Wireshark-users: Re: [Wireshark-users] DoS packets?

From: "Sheahan, John" <John.Sheahan@xxxxxxxxxxxxx>
Date: Thu, 24 Apr 2008 16:37:19 -0400
A couple of questions:

1. Do you have a list of the top talkers to the server when you are 90% saturated? The web guys might be able to give you some stats from their logs.
2. Are the attacks coming from the same source IP address or multiple IP addresses?

As far as looking for signs of the attack, look for SYN floods or FIN attacks for starters.

You can turn on IP accounting on the Cisco router and find out which IPs are sending the most traffic to the router, then put in a quick access list to block those IPs (if they are few in number, that is).

Also, I would get your ISP involved immediately and they can give you some help in isolating the unwanted traffic and should be able to black hole it upstream from your router.

john 

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Rafael Mejías
Sent: Thursday, April 24, 2008 4:30 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] DoS packets?

>what makes you think it's a denial of service attack, what are the symptoms?

First of all, the person in charge of the web server suggested a DoS attack. The Internet connection is too slow and sometimes it won't connect at all, and when we disconnect the web server from the network, the connection speeds up.

The router indicates less than 20% of bandwidth usage when we detected a slow network (the web server is connected), but when we connect just one PC to the router, it indicates usage of about 90%.

We registered more than 200000 packets in 10 minutes with only the servers connected (the internal LAN was shut down).
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users