Back on July 15, we experienced our first known Denial of Service "attack" 
(more likely a problem server).
I reported it to our Internet Security group including:

From the nearly anonymous/invisible "TCPIP        MESSAGE" file in 
TCPMAINT's reader: 
---<snip>----
DTCUTI001E Serious problem encountered: 15:38:55 07/15/08 
DTCUTI002E     A denial-of-service attack has been detected 
---<snip>---

Issued after the nearly anonymous/invisible "TCPIP        MESSAGE" file in 
TCPMAINT's reader was accidentally discovered:
---<snip>---
netstat dos  
VM TCP/IP Netstat Level 510  
  
Maximum Number of Half Open Connections: 512   
  
Denial of service attacks:  
                                                   Attacks   Elapsed    Attack 
Attack   IP Address                               Detected      Time  Duration 
-------- --------------------------------------- --------- --------- --------- 
Smurf-IC 10.64.103.250                                   1   2:27:08   0:00:00 
Ready; T=0.02/0.02 18:13:13 
---<snip>--- 

So I asked our Internet Security team who might be the offending 
"10.64.103.250".  In turn they asked me for the port number being used for 
this attack, and the mac address of the attacking machine.  Unfortunately, 
none of that is available after the attack (which was admirably and 
automatically quashed by the z/VM TCPIP stack).

Would it be possible to include more information in the nearly 
anonymous/invisible "TCPIP        MESSAGE" file in TCPMAINT's reader, 
including the port being used and the MAC address, and the other 
information displayed by the NETSTAT DOS command?  If the attack is 
discovered after the next time the stack is restarted, NETSTAT DOS doesn't 
provide any information. Actually, I don't see any reason why all that 
information could not be logged to the TCPIP stack console itself - as a 
single point of reference should an investigation be required later.

BTW, the current release of VM:Operator loops (or otherwise fails to ever 
respond) when the NETSTAT command is issued, so we can't even issue an 
automated NETSTAT DOS command, trap the response, and try to gather useful 
information during the attack.

Mike Walter 
Hewitt Associates 
Any opinions expressed herein are mine alone and do not necessarily 
represent the opinions or policies of Hewitt Associates.
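As an added example (not part of Mike's post, and not z/VM TCP/IP or VM:Operator code), a small Python parser that turns the NETSTAT DOS table quoted above into structured records ready to forward to a central log, the "single point of reference" the post asks for. The sample input is constructed from the output shown in the post; the host tag and the output line format are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample: the NETSTAT DOS output quoted in the post, with the
# wrapped column headings re-joined into single lines.
NETSTAT_DOS_OUTPUT = """\
netstat dos
VM TCP/IP Netstat Level 510

Maximum Number of Half Open Connections: 512

Denial of service attacks:
                                                   Attacks   Elapsed    Attack
Attack   IP Address                               Detected      Time  Duration
-------- --------------------------------------- --------- --------- ---------
Smurf-IC 10.64.103.250                                   1   2:27:08   0:00:00
Ready; T=0.02/0.02 18:13:13
"""

# One table row: attack type, IPv4 address, count, elapsed h:mm:ss, duration h:mm:ss
ROW_RE = re.compile(
    r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)\s+(\d+:\d{2}:\d{2})\s+(\d+:\d{2}:\d{2})\s*$"
)


@dataclass
class DosEntry:
    attack: str
    ip: str
    detected: int
    elapsed_secs: int
    duration_secs: int


def hms_to_seconds(hms: str) -> int:
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_netstat_dos(text: str) -> list:
    """Return the rows of the 'Denial of service attacks' table as DosEntry records."""
    entries, in_table = [], False
    for line in text.splitlines():
        if line.startswith("--------"):      # dashed underline marks the start of rows
            in_table = True
            continue
        if not in_table:
            continue
        m = ROW_RE.match(line)
        if not m:                            # "Ready;" (or anything else) ends the table
            break
        entries.append(DosEntry(m.group(1), m.group(2), int(m.group(3)),
                                hms_to_seconds(m.group(4)), hms_to_seconds(m.group(5))))
    return entries


def to_log_lines(entries: list, host: str = "ZVMTCPIP") -> list:
    """Render entries as key=value lines (format is an assumption, not a z/VM one)."""
    return [f"{host} DOS attack={e.attack} src={e.ip} count={e.detected} "
            f"elapsed={e.elapsed_secs}s duration={e.duration_secs}s" for e in entries]
```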
