RE: DoS "Probing" on one of our hosts

To me, that pattern sounds a lot more like someone's hacked a server and set up a warez site. Granted, we don't know anything definitive, but if the high volume periods generally happen in the middle of the night, I wouldn't be surprised.

See if you can put a sniffer on the outbound connection (Sniffer is my commercial favorite) to find the endpoints. There are lots of reasons your IDS isn't raising alarms: the system that was hacked was already an FTP server, or if your IDS isn't monitoring common protocols from servers, or the IDS system doesn't see the traffic going to the hacked system, et al.

Chris Cook
Honeywell TSI

These are my opinions, not those of Honeywell.

-----Original Message-----
From: Christopher Kunz [mailto:chrislist@de-punkt.de] Sent: Monday, June 30, 2003 3:37 AM
To: incidents@securityfocus.com

Harlan Carvey wrote:
> I'm very interested to see what information you can
> provide on this event, to show that it was, in fact, a
> DoS attack.

Uhm, I'm quite positive that 97.8 mBit coming in through our uplink are a pretty good indicator for an attack.

And by "probing" I meant that maybe the attacker only tried to determine our maximum bandwidth for a larger-scale attack, since the DoSes stopped fairly soon without any outer influence.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

--ck

-- 
php development | hosting |  housing | professional game server hosting
http://www.de-punkt.de   [ 
chris(at)de-punkt.de ]    
http://www.stormix.de
+49 511 1237504 | +49 511 1237505 | laportestr. 2a, 30449 hannover.de
Filoo auf dem Linuxtag 2003 (F15) - 
http://www.de-punkt.de/lt2003.php


----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
----------------------------------------------------------------------------

----------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the 
world's premier technical IT security event! 10 tracks, 15 training sessions, 
1,800 delegates from 30 nations including all of the top experts, from CSO's to 
"underground" security specialists.  See for yourself what the buzz is about!  
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
----------------------------------------------------------------------------