
Thread: Identifying A DoS Attack...

  1. #11
    Senior Member
    Join Date
    Aug 2002
    Posts
    651
    In order to analyze it, you would need a sniffer or protocol analyzer to take a look at the traffic destined for the machine as already mentioned by Networker. Your degree of understanding of networking will probably determine what tool you use. Ethereal uses a GUI for you to interact with. Also, there are tools like tcpdump/windump and snort - which is also an Open Source IDS that could help you to pick up and identify attacks like these (if it was an attack, of course) more efficiently. There are also a few personal firewalls that pick up and block the attacks. I think that BlackICE does this.
    Opinions are like holes - everybody's got 'em.


  2. #12
    If you think you are experiencing a DoS attack you can try the following.
    Open up a cmd prompt and type in the following:
    netstat -n -p tcp
    This will show you all the active tcp connections.
    If you are indeed being DoSsed you will probably see a lot of connections here stating 'SYN_RECEIVED'. If this is the case then you are probably experiencing a SYN flood attack, one of the most commonly used DoS attacks.
    Win2K automatically monitors three counters that track the number of active TCP/IP ports and the number of ports in the half-open state to look for potential SYN attacks. When these counters exceed predefined thresholds, Win2K assumes that a SYN DoS attack is in progress. During a SYN DoS attack, TCP queries the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters subkey to determine how to respond. The subkey's SynAttackProtect entry determines the number of retries and the retry interval that TCP uses to time out a connection request. The SynAttackProtect entry has the type REG_DWORD and the value 0, 1, or 2.

    Set the value to 1 or 2 on systems that connect directly to the Internet. These settings reduce the number of SYN-ACK retransmissions and the interval between them, which reduces the time that a system waits to time out valid and malicious connection requests. For the best protection against SYN DoS attacks, set the value to 2.

    Set the SynAttackProtect entry to 1 or 2 for systems directly accessible from the Internet, especially those you don't protect with a firewall. (To verify that your firewall provides SYN attack and Ping of Death protection, check with the vendor.) Remember that when you implement this deterrent, you change the way the system responds to both valid and DoS connection requests.
    Taken from:
    http://www.secadministrator.com/Arti...eID=25027&pg=2

    More interesting reading:
    http://grc.com/dos/grcdos.htm
    http://grc.com/dos/drdos.htm
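One way to check the indicator described in the post above, as an added example that is not from the thread: a Python script that parses constructed Windows "netstat -n -p tcp" output and counts SYN_RECEIVED entries per local port, along with how many distinct foreign hosts they come from. The threshold of 3 half-open connections is an assumption for the sample and should be tuned to the host's normal load.

```python
# Added example (not from the thread): parse "netstat -n -p tcp" output
# and count half-open (SYN_RECEIVED) connections per local port.
from collections import Counter
import re

# Constructed sample output; the column layout matches Windows netstat.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.5:80            198.51.100.20:49212    ESTABLISHED
  TCP    10.0.0.5:80            203.0.113.7:51234      SYN_RECEIVED
  TCP    10.0.0.5:80            203.0.113.8:51235      SYN_RECEIVED
  TCP    10.0.0.5:80            203.0.113.9:51236      SYN_RECEIVED
  TCP    10.0.0.5:80            203.0.113.10:51237     SYN_RECEIVED
  TCP    10.0.0.5:443           198.51.100.21:40001    ESTABLISHED
  TCP    10.0.0.5:3389          198.51.100.22:40002    TIME_WAIT
"""

LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

def parse_netstat(text):
    """Yield (proto, local, foreign, state); header and blank lines are skipped."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            yield m.groups()

def half_open_by_port(text):
    """Count SYN_RECEIVED connections per local port and the distinct foreign hosts."""
    per_port = Counter()
    sources = {}
    for proto, local, foreign, state in parse_netstat(text):
        if proto != "TCP" or state != "SYN_RECEIVED":
            continue
        port = local.rsplit(":", 1)[1]        # rsplit also handles [IPv6]:port
        per_port[port] += 1
        sources.setdefault(port, set()).add(foreign.rsplit(":", 1)[0])
    return per_port, sources

def suspected_syn_flood(text, threshold=3):
    """Return {port: (half_open_count, distinct_hosts)} for ports at or over the threshold."""
    per_port, sources = half_open_by_port(text)
    return {p: (n, len(sources[p])) for p, n in per_port.items() if n >= threshold}

if __name__ == "__main__":
    for port, (n, hosts) in suspected_syn_flood(SAMPLE).items():
        print(f"port {port}: {n} half-open connections from {hosts} distinct hosts")
```

Many half-open connections from many distinct, unrelated source addresses is consistent with the spoofed-source floods mentioned later in the thread; a handful from one host is more likely a single slow or misbehaving client.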

  3. #13
    Senior Member Maestr0's Avatar
    Join Date
    May 2003
    Posts
    604
    Sure they're easy to trace if the attacker is a total idiot. Otherwise, good luck.
    -Maestr0
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier

  4. #14
    Good luck indeed. Are not most DoS attacks using spoofed packets?
