Thanks. I am looking into all of that now.

On Mon, Aug 2, 2010 at 9:44 AM, Glenn Kelley <gl...@hostmedic.com> wrote:
> Jeremie,
>
> There are a few ways to investigate a suspected DoS attack.
> First and foremost you want to take a peek at your incoming connections.
>
> Do you see a large influx of incoming traffic?
> If so, are you able to identify where it is coming from?
>
> Chances are if you know where it is coming from you can simply ask your
> provider to null-route the traffic ahead of you.
>
> Commands like netstat -na can be a great friend in these cases if you
> have the ability to place something in between the connections.
>
> I personally love pfSense for this reason. pfSense can operate as a
> transparent firewall (and many other things...). But for free, it is an
> excellent tool; it loads on virtually any x86 system with 2 NICs.
>
> Anyhow, folks that do DoS or DDoS (Distributed Denial of Service)
> generally attack port 80 as well as mail ports.
> Many WISPs will keep port 80 open to the general public so they can reach
> the radios' configuration windows.
>
> While it is not something I would suggest, for a variety of reasons,
> chances are the port 80 of a customer's radio is what is getting whacked.
>
> Generally DDoS comes in as UDP packets to other ports, simply because of
> how UDP works: it does not cause them as much of an issue as it would you.
>
> So, a few commands might help here.
>
> netstat -anp | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk 1
>
> You can change the 80 above to any port you wish, such as 25 for SMTP, 53
> for DNS/named, etc.
>
> This should show you the # of connections from a specific IP.
> If you have a small # of connections from a very large number of IP
> addresses, then chances are you might be under DDoS.
>
> If there are a very large # of connections from just a few IPs, then it
> should be simple enough to ask the ISP to block or null-route those IP
> addresses.
>
> One last note:
>
> You might want to check the IPs against nslookup or use the
> DNSStuff.com toolset.
> I have helped a few through these over the years, and when they block the
> DNS servers many folks use, like 208.67.222.222 or 8.8.8.8, it really stinks
> for folks... for sure.
>
> So you want to make sure you are blocking the right thing, of course.
>
> Are you running anything like NTOP? There are a few simple things to have
> in place to watch incoming traffic when needed vs. hoping that it goes
> away...
>
> Kick back to me if you're lost and we can go off-list for some help.
>
> Glenn
>
> On Aug 2, 2010, at 9:56 AM, Jeremie Chism wrote:
>
> I noticed on Friday that everything I had seemed very slow. I went through
> checking the usual things and found no problem. After digging into
> everything I could put my hands on, I resorted to calling my upstream to see
> if they noticed any problems. They of course said no. At 4:30 that
> afternoon I got a call from one of their "engineers" stating that they had
> experienced a DoS attack that was affecting certain customers. They made
> some changes and it actually seemed to work better than before. Even my
> latency times had dropped. Today the problem seems to be creeping back to
> the same way it was Friday. My question is, is there a way to determine in
> the future that this is happening? Is there something specific that would
> lead me to the conclusion that in fact that is what is going on?
>
> --
> Jeremie Chism
> TritonDataLink
>
> --------------------------------------------------------------------------------
> WISPA Wants You! Join today!
> http://signup.wispa.org/
> --------------------------------------------------------------------------------
>
> WISPA Wireless List: wireless@wispa.org
>
> Subscribe/Unsubscribe:
> http://lists.wispa.org/mailman/listinfo/wireless
>
> Archives: http://lists.wispa.org/pipermail/wireless/
>
> _____________________________________________________________________________________
> Glenn Kelley | Principal | HostMedic | www.HostMedic.com
> Email: gl...@hostmedic.com
> Please don't print this e-mail unless you really need to.

--
Jeremie Chism
TritonDataLink
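Glenn's per-port connection count and his two rules of thumb (a few sources with many connections each versus many sources with one or two each), as an added example that is not part of the original thread and not Glenn's or Jeremie's code. It reads `netstat -an`-style lines, keeps only rows whose local port matches (a bare `grep :80` also matches a remote port 80 and a local :8080), skips listening sockets, unwraps IPv4-mapped IPv6 peers, summarises the pattern with illustrative thresholds, and refuses to nominate the public resolvers named in the thread for blocking. The netstat lines, hosts and thresholds are constructed for illustration; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original thread. Counts connections per
# remote IP the way Glenn describes, then classifies the pattern.

# Constructed sample in `netstat -an` layout (Proto Recv-Q Send-Q Local Foreign
# State). Not captured from any real host; addresses are documentation ranges.
SAMPLE='tcp        0      0 0.0.0.0:80             0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80            198.51.100.7:51234      ESTABLISHED
tcp        0      0 10.0.0.5:80            198.51.100.7:51235      ESTABLISHED
tcp        0      0 10.0.0.5:80            198.51.100.7:51236      ESTABLISHED
tcp        0      0 10.0.0.5:80            198.51.100.7:51237      ESTABLISHED
tcp        0      0 10.0.0.5:80            203.0.113.20:40001      SYN_RECV
tcp        0      0 10.0.0.5:80            203.0.113.21:40002      SYN_RECV
tcp        0      0 10.0.0.5:80            203.0.113.22:40003      SYN_RECV
tcp        0      0 10.0.0.5:8080          192.0.2.9:3333          ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.5:80     ::ffff:192.0.2.44:5555  ESTABLISHED
udp        0      0 10.0.0.5:53            8.8.8.8:53'

# count_by_peer PORT: netstat lines on stdin -> "count ip" lines, busiest first.
# Matches the *local* port only, drops listeners (foreign address ends in ":*"),
# and takes the text before the last colon so IPv6 peers are not mangled.
count_by_peer() {
    awk -v want=":$1\$" '
        $4 ~ want && $5 !~ /:\*$/ {
            n = split($5, a, ":")                       # a[n] is the remote port
            ip = substr($5, 1, length($5) - length(a[n]) - 1)
            sub(/^::ffff:/, "", ip)                     # unwrap IPv4-mapped IPv6
            c[ip]++
        }
        END { for (ip in c) print c[ip], ip }' | sort -k1,1nr -k2,2
}

# classify [PER_PEER] [PEERS]: reads count_by_peer output and names the pattern.
# Thresholds are assumptions for illustration; tune them to the host's normal load.
classify() {
    awk -v per_peer="${1:-50}" -v peers="${2:-500}" '
        { n++; if ($1 > max) max = $1 }
        END {
            if (n == 0)               print "quiet: no connections on that port"
            else if (max >= per_peer) print "concentrated: few sources, many connections each (ask upstream to null-route the top peers)"
            else if (n >= peers)      print "distributed: many sources, few connections each (likely DDoS; per-IP blocks will not help)"
            else                      print "normal: " n " peers, busiest has " max
        }'
}

# Public resolvers the thread warns against blocking by mistake; blocking one
# breaks DNS for every customer pointed at it. Extend with your own allowlist.
KNOWN_RESOLVERS="8.8.8.8 208.67.222.222"

# safe_to_block IP: returns 0 if IP is not a known resolver, 1 if it is.
safe_to_block() {
    for r in $KNOWN_RESOLVERS; do
        [ "$1" = "$r" ] && return 1
    done
    return 0
}

# Demo on the constructed sample. On a live host replace the printf with:
#   netstat -an | count_by_peer 80 | classify
printf '%s\n' "$SAMPLE" | count_by_peer 80
printf '%s\n' "$SAMPLE" | count_by_peer 80 | classify 3 100
for ip in $(printf '%s\n' "$SAMPLE" | count_by_peer 53 | awk '{print $2}'); do
    safe_to_block "$ip" || echo "skip $ip: known public resolver"
done
```

Run it on the host that is slow, or on a pfSense box sitting inline, with `netstat -an | count_by_peer 80 | classify`. The list of top peers is what you hand to the upstream for null-routing; do the reverse lookup Glenn mentions (`host <ip>` or `nslookup <ip>`) by hand before that call, since it needs the network and is left out of the script.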