August 10th, 2007 12:54 PM
Am I being Dos'd?
I was curious as to what is the best way to determine if you are being DoS'd if you are running a Linux server. I browsed the forums but couldn't find a tutorial on it.
August 10th, 2007 01:32 PM
If you check your logs you should notice that you have packets coming in a certain time interval (like every 5 seconds) from the same IP (or range of IP if it's a bot farm).
Or it might just mean you got popular (or /.ed or dugg or whatever)
Did you piss someone off recently?
I was trying to find an example log file on the web to post but I found something better.
This is an article on Security Focus that explains how to identify a DDoS attack (it also has an example log file on the page).
Hope that helps!
Last edited by Ippersiel; August 10th, 2007 at 01:35 PM.
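The log check described above, as an added example that is not part of the thread: it flags a source IP that bursts past a request threshold or hits at a near-constant interval (the "every 5 seconds" pattern). The log lines, format regex and thresholds are constructed assumptions, not real traffic.

```python
# Added example (not from the thread): flag source IPs whose request rate or
# inter-arrival regularity in a web access log looks like a flood rather than
# ordinary browsing. Log format and thresholds below are assumptions.
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in combined-log style (documentation IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2007:12:00:00 +0000] "GET / HTTP/1.0" 200 512
203.0.113.5 - - [10/Aug/2007:12:00:05 +0000] "GET / HTTP/1.0" 200 512
203.0.113.5 - - [10/Aug/2007:12:00:10 +0000] "GET / HTTP/1.0" 200 512
203.0.113.5 - - [10/Aug/2007:12:00:15 +0000] "GET / HTTP/1.0" 200 512
203.0.113.5 - - [10/Aug/2007:12:00:20 +0000] "GET / HTTP/1.0" 200 512
198.51.100.7 - - [10/Aug/2007:12:00:03 +0000] "GET /about HTTP/1.1" 200 2048
198.51.100.7 - - [10/Aug/2007:12:00:41 +0000] "GET /blog HTTP/1.1" 200 4096
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\]')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_log(text):
    """Return {ip: [timestamps]} with each list sorted; unparseable lines are skipped."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hits[m.group("ip")].append(datetime.strptime(m.group("ts"), TS_FMT))
    return {ip: sorted(ts) for ip, ts in hits.items()}

def suspicious_sources(text, window_s=60, max_hits=4, jitter_s=1):
    """Flag IPs that exceed max_hits within any window_s span, and note whether
    their inter-arrival gaps are nearly constant, which a person browsing a
    site rarely produces but a scripted flood often does."""
    flagged = {}
    for ip, ts in parse_log(text).items():
        # Sliding window: from each hit, count later hits that fall within window_s.
        over = any(
            sum(1 for t in ts[i:] if (t - ts[i]).total_seconds() <= window_s) > max_hits
            for i in range(len(ts))
        )
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        regular = len(gaps) >= 2 and max(gaps) - min(gaps) <= jitter_s
        if over or regular:
            flagged[ip] = {"hits": len(ts), "burst": over, "regular_interval": regular}
    return flagged
```

A single flagged IP is a lead to correlate with the IDS output mentioned later in the thread, not proof of an attack on its own; a popular page can also push a legitimate proxy over the threshold.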
August 10th, 2007 02:16 PM
What flavor of Linux? Some come with Ethereal installed natively...try that, or download it and sniff the incoming line.
August 10th, 2007 02:19 PM
Nice post/link, Ippersiel
How people treat you is their karma- how you react is yours-Wayne Dyer
August 10th, 2007 02:33 PM
Thanks for the greenies (are they still called that?) It's nice to be back!
August 10th, 2007 06:27 PM
I haven't pissed anyone off yet. I work for a web hosting company and I'm just curious about what I would need to look for. Currently I just use our IDS to locate and filter attacks, but I would like to increase my knowledge. While I'm not currently familiar with what version these boxes run, I know most of them use Red Hat. We also have FreeBSD boxes. By the way, thank you for the information provided so far; it is very helpful.
August 10th, 2007 07:12 PM
An easy solution for DoS attacks is TCP Intercept (I know some Cisco routers have this service...): it proxy-SYN-ACKs a SYN request, and if the client does not ACK back (as most DoS attacks do NOT), then the router drops the packet. Also, see if you can limit the number of half-open TCP connections on the routing device.
August 10th, 2007 07:18 PM
I like how you said yet
Originally Posted by HackerSlayer
I'm not too familiar with these things, but if someone was being flooded by 10,000 connections, wouldn't that overload the TCP Intercept and in essence satisfy the DoS attack as well?
Originally Posted by c1sc0m4n
August 10th, 2007 07:19 PM
I may well be wrong, but as far as I am aware a DoS attack is a pretty crude event?
Like you are bigger than they are and win or they are bigger than you and you lose?
If you cannot do someone any good: don't do them any harm....
As long as you did this to one of these, the least of my little ones............you did it unto Me.
What profiteth a man if he gains the entire World at the expense of his immortal soul?
August 10th, 2007 07:30 PM
The perfect solution would be to have anyone with a border router not allow any traffic to exit their network that does not have a source IP contained within their network, hence stopping spoofing, a technique used by zombies/trojans/virii. A majority of directed attacks use this technique.
This would never happen of course, due to so many ISPs knowing close to nothing about security, let alone how TCP/IP works.
There are two rules for success in life:
Rule 1: Don't tell people everything you know.