I was curious as to what is the best way to determine if you are being DoS'd if you are running a Linux server. I browsed the forums but couldn't find a tutorial on it.
If you check your logs you should notice that you have packets coming in at a certain time interval (like every 5 seconds) from the same IP (or range of IPs if it's a bot farm).
Or it might just mean you got popular (or /.ed or dugg or whatever)
Did you piss someone off recently? :)
Edit/Add:
I was trying to find an example log file on the web to post but I found something better.
http://www.securityfocus.com/infocus/1655
This is an article on Security Focus that explains how to identify a DDoS attack (it also has an example log file on the page).
Hope that helps!
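As an added example, not code from the thread or from the Security Focus article: a small Python check over constructed netfilter LOG-style lines that flags source addresses exceeding a hit count inside a sliding window and reports their mean inter-arrival gap, the "every 5 seconds" pattern the reply describes. The hostname, addresses (documentation ranges), window and threshold are assumptions for the demonstration.

```python
# Added example (not from the thread): flag sources hammering a host by replaying
# constructed netfilter LOG-style lines. Host, IPs and thresholds are assumptions.
import re
from collections import defaultdict
from datetime import datetime

SAMPLE_LOG = """\
Jan 12 10:00:00 web1 kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=80 SYN
Jan 12 10:00:05 web1 kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=80 SYN
Jan 12 10:00:10 web1 kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=80 SYN
Jan 12 10:00:15 web1 kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=80 SYN
Jan 12 10:00:17 web1 kernel: IN=eth0 SRC=198.51.100.77 DST=198.51.100.10 PROTO=TCP DPT=80 SYN
Jan 12 10:00:20 web1 kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=80 SYN
Jan 12 10:00:25 web1 kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=80 SYN
"""
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?SRC=(\S+)")

def parse(log_text, year=2024):
    """Return (timestamp, src_ip) pairs; syslog lines carry no year, so one is supplied."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2)))
    return events

def flag_sources(events, window_s=60, threshold=5):
    """Map src -> peak hits inside any window_s-second span, for sources over threshold."""
    by_src = defaultdict(list)
    for ts, src in events:
        by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:  # slide window forward
                start += 1
            hits = end - start + 1
            if hits > threshold:
                flagged[src] = max(flagged.get(src, 0), hits)
    return flagged

def mean_interval(events, src):
    """Average gap in seconds between packets from src; a steady gap is one tell of a script."""
    times = sorted(ts for ts, s in events if s == src)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return sum(gaps) / len(gaps) if gaps else None

if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    for src, hits in flag_sources(ev).items():
        print(f"{src}: {hits} hits in 60s, mean gap {mean_interval(ev, src):.1f}s")
```

On a live box the same functions can be fed the output of `grep kernel: /var/log/messages` (path varies by distribution); a flagged address with a near-constant gap is worth a closer look before filtering it.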
What flavor of Linux? Some come with Ethereal installed natively...try that, or download it and sniff the incoming line.
Tim
Nice post/link Ippersiel
BTW...welcome back ;)
MLF
Thanks for the greenies (are they still called that?) It's nice to be back!
I haven't pissed anyone off yet. I work for a web hosting company and I'm just curious about what I would need to look for. Currently I just use our IDS to locate and filter attacks, but I would like to increase my knowledge. While I'm not currently familiar with what version these boxes run, I know most of them use Red Hat. Also we have FreeBSD boxes. By the way, thank you for the information provided so far; it is very helpful.
An easy solution for DoS attacks is TCP Intercept (I know some Cisco routers have this service...)---it proxy-SYN-ACKs a SYN request, and if the client does not ACK back (as most DoS attacks do NOT), then the router drops the packet. Also, see if you can limit the number of half-open TCP connections on the routing device.
Tim
I like how you said yet :D
Quote:
Originally Posted by HackerSlayer
I'm not too familiar with these things, but if someone was being flooded by 10,000 connections, wouldn't that overload the TCP Intercept and in essence satisfy the DoS attack as well?
Quote:
Originally Posted by c1sc0m4n
I may well be wrong, but as far as I am aware a DoS attack is a pretty crude event?
Like you are bigger than they are and win or they are bigger than you and you lose?
:confused:
The perfect solution would be to have anyone with a border router not allow any traffic to exit their network that does not have a source IP contained within their network, hence stopping spoofing, a technique used by zombies/trojans/virii. A majority of directed attacks use this technique.
This would never happen of course, due to so many ISPs knowing close to nothing about security, let alone how TCP/IP works.