You know, from the looks of the traffic patterns you posted, there really seams no way but to lean towards a DoS. During the peak inbound, there was very little outgoing traffic at all. How can you have a warez FTP running under those circumstances? But in order to determine the type of DoS, you'll need a packet dump. I just hope there is another spike... #-----Original Message----- #From: Christopher Kunz [mailto:chrislist@de-punkt.de] #Sent: Monday, June 30, 2003 11:48 AM #To: incidentsat_private #Subject: Re: DoS "Probing" on one of our hosts # # #Chris Calvert wrote: #> DoS attack duration can vary considerably. I've seen #attacks that last #> over a day or two, it really depends on how persistent the #attacker is #> and how robust the target is. 100 Mbit attacks might bring #down a small #> hosting service, or get shrugged off by a target on a larger pipe. # #Right. Although our service provider seems to have a quite robust #connection, the bottle neck is of course our rack's uplink. # #> Get a capture of the traffic and do some analysis. #> help analyzing the traffic. For example, you might be #getting hit with #> huge packets which saturate your Internet connection and/or inbound #> interface, or you may be getting hit with small packets but at a #> packet/second rate that your switch, modem, interface, or whatever #> cannot handle. There may be no signatures to detect, you #might simply #> be the target of a brute force traffic DoS. # #I suspect (after ruling out having a warez distro site on the box) the #latter. Our uplink provider monitors traffic for us and the spikes are #there - it's not that our uplink switch just stops working (as it would #if too many packets per second came in), the traffic really is #there. So #my wild guess was that we were just ping -f'ed, stacheldrahted or #something like that. # #--ck # #-- #php development | hosting | housing | professional game server hosting #http://www.de-punkt.de [ chris@de-punkt.de ] http://www.stormix.de #+49 511 1237504 | +49 511 1237505 | laportestr. 2a, 30449 hannover.de #Filoo auf dem Linuxtag 2003 (F15) - http://www.de-punkt.de/lt2003.php # # # # #--------------------------------------------------------------- #------------- #Attend the Black Hat Briefings & Training, July 28 - 31 in Las #Vegas, the #world's premier technical IT security event! 10 tracks, 15 #training sessions, #1,800 delegates from 30 nations including all of the top #experts, from CSO's to #"underground" security specialists. See for yourself what the #buzz is about! #Early-bird registration ends July 3. This event will sell #out. www.blackhat.com #--------------------------------------------------------------- #------------- # ---------------------------------------------------------------------------- Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com ----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Mon Jun 30 2003 - 13:44:00 PDT