Security Incidents mailing list archives
Re: DoS "Probing" on one of our hosts
From: Christopher Kunz <chrislist () de-punkt de>
Date: Mon, 30 Jun 2003 18:47:31 +0200
Chris Calvert wrote:
> DoS attack duration can vary considerably. I've seen attacks that last over a day or two; it really depends on how persistent the attacker is and how robust the target is. 100 Mbit attacks might bring down a small hosting service, or get shrugged off by a target on a larger pipe.
Right. Although our service provider seems to have a quite robust connection, the bottleneck is of course our rack's uplink.
> Get a capture of the traffic and do some analysis. help analyzing the traffic. For example, you might be getting hit with huge packets which saturate your Internet connection and/or inbound interface, or you may be getting hit with small packets but at a packet/second rate that your switch, modem, interface, or whatever cannot handle. There may be no signatures to detect, you might simply be the target of a brute force traffic DoS.
I suspect (after ruling out having a warez distro site on the box) the latter. Our uplink provider monitors traffic for us and the spikes are there - it's not that our uplink switch just stops working (as it would if too many packets per second came in), the traffic really is there. So my wild guess was that we were just ping -f'ed, stacheldrahted or something like that.

--ck

--
php development | hosting | housing | professional game server hosting
http://www.de-punkt.de [ chris () de-punkt de ] http://www.stormix.de
+49 511 1237504 | +49 511 1237505 | laportestr. 2a, 30449 hannover.de
Filoo at Linuxtag 2003 (F15) - http://www.de-punkt.de/lt2003.php
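Added example, not part of the original thread: one way to do the capture analysis suggested in the quoted advice, telling a bandwidth flood (large packets) apart from a packet-rate flood (small packets) by reading a classic libpcap file and checking the busiest second against both limits. `LINK_MBIT`, `DEVICE_PPS`, the 0.8 threshold and the `build_sample` capture are assumptions constructed for illustration; substitute the real figures for the uplink and switch.

```python
import struct
from collections import defaultdict

LINK_MBIT = 100.0    # assumed uplink capacity; use the rack's real figure
DEVICE_PPS = 50_000  # assumed forwarding limit of the switch/interface (hypothetical)

def per_second_stats(pcap_bytes):
    """Return {second: (packets, wire_bytes)} from a classic pcap file."""
    magic = bytes(pcap_bytes[:4])
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        endian = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    stats = defaultdict(lambda: [0, 0])
    off = 24  # skip the global header
    while off + 16 <= len(pcap_bytes):
        ts_sec, _frac, incl_len, orig_len = struct.unpack_from(endian + "IIII", pcap_bytes, off)
        stats[ts_sec][0] += 1
        stats[ts_sec][1] += orig_len  # wire length, even when snaplen truncated the capture
        off += 16 + incl_len
    return {sec: tuple(v) for sec, v in stats.items()}

def classify(stats, link_mbit=LINK_MBIT, device_pps=DEVICE_PPS, threshold=0.8):
    """Say which limit the busiest second approaches, with the peak figures."""
    peak_pps = max((p for p, _ in stats.values()), default=0)
    peak_mbit = max((b for _, b in stats.values()), default=0) * 8 / 1e6
    near_bw = peak_mbit >= threshold * link_mbit
    near_pps = peak_pps >= threshold * device_pps
    kind = {(True, True): "both", (True, False): "bandwidth",
            (False, True): "packet-rate", (False, False): "neither"}[(near_bw, near_pps)]
    return kind, peak_mbit, peak_pps

def build_sample(n_packets, size, second=1056991651):
    """Constructed sample: n_packets records of `size` wire bytes in one second, snaplen 64."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 64, 1))
    captured = min(size, 64)
    for i in range(n_packets):
        out += struct.pack("<IIII", second, i, captured, size) + bytes(captured)
    return bytes(out)

if __name__ == "__main__":
    for name, cap in (("large packets", build_sample(8000, 1500)),
                      ("small packets", build_sample(45000, 60))):
        print(name, classify(per_second_stats(cap)))
```

Wire bytes here are the captured frame lengths only; preamble and inter-frame gap are not counted, so the real link utilisation is slightly higher than the figure reported.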