Thanks, guys! 

Helpful information.   I'll have to print it and put it in the TCPIP Msgs 
and Codes manual right by the message:
DTCIPU086I A denial-of-service attack has been detected
Your words of wisdom go well beyond that found in the Messages and Codes 
in the manual (but at least it's not a self-descriptive message).

"Welcome to the Unix world", indeed!  :-(

And Alan, by NOTIFY could you actually have meant INFORM?  Perhaps you 
were just attempting to NOTIFY me to *look up* INFORM?   ;-)

The doc in the manual for INFORM is rather lackluster, stating: "Use the 
INFORM statement to define a list of users (called the INFORM list) who 
are to be sent messages in case of serious run-time conditions."  It does 
not indicate what a "message" might be, but it turns out that it is not 
only a message, but also a NETDATA format file sent to their reader. 
OPERATOR here cares little for reader files, while messages are useful. 
But does processing the "OBEYFILE" command qualify as one of the 
"serious run-time conditions"?  I ask that carefully, since processing the 
OBEYFILE command can rather seriously affect the run-time environment. But 
is it really an *error*?: 
FILE: TCPIP    MESSAGE  A1  Hewitt Associates                         PAGE 00001 
DTCUTI002E     OBEYFILE issued successfully by TCPMAINT. File INFORM TCPIP located on TCPMAINT 0191 dated 07/31/08 10:41  

Mike Walter 
Hewitt Associates 
Any opinions expressed herein are mine alone and do not necessarily 
represent the opinions or policies of Hewitt Associates.
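Added here as an example, not code from the thread, from IBM or from z/VM itself, and in Python rather than REXX so it runs anywhere: a parser that pulls the detection time out of the DTCUTI001E line and the attack rows out of the NETSTAT DOS report into one record, the kind of automation Mike describes wanting before a stack restart loses the NETSTAT data. The sample text is constructed from the output quoted in this thread (with the e-mail-wrapped table rows re-joined), and the function and field names are my own.

```python
# Added example, not from the list thread or from IBM/z/VM: pull the facts
# Mike wants forwarded out of the two places the thread says they live, the
# DTCUTI001E line in the TCPIP MESSAGE reader file and the NETSTAT DOS report.
# Samples are constructed from the thread; NETSTAT rows re-joined from wrapping.
import re

MESSAGE_FILE = """\
DTCUTI001E Serious problem encountered: 15:38:55 07/15/08
DTCUTI002E     A denial-of-service attack has been detected
"""

NETSTAT_DOS = """\
VM TCP/IP Netstat Level 510
Denial of service attacks:
                                                   Attacks   Elapsed    Attack
Attack   IP Address                               Detected      Time  Duration
-------- --------------------------------------- --------- --------- ---------
Smurf-IC 10.64.103.250                                   1   2:27:08   0:00:00
Ready; T=0.02/0.02 18:13:13
"""

SERIOUS_RE = re.compile(r"^DTCUTI001E Serious problem encountered: (\S+) (\S+)")
DOS_ROW_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\d+)"
                        r"\s+(\d+:\d\d:\d\d)\s+(\d+:\d\d:\d\d)\s*$")

def parse_message_file(text):
    """Time and date from the first DTCUTI001E line, or None if absent."""
    for line in text.splitlines():
        m = SERIOUS_RE.match(line)
        if m:
            return {"time": m.group(1), "date": m.group(2)}
    return None

def parse_netstat_dos(text):
    """One dict per attack row; banner, header, ruler and Ready lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = DOS_ROW_RE.match(line)
        if m:
            rows.append({"attack": m.group(1), "ip": m.group(2),
                         "detected": int(m.group(3)), "elapsed": m.group(4),
                         "duration": m.group(5),
                         # Smurf is ICMP echo (Miguel's reply): no port exists.
                         "port_applicable": not m.group(1).startswith("Smurf")})
    return rows

def build_alert(message_text, netstat_text):
    """Merge the detection time into each row for the INFORM recipients."""
    when = parse_message_file(message_text) or {}
    return [dict(row, **when) for row in parse_netstat_dos(netstat_text)]
```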



"Miguel Delapaz" <[EMAIL PROTECTED]> 
Sent by: "The IBM z/VM Operating System" <IBMVM@LISTSERV.UARK.EDU>
07/31/2008 10:17 AM
Please respond to "The IBM z/VM Operating System" <IBMVM@LISTSERV.UARK.EDU>

To: IBMVM@LISTSERV.UARK.EDU
cc:
Subject: Re: DOS attack details in

Mike,

Smurf attacks are malformed ICMP echo packets. They aren't directed to a 
particular port. You've got all the information there is :-)

Regards,
Miguel Delapaz
z/VM TCP/IP Development 


The IBM z/VM Operating System <IBMVM@LISTSERV.UARK.EDU> wrote on 
07/31/2008 07:40:23 AM:

> Re: DOS attack details in
> Mike Walter to: IBMVM, 07/31/2008 07:42 AM
> Sent by: The IBM z/VM Operating System <IBMVM@LISTSERV.UARK.EDU>
> Please respond to The IBM z/VM Operating System
> 
> Dunno,  I'm not an IP (or networking) Wizard, either. 
> Not sure what else might be able to be gathered, but at least TCPIP knows 
> what port was being attacked.  Great minds will think of more.
> Perhaps information for that IP address obtained from NETSTAT CONN? 
> Wizards will think of more.
> 
> Anything else it could provide could be useful in tracking down the 
> offending attacker, and preparing them for a public hanging.  ;-)
> 
> Mike Walter 
> Hewitt Associates 
> Any opinions expressed herein are mine alone and do not necessarily 
> represent the opinions or policies of Hewitt Associates.
> 
> 
> 
> 
> "Hughes, Jim" <[EMAIL PROTECTED]> 
> Sent by: "The IBM z/VM Operating System" <IBMVM@LISTSERV.UARK.EDU>
> 07/31/2008 09:31 AM
> Please respond to "The IBM z/VM Operating System" <IBMVM@LISTSERV.UARK.EDU>
> 
> To: IBMVM@LISTSERV.UARK.EDU
> cc:
> Subject: Re: DOS attack details in
> 
> I used the IP address to track down the offending MAC system.
> 
> What other information would be available?  Just curious.
> 
> ____________________________ 
> Jim Hughes
> 603-271-5586
> "It's kind of fun to do the impossible." (Walt Disney)
> 
> 
> =>-----Original Message-----
> =>From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
> =>Behalf Of Mike Walter
> =>Sent: Thursday, July 31, 2008 10:25 AM
> =>To: IBMVM@LISTSERV.UARK.EDU
> =>Subject: Re: DOS attack details in
> =>
> =>Thanks, Jim,
> =>
> =>The source of this one-time attack is less important than getting clear
> =>documentation about _who/what_ is doing the attack _when_ it happens.
> =>I have no problem writing automation to gather the details no matter how
> =>many hoops I have to jump through - until I have to jump through what I
> =>then deem as "too many", at which point I'll whine about needing to
> =>improve the diagnostic process flow!  :-)~
> =>
> =>But getting the details when they are available (we have the luxury of
> =>IPLing each Sunday night - and DO), and getting them to the "right people"
> =>nearer to the attack time: now IMHO, that's a worthy goal.
> =>
> =>Mike Walter
> =>Hewitt Associates
> =>Any opinions expressed herein are mine alone and do not necessarily
> =>represent the opinions or policies of Hewitt Associates.
> =>
> =>
> =>"Hughes, Jim" <[EMAIL PROTECTED]>
> =>Sent by: "The IBM z/VM Operating System" <IBMVM@LISTSERV.UARK.EDU>
> =>07/31/2008 09:05 AM
> =>Please respond to "The IBM z/VM Operating System" <IBMVM@LISTSERV.UARK.EDU>
> =>
> =>To: IBMVM@LISTSERV.UARK.EDU
> =>cc:
> =>Subject: Re: DOS attack details in
> =>
> =>We had this DOS attack and tracked it back to a MAC computer on the
> =>network. It was doing some sort of broadcast network thing. I can supply
> =>the details if it's important to anyone. Not being a network wizard, I
> =>tend to forget the details.
> =>
> =>____________________________
> =>Jim Hughes
> =>603-271-5586
> =>"It's kind of fun to do the impossible." (Walt Disney)
> =>
> =>=>-----Original Message-----
> =>=>From: The IBM z/VM Operating System [mailto:[EMAIL PROTECTED] On
> =>=>Behalf Of Mike Walter
> =>=>Sent: Thursday, July 31, 2008 9:28 AM
> =>=>To: IBMVM@LISTSERV.UARK.EDU
> =>=>Subject: DOS attack details in
> =>=>
> =>=>Back on July 15, we experienced our first known Denial of Service "attack"
> =>=>(more likely a problem server).
> =>=>I reported it to our Internet Security group including:
> =>=>
> =>=>From the nearly anonymous/invisible "TCPIP        MESSAGE" file in
> =>=>TCPMAINT's reader:
> =>=>---<snip>----
> =>=>DTCUTI001E Serious problem encountered: 15:38:55 07/15/08
> =>=>DTCUTI002E     A denial-of-service attack has been detected
> =>=>---<snip>---
> =>=>
> =>=>Issued after the nearly anonymous/invisible "TCPIP        MESSAGE" file in
> =>=>TCPMAINT's reader was accidentally discovered:
> =>=>---<snip>---
> =>=>netstat dos
> =>=>VM TCP/IP Netstat Level 510
> =>=>
> =>=>Maximum Number of Half Open Connections: 512
> =>=>
> =>=>Denial of service attacks:
> =>=>                                                   Attacks   Elapsed    Attack
> =>=>Attack   IP Address                               Detected      Time  Duration
> =>=>-------- --------------------------------------- --------- --------- ---------
> =>=>Smurf-IC 10.64.103.250                                   1   2:27:08   0:00:00
> =>=>Ready; T=0.02/0.02 18:13:13
> =>=>---<snip>---
> =>=>
> =>=>So I asked our Internet Security team who might be the offending
> =>=>"10.64.103.250".  In turn they asked me for the port number being used for
> =>=>this attack, and the MAC address of the attacking machine. Unfortunately,
> =>=>none of that is available after the attack (which was admirably and
> =>=>automatically quashed by the z/VM TCPIP stack).
> =>=>
> =>=>Would it be possible to include more information in the nearly
> =>=>anonymous/invisible "TCPIP        MESSAGE" file in TCPMAINT's reader,
> =>=>including the port being used and the MAC address, and the other
> =>=>information displayed by the NETSTAT DOS command?  If the attack is
> =>=>discovered after the next time the stack is restarted, NETSTAT DOS doesn't
> =>=>provide any information. Actually, I don't see any reason why all that
> =>=>information could not be logged to the TCPIP stack console itself - as a
> =>=>single point of reference should an investigation be required later.
> =>=>
> =>=>BTW, the current release of VM:Operator loops (or otherwise fails to ever
> =>=>respond) when the NETSTAT command is issued, so we can't even issue an
> =>=>automated NETSTAT DOS command, trap the response, and try to gather useful
> =>=>information during the attack.
> =>=>
> =>=>Mike Walter
> =>=>Hewitt Associates
> =>=>Any opinions expressed herein are mine alone and do not necessarily
> =>=>represent the opinions or policies of Hewitt Associates.
> =>=>
> =>=>
> =>=>
> =>=>
> =>=>The information contained in this e-mail and any accompanying
> =>documents
> =>=>may contain information that is confidential or otherwise protected
> =>from
> =>=>disclosure. If you are not the intended recipient of this message,
> or
> =>if
> =>=>this message has been addressed to you in error, please immediately
> =>alert
> =>=>the sender by reply e-mail and then delete this message, including
> any
> =>=>attachments. Any dissemination, distribution or other use of the
> =>contents
> =>=>of this message by anyone other than the intended recipient is
> =>strictly
> =>=>prohibited. All messages sent to and from this e-mail address may be
> =>=>monitored as permitted by applicable law and regulations to ensure
> =>=>compliance with our internal policies and to protect our business.
> =>E-mails
> =>=>are not secure and cannot be guaranteed to be error free as they can
> =>be
> =>=>intercepted, amended, lost or destroyed, or contain viruses. You are
> =>=>deemed to have accepted these risks if you communicate with us by
> =>e-mail.