I used the IP address to track down the offending MAC system. What other information would be available? Just curious.

____________________________
Jim Hughes
603-271-5586
"It's kind of fun to do the impossible." (Walt Disney)

> -----Original Message-----
> From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Mike Walter
> Sent: Thursday, July 31, 2008 10:25 AM
> To: [email protected]
> Subject: Re: DOS attack details in
>
> Thanks, Jim,
>
> The source of this one-time attack is less important than getting clear documentation about _who/what_ is doing the attack _when_ it happens. I have no problem writing automation to gather the details no matter how many hoops I have to jump through - until I have to jump through what I then deem as "too many", at which point I'll whine about needing to improve the diagnostic process flow! :-)~
>
> But getting the details when they are available (we have the luxury of IPLing each Sunday night - and DO), and getting them to the "right people" nearer to the attack time: now IMHO, that's a worthy goal.
>
> Mike Walter
> Hewitt Associates
> Any opinions expressed herein are mine alone and do not necessarily represent the opinions or policies of Hewitt Associates.
>
>
> "Hughes, Jim" <[EMAIL PROTECTED]>
> Sent by: "The IBM z/VM Operating System" <[email protected]>
> 07/31/2008 09:05 AM
> Please respond to "The IBM z/VM Operating System" <[email protected]>
> To: [email protected]
> cc:
> Subject: Re: DOS attack details in
>
> We had this DOS attack and tracked it back to a MAC computer on the network. It was doing some sort of broadcast network thing. I can supply the details if it's important to anyone. Not being a network wizard, I tend to forget the details.
>
> ____________________________
> Jim Hughes
> 603-271-5586
> "It's kind of fun to do the impossible." (Walt Disney)
>
>> -----Original Message-----
>> From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Mike Walter
>> Sent: Thursday, July 31, 2008 9:28 AM
>> To: [email protected]
>> Subject: DOS attack details in
>>
>> Back on July 15, we experienced our first known Denial of Service "attack" (more likely a problem server). I reported it to our Internet Security group including:
>>
>> From the nearly anonymous/invisible "TCPIP MESSAGE" file in TCPMAINT's reader:
>> ---<snip>----
>> DTCUTI001E Serious problem encountered: 15:38:55 07/15/08
>> DTCUTI002E A denial-of-service attack has been detected
>> ---<snip>---
>>
>> Issued after the nearly anonymous/invisible "TCPIP MESSAGE" file in TCPMAINT's reader was accidentally discovered:
>> ---<snip>---
>> netstat dos
>> VM TCP/IP Netstat Level 510
>>
>> Maximum Number of Half Open Connections: 512
>>
>> Denial of service attacks:
>>                                                  Attacks   Elapsed   Attack
>> Attack   IP Address                              Detected  Time      Duration
>> -------- --------------------------------------- --------- --------- ---------
>> Smurf-IC 10.64.103.250                           1         2:27:08   0:00:00
>> Ready; T=0.02/0.02 18:13:13
>> ---<snip>---
>>
>> So I asked our Internet Security team who might be the offending "10.64.103.250". In turn they asked me for the port number being used for this attack, and the MAC address of the attacking machine. Unfortunately, none of that is available after the attack (which was admirably and automatically quashed by the z/VM TCPIP stack).
>>
>> Would it be possible to include more information in the nearly anonymous/invisible "TCPIP MESSAGE" file in TCPMAINT's reader, including the port being used and the MAC address, and the other information displayed by the NETSTAT DOS command? If the attack is discovered after the next time the stack is restarted, NETSTAT DOS doesn't provide any information. Actually, I don't see any reason why all that information could not be logged to the TCPIP stack console itself - as a single point of reference should an investigation be required later.
>>
>> BTW, the current release of VM:Operator loops (or otherwise fails to ever respond) when the NETSTAT command is issued, so we can't even issue an automated NETSTAT DOS command, trap the response, and try to gather useful information during the attack.
>>
>> Mike Walter
>> Hewitt Associates
>> Any opinions expressed herein are mine alone and do not necessarily represent the opinions or policies of Hewitt Associates.
>>
>>
>> The information contained in this e-mail and any accompanying documents may contain information that is confidential or otherwise protected from disclosure. If you are not the intended recipient of this message, or if this message has been addressed to you in error, please immediately alert the sender by reply e-mail and then delete this message, including any attachments. Any dissemination, distribution or other use of the contents of this message by anyone other than the intended recipient is strictly prohibited. All messages sent to and from this e-mail address may be monitored as permitted by applicable law and regulations to ensure compliance with our internal policies and to protect our business. E-mails are not secure and cannot be guaranteed to be error free as they can be intercepted, amended, lost or destroyed, or contain viruses. You are deemed to have accepted these risks if you communicate with us by e-mail.
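Mike's original post asks for automation that captures the NETSTAT DOS details and the DTCUTI001E timestamp while they still exist and hands them to the security team. The following is an added example, not code from the thread or from IBM: it parses the NETSTAT DOS table and the DTCUTI001E line (both constructed here after the output quoted above) into structured records; the capture mechanism that feeds it text is assumed to exist.

```python
# Added example (not from the mailing-list thread): parse z/VM TCP/IP "NETSTAT DOS"
# output and the DTCUTI001E timestamp into records an alert or incident report can
# carry. Assumes the text was captured by automation (e.g. from the TCPIP MESSAGE
# file in TCPMAINT's reader); the SAMPLE_* values are constructed after the thread.
import re
from datetime import datetime

SAMPLE_NETSTAT = """\
Denial of service attacks:
                                                 Attacks   Elapsed   Attack
Attack   IP Address                              Detected  Time      Duration
-------- --------------------------------------- --------- --------- ---------
Smurf-IC 10.64.103.250                           1         2:27:08   0:00:00
Ready; T=0.02/0.02 18:13:13
"""
SAMPLE_MESSAGE = "DTCUTI001E Serious problem encountered: 15:38:55 07/15/08"


def hms_to_seconds(text):
    """Convert 'H:MM:SS' as printed by NETSTAT DOS to whole seconds."""
    h, m, s = (int(p) for p in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_detection_time(message):
    """Extract the HH:MM:SS MM/DD/YY timestamp from a DTCUTI001E line."""
    m = re.search(r"(\d\d:\d\d:\d\d \d\d/\d\d/\d\d)\s*$", message)
    return datetime.strptime(m.group(1), "%H:%M:%S %m/%d/%y")


def parse_netstat_dos(output):
    """Return one dict per row of the 'Denial of service attacks:' table."""
    rows, in_table = [], False
    for ln in output.splitlines():
        if ln.startswith("--------"):   # dashed ruler under the column headings
            in_table = True
        elif in_table:
            if not ln.strip() or ln.startswith("Ready;"):
                break                   # CMS Ready prompt ends the output
            attack, ip, detected, elapsed, duration = ln.split()
            rows.append({"attack": attack, "ip": ip, "attacks_detected": int(detected),
                         "elapsed_s": hms_to_seconds(elapsed),
                         "duration_s": hms_to_seconds(duration)})
    return rows


def build_report(netstat_output, message):
    # Attach the detection time from the message to every table row.
    detected_at = parse_detection_time(message).isoformat()
    return [dict(row, detected_at=detected_at) for row in parse_netstat_dos(netstat_output)]
```

Feeding the records to a ticket or SIEM is then a matter of serialising `build_report(...)`, which already carries the attacker IP, attack type and detection time the security team asked for.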
