re: DoS "Probing" on one of our hosts

From: Harlan Carvey <keydet89(at)yahoo.com>
Date: Sun Jun 29 2003 - 19:27:03 EDT

Chris,

A couple of quick questions for clarification...

> So far, we've yet to determine even the most basic
stuff

First, if you don't even have "the most basic stuff", how do you know that this was a DoS attack? Could it have been a network outage, perhaps from the ISP?

Second, by definition, a probe and a DoS attack are two wildly disparate events.

> is there any tool to determine the source IPs of the

> attack (even if they're spoofed,

I'm not sure that you're really aware of what you're asking.

> Snort sits on the attacked host and happily reports
through
> one of the attacks without picking any signatures
up.

Snort takes action based on it's
signatures...therefore, this "attack" would not have been logged if the signatures for it were not in the snort config file.

I'm very interested to see what information you can provide on this event, to show that it was, in fact, a DoS attack.

Thanks,

Harlan

---

Do you Yahoo!?
SBC Yahoo! DSL - Now only $29.95 per month! http://sbc.yahoo.com

---

Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the world's premier technical IT security event! 10 tracks, 15 training sessions, 1,800 delegates from 30 nations including all of the top experts, from CSO's to "underground" security specialists. See for yourself what the buzz is about! Early-bird registration ends July 3. This event will sell out. www.blackhat.com

---

Received on Mon Jun 30 11:11:53 2003