Hello Cecelia,
We did have the same problem. The System Administrator indicated that
it was his PC and he did not find any problem. Then about a day later,
a Network Administrator found a virus on that PC. One group was not
worried about it (PC people), but the Network people were, as network
performance was taking a hit.
Finally, we did a DOS from a Network system that was checking for
unused IP addresses. The system would go out every 4 hours and ping
50-100 times to determine what addresses were really being used.
They adjusted it down to 2 every 5 hours for the next couple of days.
H1 0088 00C7: IPC108I ICMP Echo request has been received from: 10.0.0.8
H1 0088 00C7: IPC108I ICMP Echo request has been received from:   21:30:44
H1 0088 10.1.32.68                                                21:30:44
H1 0088 00C7: IPC108I ICMP Echo request has been received from:   21:30:44
H1 0088 10.1.32.68                                                21:30:44
H1 0088 00C7: IPC108I ICMP Echo request has been received from: 10.0.0.8
H1 0088 00C7: IPC108I ICMP Echo request has been received from:   02:32:08
H1 0088 10.1.32.68                                                02:32:08
H1 0088 00C7: IPC108I ICMP Echo request has been received from:   02:32:08
H1 0088 10.1.32.68                                                02:32:08
Ask your network people how they handle DOS attacks?
Ed Martin
Aultman Health Foundation
330-588-4723
[EMAIL PROTECTED]
ext. 40441
> -----Original Message-----
> From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
> Behalf Of Dusha, Cecelia CIV WHS/ITMD
> Sent: Wednesday, May 23, 2007 1:36 PM
> To: [email protected]
> Subject: TCPIP Denial of Service
>
> The following message is appearing within all TCPIP logs:
> DTCIPU086I A denial-of-service attack has been detected
>
> netstat dos
>
> VM TCP/IP Netstat Level 510
>
> Maximum Number of Half Open Connections: 256
>
> Denial of service attacks:
>
>                                                    Attacks   Elapsed    Attack
> Attack   IP Address                               Detected      Time  Duration
> -------- --------------------------------------- --------- --------- ---------
> Smurf-IC xxx.xxx.xxx.2                                    3   6:27:33   3:49:01
>          xxx.xxx.xxx.3                                    3   6:23:37   3:49:04
> Ready; T=0.02/0.03 13:11:31
>
>
> The first occurrence of the DoS message first appears at 6:25 am every
> day.
>
> The strange thing about these DoSs is:
> Defaultnet is xxx.xxx.xxx.1
> Usable IPs start at xxx.xxx.xxx.4
>
> I have asked our network group what is occurring at 6:25 each day. I
> was told it was not a true DoS because it was within the network for
> the mainframe... That may be the case, but every day at 6:25 a DoS
> occurs and repeats throughout the day.
>
> I have scanned the TCPIP configuration options to see if there was
> something that could trigger this. I didn't find anything. Did I miss
> something? Could the TCPIP configuration trigger DoSs? If so, what do
> I need to look for so that they do not occur?
>
> Thank you.
>
> Cecelia Dusha