Re: DoS "Probing" on one of our hosts

Hi Chris

DoS attack duration can vary considerably. I've seen attacks that last over a day or two, it really depends on how persistent the attacker is and how robust the target is. 100 Mbit attacks might bring down a small hosting service, or get shrugged off by a target on a larger pipe.

Get a capture of the traffic and do some analysis. If you are being hammered with a connectionless protocol such as UDP or ICMP then there is no way for you, the destination of the traffic, to determine the source if it has been spoofed, however you might be able to get useful data from a capture regardless. Try tools such as Ethereal,for a bit of help analyzing the traffic. For example, you might be getting hit with huge packets which saturate your Internet connection and/or inbound interface, or you may be getting hit with small packets but at a packet/second rate that your switch, modem, interface, or whatever cannot handle. There may be no signatures to detect, you might simply be the target of a brute force traffic DoS.

Regards,

Chris

On Sun, 2003-06-29 at 14:41, Christopher Kunz wrote:
> Hey,
>
> we have been encountering three short DoS attacks during the weekend -

-- 
Chris Calvert 


----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
----------------------------------------------------------------------------