We had a DOS attack a couple of years ago and duly reported it to our
Info Sec group. We got no response. When it happened again one month
later, we tracked it down to a server owned by Info. Sec. We blocked its
IP address and have had no problem since. It seems that those folks have
an automated monthly probe of every IP address on our intranet. 

Regards, 
Richard Schuh 


> -----Original Message-----
> From: The IBM z/VM Operating System 
> [mailto:[EMAIL PROTECTED] On Behalf Of Mike Walter
> Sent: Thursday, July 31, 2008 6:28 AM
> To: IBMVM@LISTSERV.UARK.EDU
> Subject: DOS attack details in
> 
> Back on July 15, we experienced our first known Denial of 
> Service "attack" 
> (more likely a problem server).
> I reported it to our Internet Security group including:
> 
> From the nearly anonymous/invisible "TCPIP        MESSAGE" file in 
> TCPMAINT's reader: 
> ---<snip>----
> DTCUTI001E Serious problem encountered: 15:38:55 07/15/08 
> DTCUTI002E     A denial-of-service attack has been detected 
> ---<snip>---
> 
> Issued after the nearly anonymous/invisible "TCPIP        
> MESSAGE" file in 
> TCPMAINT's reader was accidentally discovered:
> ---<snip>---
> netstat dos
> VM TCP/IP Netstat Level 510  
>   
> Maximum Number of Half Open Connections: 512   
>   
> Denial of service attacks:
>                                                    Attacks   Elapsed    Attack
> Attack   IP Address                               Detected      Time  Duration
> -------- --------------------------------------- --------- --------- ---------
> Smurf-IC 10.64.103.250                                   1   2:27:08   0:00:00
> Ready; T=0.02/0.02 18:13:13
> ---<snip>--- 
> 
> So I asked our Internet Security team who might be the 
> offending "10.64.103.250".  In turn they asked me for the 
> port number being used for this attack, and the mac address 
> of the attacking machine.  Unfortunately, none of that is 
> available after the attack (which was admirably and 
> automatically quashed by the z/VM TCPIP stack).
> 
> Would it be possible to include more information in the nearly 
> anonymous/invisible "TCPIP        MESSAGE" file in TCPMAINT's 
> reader,
> including the port being used and the MAC address, and the 
> other information displayed by the NETSTAT DOS command?  If 
> the attack is discovered after the next time the stack is 
> restarted, NETSTAT DOS doesn't provide any information. 
> Actually, I don't see any reason why all that information 
> could not be logged to the TCPIP stack console itself - as a 
> single point of reference should an investigation be required later.
> 
> BTW, the current release of VM:Operator loops (or otherwise 
> fails to ever
> respond) when the NETSTAT command is issued, so we can't even 
> issue an automated NETSTAT DOS command, trap the response, 
> and try to gather useful information during the attack.
> 
> Mike Walter
> Hewitt Associates
> Any opinions expressed herein are mine alone and do not 
> necessarily represent the opinions or policies of Hewitt Associates.
> 

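The two artifacts quoted above (the DTCUTI lines from the "TCPIP MESSAGE" file and the NETSTAT DOS table) are all a z/VM administrator has to work from once the stack has quashed an attack, and the NETSTAT view is gone after the next restart. As an added example that is not part of this thread and is not IBM code, here is a small Python parser that turns both into structured incident records so that detection time, attack type, source address and counters are kept in a log of the operator's own. The sample text is constructed from the quoted output, and the record field names are this example's own choice. Port and MAC fields are recorded as empty because, as the thread notes, the stack does not report them.

```python
"""Parse z/VM TCP/IP denial-of-service evidence into incident records.

Added example, not code from the mailing list or from IBM. Input formats
follow the DTCUTI001E/DTCUTI002E lines and the NETSTAT DOS table quoted
in the thread; everything else (field names, record layout) is assumed.
"""
import re
from datetime import datetime

# Constructed sample: the two lines quoted from the TCPIP MESSAGE file.
SAMPLE_MESSAGE_FILE = """\
DTCUTI001E Serious problem encountered: 15:38:55 07/15/08
DTCUTI002E     A denial-of-service attack has been detected
"""

# Constructed sample: NETSTAT DOS output as quoted in the thread.
SAMPLE_NETSTAT_DOS = """\
VM TCP/IP Netstat Level 510

Maximum Number of Half Open Connections: 512

Denial of service attacks:
                                                   Attacks   Elapsed    Attack
Attack   IP Address                               Detected      Time  Duration
-------- --------------------------------------- --------- --------- ---------
Smurf-IC 10.64.103.250                                   1   2:27:08   0:00:00
Ready; T=0.02/0.02 18:13:13
"""

MSG_RE = re.compile(r"^(DTCUTI\d{3}[EIW])\s+(.*)$")          # message id + text
TIMESTAMP_RE = re.compile(r"(\d{2}:\d{2}:\d{2}) (\d{2}/\d{2}/\d{2})")  # hh:mm:ss mm/dd/yy
ROW_RE = re.compile(                                          # one NETSTAT DOS row
    r"^(?P<attack>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<detected>\d+)\s+"
    r"(?P<elapsed>\d+:\d{2}:\d{2})\s+(?P<duration>\d+:\d{2}:\d{2})\s*$"
)


def parse_message_file(text):
    """Return one dict per DTCUTIxxx line; DTCUTI001E carries the timestamp."""
    events = []
    for line in text.splitlines():
        m = MSG_RE.match(line.strip())
        if not m:
            continue
        msg_id, body = m.groups()
        event = {"id": msg_id, "text": body.strip(), "time": None}
        ts = TIMESTAMP_RE.search(body)
        if ts:
            event["time"] = datetime.strptime(" ".join(ts.groups()), "%H:%M:%S %m/%d/%y")
        events.append(event)
    return events


def hms_to_seconds(hms):
    """Convert an h:mm:ss counter such as 2:27:08 into seconds."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_netstat_dos(text):
    """Return {'half_open_max': int or None, 'attacks': [row dicts]}."""
    result = {"half_open_max": None, "attacks": []}
    for line in text.splitlines():
        stripped = line.strip()
        m = re.search(r"Maximum Number of Half Open Connections:\s+(\d+)", stripped)
        if m:
            result["half_open_max"] = int(m.group(1))
            continue
        row = ROW_RE.match(stripped)       # header/separator/Ready lines do not match
        if row:
            result["attacks"].append({
                "attack": row["attack"],
                "source_ip": row["ip"],
                "detected": int(row["detected"]),
                "elapsed_s": hms_to_seconds(row["elapsed"]),
                "duration_s": hms_to_seconds(row["duration"]),
            })
    return result


def build_incident_records(message_text, netstat_text):
    """Join the message-file timestamp to each NETSTAT DOS row.

    Port and MAC address are not reported by the stack (the gap raised in the
    thread), so they are kept as None and must be filled from another source.
    """
    events = parse_message_file(message_text)
    detected_at = next((e["time"] for e in events if e["time"]), None)
    flagged = any(e["id"] == "DTCUTI002E" for e in events)
    stats = parse_netstat_dos(netstat_text)
    records = []
    for row in stats["attacks"]:
        records.append({
            "detected_at": detected_at.isoformat() if detected_at else None,
            "stack_flagged_dos": flagged,
            "half_open_max": stats["half_open_max"],
            "port": None,
            "mac": None,
            **row,
        })
    return records


if __name__ == "__main__":
    for rec in build_incident_records(SAMPLE_MESSAGE_FILE, SAMPLE_NETSTAT_DOS):
        print(rec)
```

The point of keeping `elapsed_s` and `duration_s` as integers is that a scheduled job (the automated NETSTAT DOS that the thread says VM:Operator could not issue) can compare successive snapshots and notice when the "Attacks Detected" counter moves, without re-parsing clock strings.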