The following message is appearing within all TCPIP logs:
DTCIPU086I A denial-of-service attack has been detected
netstat dos
VM TCP/IP Netstat Level 510
Maximum Number of Half Open Connections: 256
Denial of service attacks:
Attacks Elapsed
Attack
Attack IP Address Detected Time
Duration
-------- --------------------------------------- --------- ---------
---------
Smurf-IC xxx.xxx.xxx.2 3 6:27:33
3:49:01
xxx.xxx.xxx.3 3 6:23:37
3:49:04
Ready; T=0.02/0.03 13:11:31
The first occurance of the DoS message first appears at 6:25 am every day.
The strange thing about these DoSs is:
Defaultnet is xxx.xxx.xxx.1
Usable IPs start at xxx.xxx.xxx.4
I have asked our network group what is occurring at 6:25 each day. I was
told it was not a true DoS because it was within the network for the
mainframe... That may be the case, but every day at 6:25 a DoS occurs and
repeats throughout the day.
I have scanned the TCPIP configuration options to see if there was something
that could trigger this. I didn't find anything. Did I miss something?
Could the TCPIP configuration trigger DoSs? If so, what do I need to look
for so that they do not occur?
Thank you.
Cecelia Dusha
