Re: how to respond to possible attacks

2008-03-08 Thread Siraj Shaikh
On 08/03/2008, Robin Becker <[EMAIL PROTECTED]> wrote:
> Sorry if this is too off topic, but I would like to find out what to do
> when you suspect a possible dos attack on your system. I know there are
> many experienced sysadmins here.
> Although my system (freebsd 6.0/apache 2.0.x) did in fact hold up, what
> steps should I be taking? The originating ip doesn't seem to be reverse
> mappable.
> --

Robin

Are you only interested in finding out about the source of these
attacks? Have you got some firewall configured? Is there any
particular service being targeted? What kind of packets are coming
through?

Also, check whether the same ip is targeting any other hosts on your
network, and whether there were any previous attempts at probing this
machine or other hosts.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: how to respond to possible attacks

2008-03-08 Thread Mel
On Saturday 08 March 2008 23:34:56 Robin Becker wrote:

> The originating ip doesn't seem to be reverse
> mappable.

sure it is: whois(1) is your friend.

-- 
Mel

Problem with today's modular software: they start with the modules
and never get to the software part.


Re: how to respond to possible attacks

2008-03-08 Thread Bill Campbell
On Sat, Mar 08, 2008, Robin Becker wrote:
>Sorry if this is too off topic, but I would like to find out what to do 
>when you suspect a possible dos attack on your system. I know there are 
>many experienced sysadmins here.
>Although my system (freebsd 6.0/apache 2.0.x) did in fact hold up, what 
>steps should I be taking? The originating ip doesn't seem to be reverse 
>mappable.

The first thing to do is ``whois ipaddress'' which probably will
identify the owner of the ip block.

One can also identify name servers by reversing the octets in the
IP address, then querying for the name server(s) responsible for
the reverse dns.  Thus, if the IP address is 1.2.3.4, one would
try the following searches until one returns something useful.

dig 3.2.1.in-addr.arpa. ns
dig 2.1.in-addr.arpa. ns
dig 1.in-addr.arpa. ns

The next step would be to attempt to contact the owners of the
name servers.

Bill
--
INTERNET:   [EMAIL PROTECTED]  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
FAX:(206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676

We'll show the world we are prosperous, even if we have to go broke to do
it. -- Will Rogers
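As an added example (not Bill's or the list's own code), the script below generalizes the procedure above to any IPv4 address: it validates the input, derives the in-addr.arpa zones from /24 down to /8, and tries each one with dig until it gets an NS answer. It assumes POSIX sh and, only for the live lookup, dig(1); rev_zones itself needs no network.

```shell
#!/bin/sh
# Added example: derive the in-addr.arpa zones to ask for NS records when an
# address has no usable PTR record, most specific zone first (assumes POSIX sh).

# rev_zones A.B.C.D -> prints C.B.A.in-addr.arpa, B.A.in-addr.arpa, A.in-addr.arpa
# Returns 1 (and prints nothing) if the argument is not a dotted-quad IPv4 address.
rev_zones() {
    ip=$1
    # Reject anything but digits and dots, leading/trailing dots, and empty octets.
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    # Split on dots into the positional parameters; must be exactly four octets.
    set -- $(printf '%s\n' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] 2>/dev/null || return 1
    done
    a=$1 b=$2 c=$3
    # The host octet is dropped first; each further step widens the block.
    printf '%s.%s.%s.in-addr.arpa\n' "$c" "$b" "$a"
    printf '%s.%s.in-addr.arpa\n' "$b" "$a"
    printf '%s.in-addr.arpa\n' "$a"
}

# find_reverse_ns A.B.C.D: query each candidate zone with dig(1) and stop at
# the first one that returns NS records, as the post describes.
find_reverse_ns() {
    rev_zones "$1" | while read -r zone; do
        ns=$(dig +short "$zone" ns 2>/dev/null)
        if [ -n "$ns" ]; then
            printf 'NS for %s:\n%s\n' "$zone" "$ns"
            break
        fi
    done
}
```

The NS hostnames usually belong to the same organisation whose whois record came up, which gives you a second contact point when the whois abuse address bounces.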


how to respond to possible attacks

2008-03-08 Thread Robin Becker
Sorry if this is too off topic, but I would like to find out what to do 
when you suspect a possible dos attack on your system. I know there are 
many experienced sysadmins here.
Although my system (freebsd 6.0/apache 2.0.x) did in fact hold up, what 
steps should I be taking? The originating ip doesn't seem to be reverse 
mappable.

--
Robin Becker