Re: DoS "Probing" on one of our hosts

From: Chris Calvert (chrisat_private)
Date: Mon Jun 30 2003 - 06:32:01 PDT

Next message: Edward Balas: "Re: DoS "Probing" on one of our hosts"

Previous message: Christopher Kunz: "Re: DoS "Probing" on one of our hosts"
In reply to: Christopher Kunz: "DoS "Probing" on one of our hosts"
Next in thread: Christopher Kunz: "Re: DoS "Probing" on one of our hosts"
Next in thread: Edward Balas: "Re: DoS "Probing" on one of our hosts"
Reply: Christopher Kunz: "Re: DoS "Probing" on one of our hosts"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi Chris

DoS attack duration can vary considerably.  I've seen attacks that last
over a day or two, it really depends on how persistent the attacker is
and how robust the target is.  100 Mbit attacks might bring down a small
hosting service, or get shrugged off by a target on a larger pipe.

Get a capture of the traffic and do some analysis.  If you are being
hammered with a connectionless protocol such as UDP or ICMP then there
is no way for you, the destination of the traffic, to determine the
source if it has been spoofed, however you might be able to get useful
data from a capture regardless.  Try tools such as Ethereal,for a bit of
help analyzing the traffic. For example, you might be getting hit with
huge packets which saturate your Internet connection and/or inbound
interface, or you may be getting hit with small packets but at a
packet/second rate that your switch, modem, interface, or whatever
cannot handle.  There may be no signatures to detect, you might simply
be the target of a brute force traffic DoS.

Regards,

Chris

On Sun, 2003-06-29 at 14:41, Christopher Kunz wrote:
> Hey,
> 
> we have been encountering three short DoS attacks during the weekend - 
> each one around 1 hour in length and with about 100mbit worth of 
> bandwidth. So far, we've yet to determine even the most basic stuff, 
> since we don't seem to have any logging. I have two questions regarding 
> this:
> 1. isn't one hour a pretty short time for a DoS? I've seen attacks on 
> other nets lasting for hours, sometimes up to a day...
> 2. is there any tool to determine the source IPs of the attack (even if 
> they're spoofed, I'd like to see _anything_)? Snort sits on the attacked 
> host and happily reports SQL/Slammer and other trivial stuff, but goes 
> through one of the attacks without picking any signatures up.
> 
> Regards,
> 
> --ck
-- 
Chris Calvert <chrisat_private>

----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
----------------------------------------------------------------------------

Next message: Edward Balas: "Re: DoS "Probing" on one of our hosts"
Previous message: Christopher Kunz: "Re: DoS "Probing" on one of our hosts"
In reply to: Christopher Kunz: "DoS "Probing" on one of our hosts"
Next in thread: Christopher Kunz: "Re: DoS "Probing" on one of our hosts"
Next in thread: Edward Balas: "Re: DoS "Probing" on one of our hosts"
Reply: Christopher Kunz: "Re: DoS "Probing" on one of our hosts"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Jun 30 2003 - 08:01:14 PDT