Hi Chris DoS attack duration can vary considerably. I've seen attacks that last over a day or two, it really depends on how persistent the attacker is and how robust the target is. 100 Mbit attacks might bring down a small hosting service, or get shrugged off by a target on a larger pipe. Get a capture of the traffic and do some analysis. If you are being hammered with a connectionless protocol such as UDP or ICMP then there is no way for you, the destination of the traffic, to determine the source if it has been spoofed, however you might be able to get useful data from a capture regardless. Try tools such as Ethereal,for a bit of help analyzing the traffic. For example, you might be getting hit with huge packets which saturate your Internet connection and/or inbound interface, or you may be getting hit with small packets but at a packet/second rate that your switch, modem, interface, or whatever cannot handle. There may be no signatures to detect, you might simply be the target of a brute force traffic DoS. Regards, Chris On Sun, 2003-06-29 at 14:41, Christopher Kunz wrote: > Hey, > > we have been encountering three short DoS attacks during the weekend - > each one around 1 hour in length and with about 100mbit worth of > bandwidth. So far, we've yet to determine even the most basic stuff, > since we don't seem to have any logging. I have two questions regarding > this: > 1. isn't one hour a pretty short time for a DoS? I've seen attacks on > other nets lasting for hours, sometimes up to a day... > 2. is there any tool to determine the source IPs of the attack (even if > they're spoofed, I'd like to see _anything_)? Snort sits on the attacked > host and happily reports SQL/Slammer and other trivial stuff, but goes > through one of the attacks without picking any signatures up. > > Regards, > > --ck -- Chris Calvert <chrisat_private> ---------------------------------------------------------------------------- Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com ----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Mon Jun 30 2003 - 08:01:14 PDT