Thanks.  I am looking into all of that now.

On Mon, Aug 2, 2010 at 9:44 AM, Glenn Kelley <gl...@hostmedic.com> wrote:

> Jeremie
>
> there are a few ways to investigate a suspected DoS attack.
> First and foremost you want to take a peek at your incoming connections.
>
> Do you see a large influx of incoming traffic?
> If so - are you able to identify where it is coming from?
>
> Chances are if you know where it is coming from you can simply ask your
> provider to null route the traffic ahead of you.
>
>
> Commands like netstat -na  can be a great friend in these cases if you
> have the ability to place something in between the connections.
>
> I personally love PFSense for this reason.   PFSense can operate as a
> transparent firewall (and many other things... )   But for Free - it is an
> excellent tool -  loads on virtually any x86 system with 2 NIC cards.
>
> Anyhow - Folks that do DoS or DDoS (Distributed Denial of Service)
> generally attack port 80 as well as mail ports.
> Many WISPs will keep port 80 open to the general public so they can reach
> the radios' configuration windows.
>
> While it is not something I would suggest - for a variety of reasons -
> chances are the port 80 of a customer's radio is what is getting whacked.
>
> Generally DDoS comes in as UDP packets to other ports - simply because of
> how UDP works - it does not cause them as much of an issue as it would you.
>
>
> So - a few commands might help here.
>
> netstat -an | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk1
>
>
> you can change the 80 above to any port you wish such as 25 for smtp, 53
> for dns/named , etc etc etc...
>
> This should show you the # of connections from a specific IP.
> If you have a small # of connections from very large numbers of IP
> addresses - then chances are you might be under DDoS.
>
> If there are a very large # of connections from just a few IPs, then it
> should be simple enough to ask the ISP to block or null route those IP
> addresses.
>
> One last note -
>
> You might want to check the IPs against nslookup or use the
> DNSStuff.com toolset.
> I have helped a few through these over the years and when they block the
> DNS servers many folks use like 208.67.222.222 or 8.8.8.8 it really stinks
> for folks... for sure.
>
> So you want to make sure you are blocking the right thing of course.
>
> Are you running anything like NTOP ?  There are a few simple things to have
> in place to watch incoming traffic when needed vs hoping that it goes
> away...
>
> Kick back to me if you're lost - and we can go off list for some help
>
> Glenn
>
>
>
> On Aug 2, 2010, at 9:56 AM, Jeremie Chism wrote:
>
> I noticed on Friday that everything I had seemed very slow. I went through
> checking the usual things and found no problem.  After digging into
> everything I could put my hands on, I resorted to calling my upstream to see
> if they noticed any problems.  They of course said no.  At 430 that
> afternoon I got a call from one of their "engineers" stating that they had
> experienced a DOS attack that was affecting certain customers.  They made
> some changes and it actually seemed to work better than before.  Even my
> latency times had dropped.  Today the problem seems to be creeping back to
> the same way it was Friday.  My question is, is there a way to determine in
> the future that this is happening?  Is there something specific that would
> lead me to the conclusion that in fact that is what is going on?
>
> --
> Jeremie Chism
> TritonDataLink
>
>
>
> --------------------------------------------------------------------------------
> WISPA Wants You! Join today!
> http://signup.wispa.org/
>
> --------------------------------------------------------------------------------
>
> WISPA Wireless List: wireless@wispa.org
>
> Subscribe/Unsubscribe:
> http://lists.wispa.org/mailman/listinfo/wireless
>
> Archives: http://lists.wispa.org/pipermail/wireless/
>
>
>
> _____________________________________________________________________________________
> *Glenn Kelley | Principal | HostMedic | www.HostMedic.com*
>   Email: gl...@hostmedic.com
> Please don't print this e-mail unless you really need to.
>
>
>
>
>
>



-- 
Jeremie Chism
TritonDataLink
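The per-IP connection count that Glenn's netstat pipeline produces, plus the two-pattern triage he describes (a few IPs with many connections vs. many IPs with a few each) and a check that the block list does not include the public resolvers he warns about. This is an added example, not code from the thread; the netstat sample, the thresholds and the resolver allowlist are constructed assumptions.

```python
from collections import Counter

# Public resolvers the post warns against blocking by mistake.
DO_NOT_BLOCK = {"208.67.222.222", "8.8.8.8"}

# Constructed sample of `netstat -an` output (Linux layout), not real traffic.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.1.1.5:80             198.51.100.7:51234      ESTABLISHED
tcp        0      0 10.1.1.5:80             198.51.100.7:51235      ESTABLISHED
tcp        0      0 10.1.1.5:80             198.51.100.7:51236      SYN_RECV
tcp        0      0 10.1.1.5:80             203.0.113.9:40001       ESTABLISHED
tcp        0      0 10.1.1.5:80             8.8.8.8:33333           ESTABLISHED
tcp6       0      0 2001:db8::5:80          2001:db8:1::9:5001      ESTABLISHED
"""

def remote_ip(foreign):
    """Strip the port from a netstat foreign-address field (works for IPv6 too)."""
    return foreign.rpartition(":")[0]

def count_by_remote_ip(netstat_output, local_port):
    """Count connections per remote IP to local_port, skipping LISTEN rows."""
    counts = Counter()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # header line, udp rows, unix sockets
        local, foreign, state = fields[3], fields[4], fields[5]
        if state == "LISTEN" or not local.endswith(":%d" % local_port):
            continue
        counts[remote_ip(foreign)] += 1
    return counts

def classify(counts, per_ip_threshold=50, distinct_threshold=1000):
    """Triage into the two patterns the post describes; thresholds are assumptions."""
    heavy = sorted(ip for ip, n in counts.items() if n >= per_ip_threshold)
    if heavy:
        return "few-sources", heavy
    if len(counts) >= distinct_threshold:
        return "distributed", []
    return "normal", []

def block_candidates(ips):
    """Drop public resolvers so a block request does not take out DNS for everyone."""
    return [ip for ip in ips if ip not in DO_NOT_BLOCK]
```

Run it against live output with `count_by_remote_ip(subprocess.check_output(["netstat", "-an"], text=True), 80)` and hand the `few-sources` list, after `block_candidates`, to the upstream.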

