We had this DoS attack and tracked it back to a Mac computer on the
network. It was doing some sort of broadcast network thing. I can supply
the details if it's important to anyone. Not being a network wizard, I
tend to forget the details.

____________________________ 
Jim Hughes
603-271-5586
"It's kind of fun to do the impossible." (Walt Disney)

=>-----Original Message-----
=>From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED]
=>On Behalf Of Mike Walter
=>Sent: Thursday, July 31, 2008 9:28 AM
=>To: IBMVM@LISTSERV.UARK.EDU
=>Subject: DOS attack details in
=>
=>Back on July 15, we experienced our first known Denial of Service
=>"attack" (more likely a problem server).
=>I reported it to our Internet Security group including:
=>
=>From the nearly anonymous/invisible "TCPIP        MESSAGE" file in
=>TCPMAINT's reader:
=>---<snip>----
=>DTCUTI001E Serious problem encountered: 15:38:55 07/15/08
=>DTCUTI002E     A denial-of-service attack has been detected
=>---<snip>---
=>
=>Issued after the nearly anonymous/invisible "TCPIP        MESSAGE"
=>file in TCPMAINT's reader was accidentally discovered:
=>---<snip>---
=>netstat dos
=>VM TCP/IP Netstat Level 510
=>
=>Maximum Number of Half Open Connections: 512
=>
=>Denial of service attacks:
=>                                                   Attacks   Elapsed    Attack
=>Attack   IP Address                               Detected      Time  Duration
=>-------- --------------------------------------- --------- --------- ---------
=>Smurf-IC 10.64.103.250                                   1   2:27:08   0:00:00
=>Ready; T=0.02/0.02 18:13:13
=>---<snip>---
=>
=>So I asked our Internet Security team who might be the offending
=>"10.64.103.250".  In turn they asked me for the port number being used
=>for this attack, and the MAC address of the attacking machine.
=>Unfortunately, none of that is available after the attack (which was
=>admirably and automatically quashed by the z/VM TCPIP stack).
=>
=>Would it be possible to include more information in the nearly
=>anonymous/invisible "TCPIP        MESSAGE" file in TCPMAINT's reader,
=>including the port being used and the MAC address, and the other
=>information displayed by the NETSTAT DOS command?  If the attack is
=>discovered after the next time the stack is restarted, NETSTAT DOS
=>doesn't provide any information.  Actually, I don't see any reason why
=>all that information could not be logged to the TCPIP stack console
=>itself, as a single point of reference should an investigation be
=>required later.
=>
=>BTW, the current release of VM:Operator loops (or otherwise fails to
=>ever respond) when the NETSTAT command is issued, so we can't even
=>issue an automated NETSTAT DOS command, trap the response, and try to
=>gather useful information during the attack.
=>
=>Mike Walter
=>Hewitt Associates
=>Any opinions expressed herein are mine alone and do not necessarily
=>represent the opinions or policies of Hewitt Associates.
=>
=>
=>
=>
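The thread's practical problem is that the only two artefacts the stack leaves behind (the DTCUTI001E/DTCUTI002E pair in the TCPIP MESSAGE reader file and the NETSTAT DOS report, which is lost at the next stack restart) are never joined into one record that an investigator can use later. The following is an added example, not IBM code and not from either poster, of a small parser that turns those two artefacts, as quoted in the message above, into one key=value event line suitable for a console log or a SIEM. It assumes only the layouts visible in the quoted output: the message line `DTCUTI001E Serious problem encountered: HH:MM:SS MM/DD/YY`, and NETSTAT DOS rows of attack type, IP address, count, elapsed time and attack duration separated by whitespace. Both sample inputs are constructed to match the quoted output. It does not try to recover the port or MAC address, since the report does not carry them; how the NETSTAT DOS text is captured (given the VM:Operator problem the poster describes) is also outside the example.

```python
"""Join the z/VM TCPIP MESSAGE file and NETSTAT DOS report into one event line.

Added example for this list thread; not IBM code and not the poster's.
Assumed layouts are only those visible in the quoted output.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Constructed sample: the two DTCUTI lines from TCPMAINT's reader file.
MESSAGE_FILE = """\
DTCUTI001E Serious problem encountered: 15:38:55 07/15/08
DTCUTI002E     A denial-of-service attack has been detected
"""

# Constructed sample: the NETSTAT DOS report as quoted in the thread.
NETSTAT_DOS = """\
VM TCP/IP Netstat Level 510

Maximum Number of Half Open Connections: 512

Denial of service attacks:
                                                   Attacks   Elapsed    Attack
Attack   IP Address                               Detected      Time  Duration
-------- --------------------------------------- --------- --------- ---------
Smurf-IC 10.64.103.250                                   1   2:27:08   0:00:00
Ready; T=0.02/0.02 18:13:13
"""

_MSG_RE = re.compile(r"^DTCUTI001E Serious problem encountered:\s+(\d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d)")
_HALF_OPEN_RE = re.compile(r"^Maximum Number of Half Open Connections:\s+(\d+)")
# attack type, IP, count, elapsed H:MM:SS, duration H:MM:SS (no field contains spaces)
_ROW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+:\d\d:\d\d)\s+(\d+:\d\d:\d\d)\s*$")


@dataclass
class DosAttack:
    attack: str          # e.g. Smurf-IC
    ip: str              # address the stack attributes the attack to
    detected: int        # 'Attacks Detected' column
    elapsed: timedelta   # 'Elapsed Time' column
    duration: timedelta  # 'Attack Duration' column


def parse_message_time(text: str) -> Optional[datetime]:
    """Timestamp from the DTCUTI001E line, or None if no such line is present."""
    for line in text.splitlines():
        m = _MSG_RE.match(line)
        if m:
            return datetime.strptime(f"{m.group(2)} {m.group(1)}", "%m/%d/%y %H:%M:%S")
    return None


def _hms(s: str) -> timedelta:
    h, m, sec = (int(x) for x in s.split(":"))
    return timedelta(hours=h, minutes=m, seconds=sec)


def parse_netstat_dos(text: str) -> Tuple[Optional[int], List[DosAttack]]:
    """Return (max half-open connections, attack rows) from a NETSTAT DOS report."""
    max_half_open = None
    attacks: List[DosAttack] = []
    in_table = False
    for line in text.splitlines():
        m = _HALF_OPEN_RE.match(line)
        if m:
            max_half_open = int(m.group(1))
            continue
        if line.startswith("--------"):
            in_table = True          # dashed separator ends the column headers
            continue
        if not in_table:
            continue
        if line.startswith("Ready;") or not line.strip():
            break                    # CMS ready prompt closes the report
        m = _ROW_RE.match(line)
        if m:
            attacks.append(DosAttack(m.group(1), m.group(2), int(m.group(3)),
                                     _hms(m.group(4)), _hms(m.group(5))))
    return max_half_open, attacks


def event_lines(message_text: str, netstat_text: str) -> List[str]:
    """One key=value line per attack row, stamped with the message-file time."""
    ts = parse_message_time(message_text)
    max_half_open, attacks = parse_netstat_dos(netstat_text)
    stamp = ts.isoformat() if ts else "unknown"
    return [
        f"event=zvm_tcpip_dos detected_at={stamp} attack={a.attack} src_ip={a.ip} "
        f"count={a.detected} elapsed_s={int(a.elapsed.total_seconds())} "
        f"duration_s={int(a.duration.total_seconds())} max_half_open={max_half_open}"
        for a in attacks
    ]


if __name__ == "__main__":
    for line in event_lines(MESSAGE_FILE, NETSTAT_DOS):
        print(line)
```

Because the report is gone after a stack restart, the point of running this from a service machine is to write the event line somewhere durable as soon as the DTCUTI002E message appears, rather than relying on someone noticing the reader file later.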
