Dunno,  I'm not an IP (or networking) Wizard, either. 
Not sure what else might be able to be gathered, but at least TCPIP knows 
what port was being attacked.  Great minds will think of more.
Perhaps information for that IP address obtained from NETSTAT CONN? 
Wizards will think of more.

Anything else it could provide could be useful in tracking down the 
offending attacker, and preparing them for a public hanging.  ;-)

Mike Walter 
Hewitt Associates 
Any opinions expressed herein are mine alone and do not necessarily 
represent the opinions or policies of Hewitt Associates.

"Hughes, Jim" <[EMAIL PROTECTED]>
Sent by: "The IBM z/VM Operating System" <IBMVM@LISTSERV.UARK.EDU>
07/31/2008 09:31 AM
Please respond to "The IBM z/VM Operating System" <IBMVM@LISTSERV.UARK.EDU>

To: IBMVM@LISTSERV.UARK.EDU
cc:
Subject: Re: DOS attack details in

I used the IP address to track down the offending MAC system.

What other information would be available?  Just curious.

____________________________ 
Jim Hughes
603-271-5586
"It's kind of fun to do the impossible." (Walt Disney)


=>-----Original Message-----
=>From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Mike Walter
=>Sent: Thursday, July 31, 2008 10:25 AM
=>To: IBMVM@LISTSERV.UARK.EDU
=>Subject: Re: DOS attack details in
=>
=>Thanks, Jim,
=>
=>The source of this one-time attack is less important than getting clear
=>documentation about _who/what_ is doing the attack _when_ it happens.
=>I have no problem writing automation to gather the details no matter how
=>many hoops I have to jump through - until I have to jump through what I
=>then deem as "too many", at which point I'll whine about needing to
=>improve the diagnostic process flow!  :-)~
=>
=>But getting the details when they are available (we have the luxury of
=>IPLing each Sunday night - and DO), and getting them to the "right people"
=>nearer to the attack time: now IMHO, that's a worthy goal.
=>
=>Mike Walter
=>Hewitt Associates
=>Any opinions expressed herein are mine alone and do not necessarily
=>represent the opinions or policies of Hewitt Associates.
=>
=>"Hughes, Jim" <[EMAIL PROTECTED]>
=>Sent by: "The IBM z/VM Operating System" <IBMVM@LISTSERV.UARK.EDU>
=>07/31/2008 09:05 AM
=>Please respond to "The IBM z/VM Operating System" <IBMVM@LISTSERV.UARK.EDU>
=>
=>To: IBMVM@LISTSERV.UARK.EDU
=>cc:
=>Subject: Re: DOS attack details in
=>
=>We had this DOS attack and tracked it back to a MAC computer on the
=>network. It was doing some sort of broadcast network thing. I can supply
=>the details if it's important to anyone. Not being a network wizard, I
=>tend to forget the details.
=>
=>____________________________
=>Jim Hughes
=>603-271-5586
=>"It's kind of fun to do the impossible." (Walt Disney)
=>
=>=>-----Original Message-----
=>=>From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On Behalf Of Mike Walter
=>=>Sent: Thursday, July 31, 2008 9:28 AM
=>=>To: IBMVM@LISTSERV.UARK.EDU
=>=>Subject: DOS attack details in
=>=>
=>=>Back on July 15, we experienced our first known Denial of Service "attack"
=>=>(more likely a problem server).
=>=>I reported it to our Internet Security group including:
=>=>
=>=>From the nearly anonymous/invisible "TCPIP        MESSAGE" file in
=>=>TCPMAINT's reader:
=>=>---<snip>----
=>=>DTCUTI001E Serious problem encountered: 15:38:55 07/15/08
=>=>DTCUTI002E     A denial-of-service attack has been detected
=>=>---<snip>---
=>=>
=>=>Issued after the nearly anonymous/invisible "TCPIP        MESSAGE" file in
=>=>TCPMAINT's reader was accidentally discovered:
=>=>---<snip>---
=>=>netstat dos
=>=>VM TCP/IP Netstat Level 510
=>=>
=>=>Maximum Number of Half Open Connections: 512
=>=>
=>=>Denial of service attacks:
=>=>                                                   Attacks   Elapsed    Attack
=>=>Attack   IP Address                               Detected      Time  Duration
=>=>-------- --------------------------------------- --------- --------- ---------
=>=>Smurf-IC 10.64.103.250                                   1   2:27:08   0:00:00
=>=>Ready; T=0.02/0.02 18:13:13
=>=>---<snip>---
=>=>
=>=>So I asked our Internet Security team who might be the offending
=>=>"10.64.103.250".  In turn they asked me for the port number being used for
=>=>this attack, and the MAC address of the attacking machine. Unfortunately,
=>=>none of that is available after the attack (which was admirably and
=>=>automatically quashed by the z/VM TCPIP stack).
=>=>
=>=>Would it be possible to include more information in the nearly
=>=>anonymous/invisible "TCPIP        MESSAGE" file in TCPMAINT's reader,
=>=>including the port being used and the MAC address, and the other
=>=>information displayed by the NETSTAT DOS command?  If the attack is
=>=>discovered after the next time the stack is restarted, NETSTAT DOS doesn't
=>=>provide any information. Actually, I don't see any reason why all that
=>=>information could not be logged to the TCPIP stack console itself - as a
=>=>single point of reference should an investigation be required later.
=>=>
=>=>BTW, the current release of VM:Operator loops (or otherwise fails to ever
=>=>respond) when the NETSTAT command is issued, so we can't even issue an
=>=>automated NETSTAT DOS command, trap the response, and try to gather useful
=>=>information during the attack.
=>=>
=>=>Mike Walter
=>=>Hewitt Associates
=>=>Any opinions expressed herein are mine alone and do not necessarily
=>=>represent the opinions or policies of Hewitt Associates.
=>=>
=>=>The information contained in this e-mail and any accompanying documents
=>=>may contain information that is confidential or otherwise protected from
=>=>disclosure. If you are not the intended recipient of this message, or if
=>=>this message has been addressed to you in error, please immediately alert
=>=>the sender by reply e-mail and then delete this message, including any
=>=>attachments. Any dissemination, distribution or other use of the contents
=>=>of this message by anyone other than the intended recipient is strictly
=>=>prohibited. All messages sent to and from this e-mail address may be
=>=>monitored as permitted by applicable law and regulations to ensure
=>=>compliance with our internal policies and to protect our business. E-mails
=>=>are not secure and cannot be guaranteed to be error free as they can be
=>=>intercepted, amended, lost or destroyed, or contain viruses. You are
=>=>deemed to have accepted these risks if you communicate with us by e-mail.
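As an added example (not code from anyone in this thread), here is the kind of consolidation Mike's original post asks for: take the two-line DTCUTI001E/DTCUTI002E notice from the "TCPIP MESSAGE" file and the NETSTAT DOS table, and merge them into one record per attack that can be written to a console log or handed to the security team before the next IPL wipes the stack's counters. On z/VM itself this would live in a REXX exec in a service machine; Python is used here only to show the parsing logic portably. The sample input is constructed from the lines quoted in the thread, the regular expressions assume exactly that layout, and the `port` and `mac` fields are deliberately reported as unavailable because, as the thread says, the stack does not supply them.

```python
import re
from dataclasses import dataclass, asdict
from typing import List, Optional

# Constructed sample input, modelled on the TCPIP MESSAGE lines and the
# NETSTAT DOS output quoted in the thread (the values are the thread's own).
TCPIP_MESSAGE_FILE = """\
DTCUTI001E Serious problem encountered: 15:38:55 07/15/08
DTCUTI002E     A denial-of-service attack has been detected
"""

NETSTAT_DOS_OUTPUT = """\
VM TCP/IP Netstat Level 510

Maximum Number of Half Open Connections: 512

Denial of service attacks:
                                                   Attacks   Elapsed    Attack
Attack   IP Address                               Detected      Time  Duration
-------- --------------------------------------- --------- --------- ---------
Smurf-IC 10.64.103.250                                   1   2:27:08   0:00:00
Ready; T=0.02/0.02 18:13:13
"""

# DTCUTI001E carries the timestamp, DTCUTI002E the description (assumed layout).
MSG_001E = re.compile(r"^DTCUTI001E\s.*?:\s*(\d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d)\s*$")
MSG_002E = re.compile(r"^DTCUTI002E\s+(.*\S)\s*$")
# A data row of the NETSTAT DOS table: type, address, count, elapsed, duration.
# Header and dashed lines never match because their third field is not numeric.
DOS_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+:\d\d:\d\d)\s+(\d+:\d\d:\d\d)\s*$")
# The CMS Ready; line records when NETSTAT was issued.
READY_LINE = re.compile(r"^Ready;\s+T=\S+\s+(\d\d:\d\d:\d\d)")


def hms_to_seconds(hms: str) -> int:
    """Convert an H:MM:SS field from NETSTAT DOS into seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


@dataclass
class DosEvent:
    attack: str                         # e.g. Smurf-IC
    ip: str                             # source address reported by the stack
    attacks_detected: int
    elapsed_seconds: int
    duration_seconds: int
    first_seen: Optional[str] = None    # from DTCUTI001E, "MM/DD/YY HH:MM:SS"
    description: Optional[str] = None   # from DTCUTI002E
    netstat_time: Optional[str] = None  # Ready; timestamp when NETSTAT ran
    port: Optional[int] = None          # not reported by the stack
    mac: Optional[str] = None           # not reported by the stack either


def parse_tcpip_message(text: str) -> dict:
    """Pull the timestamp and description out of the TCPIP MESSAGE file."""
    found = {}
    for line in text.splitlines():
        m = MSG_001E.match(line)
        if m:
            found["first_seen"] = f"{m.group(2)} {m.group(1)}"
            continue
        m = MSG_002E.match(line)
        if m:
            found["description"] = m.group(1)
    return found


def parse_netstat_dos(text: str) -> List[DosEvent]:
    """Turn the NETSTAT DOS table into one DosEvent per attack row."""
    events: List[DosEvent] = []
    netstat_time = None
    for line in text.splitlines():
        r = READY_LINE.match(line)
        if r:
            netstat_time = r.group(1)
            continue
        m = DOS_ROW.match(line)
        if m:
            events.append(DosEvent(m.group(1), m.group(2), int(m.group(3)),
                                   hms_to_seconds(m.group(4)),
                                   hms_to_seconds(m.group(5))))
    for ev in events:
        ev.netstat_time = netstat_time
    return events


def build_events(message_text: str, netstat_text: str) -> List[DosEvent]:
    """Merge both sources into one record per attack for the console or a ticket."""
    msg = parse_tcpip_message(message_text)
    events = parse_netstat_dos(netstat_text)
    for ev in events:
        ev.first_seen = msg.get("first_seen")
        ev.description = msg.get("description")
    return events


def format_console_line(ev: DosEvent) -> str:
    """One key=value line per attack; fields the stack cannot supply say so."""
    pairs = (f"{k}={'unavailable' if v is None else v}" for k, v in asdict(ev).items())
    return "DOSATTACK " + " ".join(pairs)


if __name__ == "__main__":
    for event in build_events(TCPIP_MESSAGE_FILE, NETSTAT_DOS_OUTPUT):
        print(format_console_line(event))
```

The point of writing `port=unavailable` and `mac=unavailable` explicitly, rather than omitting the keys, is that whoever reads the consolidated line later (after the stack has been restarted and NETSTAT DOS shows nothing) can see at a glance which of the security team's questions the stack was never able to answer, instead of wondering whether the automation dropped them.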