re: DoS "Probing" on one of our hosts Harlan Carvey (Jun 30)
- Re: DoS "Probing" on one of our hosts Christopher Kunz (Jun 30)
- RE: DoS "Probing" on one of our hosts Donald Voss (Jun 30)
- Re: DoS "Probing" on one of our hosts Christopher Kunz (Jun 30)
- Re: DoS "Probing" on one of our hosts Christopher Kunz (Jun 30)
- Re: DoS "Probing" on one of our hosts Chris Calvert (Jun 30)
- RE: DoS "Probing" on one of our hosts Keith T. Morgan (Jun 30)
- RE: DoS "Probing" on one of our hosts King, Brian (Jun 30)
- Re: DoS "Probing" on one of our hosts Christopher Kunz (Jun 30)
- RE: DoS "Probing" on one of our hosts Cook, Christopher S. (Jun 30)
- RE: DoS "Probing" on one of our hosts Harlan Carvey (Jun 30)