how to respond to possible attacks

2008-03-08 Thread Robin Becker
Sorry if this is too off topic, but I would like to find out what to do 
when you suspect a possible dos attack on your system. I know there are 
many experienced sysadmins here.
Although my system (freebsd 6.0/apache 2.0.x) did in fact hold up, what 
steps should I be taking? The originating ip doesn't seem to be reverse 
mappable.

--
Robin Becker
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: how to respond to possible attacks

2008-03-08 Thread Bill Campbell
On Sat, Mar 08, 2008, Robin Becker wrote:
Sorry if this is too off topic, but I would like to find out what to do 
when you suspect a possible dos attack on your system. I know there are 
many experienced sysadmins here.
Although my system (freebsd 6.0/apache 2.0.x) did in fact hold up, what 
steps should I be taking? The originating ip doesn't seem to be reverse 
mappable.

The first thing to do is ``whois ipaddress'' which probably will
identify the owner of the ip block.

One can also identify name servers by reversing the octets in the
IP address, then querying for the name server(s) responsible for
the reverse dns.  This if the IP address is 1.2.3.4, one would
try the following searches until one returns something useful.

dig 4.3.2.in-addr.arpa. ns
dig 3.2.in-addr.arpa. ns
dig 2.in-addr.arpa. ns

The next step would be to attempt to contact the owners of the
name servers.

Bill
--
INTERNET:   [EMAIL PROTECTED]  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
FAX:(206) 232-9186  Mercer Island, WA 98040-0820; (206) 236-1676

We'll show the world we are prosperous, even if we have to go broke to do
it. -- Will Rogers
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: how to respond to possible attacks

2008-03-08 Thread Mel
On Saturday 08 March 2008 23:34:56 Robin Becker wrote:

 The originating ip doesn't seem to be reverse
 mappable.

sure it is: whois(1) is your friend.

-- 
Mel

Problem with today's modular software: they start with the modules
and never get to the software part.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: how to respond to possible attacks

2008-03-08 Thread Siraj Shaikh
On 08/03/2008, Robin Becker [EMAIL PROTECTED] wrote:
 Sorry if this is too off topic, but I would like to find out what to do
 when you suspect a possible dos attack on your system. I know there are
 many experienced sysadmins here.
 Although my system (freebsd 6.0/apache 2.0.x) did in fact hold up, what
 steps should I be taking? The originating ip doesn't seem to be reverse
 mappable.
 --

Robin

Are you only interested in finding out about the source of these
attacks, have you got some firewall configured? Is there any
particular service being targeted, what kind of packets are coming
through?

Also, making sure if the same ip is targetting any other hosts on your
network, or any previous attempts at probing this machine or other
hosts.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]