Hi,

The problem you are facing does look like some kind of DOS. In addition to
checking for the normal well-known DOS attacks, I would recommend you to check
all your internal hosts for Code Red or Nimda infection. In the event of any
such infection, the volume of outgoing probes on http port 80 could possibly
lead to overloads on your Internet links or probably on your gateway device
or LAN device.
I hope this suggestion helps. I know of at least 2-3 small networks which
got swamped due to http probes from internal affected systems - in 1 case it
was a laptop which had got infected via dial-up connection and spread the
infection to other internal hosts.

Regards,

Salil.
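As an added illustration of the check suggested above (not part of the original mail), the script below looks for the traffic signature an infected host produces: one internal source opening connections to an unusually large number of distinct destinations on port 80. The log format and the sample lines are constructed for this example, and the threshold of 25 distinct hosts is an assumption to tune against normal browsing on your network.

```python
"""Flag internal hosts that fan out HTTP connections to many distinct
destinations, the traffic pattern Code Red / Nimda scanning produces.
Added example; the log format below is a constructed, simplified
'timestamp src dst dport' format, not any particular vendor's."""
from collections import defaultdict

# Constructed sample: a normal host browsing a few sites, and one host
# probing dozens of distinct addresses on port 80 within a minute.
SAMPLE_LOG = "\n".join(
    ["2001-10-20T00:01:%02d 192.168.1.10 64.58.76.%d 80" % (i, i) for i in range(3)]
    + ["2001-10-20T00:01:%02d 192.168.1.23 10.%d.%d.1 80" % (i % 60, i, i + 1)
       for i in range(40)]
    + ["2001-10-20T00:01:30 192.168.1.10 192.168.1.1 53"]
)


def parse_line(line):
    """Return (ts, src, dst, dport) or None for malformed lines."""
    parts = line.split()
    if len(parts) != 4 or not parts[3].isdigit():
        return None
    return parts[0], parts[1], parts[2], int(parts[3])


def fanout_by_source(log_text, port=80):
    """Map each source IP to the set of distinct destinations it hit on `port`."""
    fanout = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] == port:
            fanout[rec[1]].add(rec[2])
    return fanout


def suspected_scanners(log_text, port=80, threshold=25):
    """Sources contacting more than `threshold` distinct hosts on `port`.
    The threshold is an assumption; tune it to the network's normal browsing."""
    return sorted(src for src, dsts in fanout_by_source(log_text, port).items()
                  if len(dsts) > threshold)


if __name__ == "__main__":
    for src in suspected_scanners(SAMPLE_LOG):
        print("check %s for Code Red / Nimda infection" % src)
```

Feed it your gateway or firewall connection log (after converting to the four-field form) and each flagged source is a host worth scanning for infection before you look further afield for an external DOS.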
----- Original Message -----
From: Alan Spicer <[EMAIL PROTECTED]>
To: Tom Le <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>
Sent: Saturday, October 20, 2001 12:19 AM
Subject: RE: recover from possible DOS attack!


> What kind of router? ...and what kind of net connection do you
> have? There is a lot that you can do, but more information is
> needed to help you. (How are you sending email now?)
>
> If it is a Cisco router you can check and see what's going on
> right there on the router. If the router can reach out then
> your problem might be an internal LAN problem. You can also ping
> between your internal lan hosts to see if they can reach each
> other. If not you need to do a divide-and-conquer on the internal
> LAN hub(s) and/or switch(es).
>
> Try:
> ping <ip address>
> (where "<ip address>" is an ip address you know that is good.
> If DNS resolution works you can "ping www.yahoo.com" or such.
> A good ip to ping is your ISP's end of your Internet connection.
> In other words your ISP's router ip.)
>
> Check and see if your line protocol is up on the router. Try:
>
> show ip int br (to see what interfaces you have for ip)
>
> show int s0 (an example, assuming your interface to the
> world was Serial 0 or "s0")
>
> That should output something like:
>
> Serial0 is up,line protocol is up (and a whole lot more stuff,
> but the most important is the interface is UP or DOWN and the
> line protocol is UP or DOWN. If it's down it may be time to
> call your chief network guy or call your ISP's Network Operation
> Center.)
>
> You can "bounce" an interface by taking it down manually and
> then bringing it back up again...
>
> (Cisco - you need "enable" password)
> ena
> Password: *****
> Cisco# conf t
> Cisco(Config)# int s0
> Cisco(Config-if)# shutdown
>
> (then count to 10 or 20)
>
> Cisco(Config-if)# no shutdown
> Cisco(Config-if)# ^Z (control-z)
>
> (then try the show int s0 again...)
>
> P.S. If you suspect a DoS attack, you need to find out what
> kind of DoS attack it is/was. One old typical one was the
> Smurf ... which can be prevented by not allowing directed
> broadcasts. I have lived through some Smurf attacks myself
> on a small/mid sized network. If you have LAN switches such
> as 3com or Cisco, you will see the activity lights on the
> switches throb as you are inundated with directed broadcasts
> which every one of your hosts responds to.
>
> If you don't have a firewall ... you should consider one.
> Routers can also be configured with "access-list"s to act
> as sort of a firewall.
>
>
>
> -------------------------------------------
> Alan G. Spicer - CCNA      |Unix, Linux, &
> ([EMAIL PROTECTED])   |Network Systems
> http://aspicer.dns2go.com/ |Administration
> ([EMAIL PROTECTED])  |
> -------------------------------------------
> Visions of Fiber Optic Sugar Plums Dance in
>  your Head.
> -------------------------------------------
>
>
> -----Original Message-----
> From: Tom Le [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, October 17, 2001 1:13 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: recover from possible DOS attack!
>
>
> Gavin,
>
> Try doing a traceroute to your router's IP address and see if you can
> connect.  You can use one of the traceroute servers on traceroute.org, or
> one of my favorites is http://visualroute.visualware.co.uk/ which gives
> you a visual view and more info on performance, any blocked traffic, etc.
>
> Tom
>
>
> |  -----Original Message-----
> |  From: Gavin [mailto:[EMAIL PROTECTED]]
> |  Sent: Wednesday, October 17, 2001 8:13 PM
> |  To: [EMAIL PROTECTED]
> |  Subject: recover from possible DOS attack!
> |  Importance: High
> |
> |
> |  Help!
> |
> |  I work at a small company and for the last 4 days our small network (4
> |  computers!!!) could not and still can not get online, I told my
> |  boss it might
> |  be a DOS (Denial of service) attack. all the files seem to be OK
> |  but I just
> |  can't get online, Question, how do you recover from this type of
> |  attack??
> |
> |  The OS's are Windows ME and windows 2000 the other boxes are
> |  linux (Mandrake
> |  and RedHat) all connected via a router.  My friend told me to
> |  just reset the
> |  router connection (internet connection) and all will be well,
> |  but I just want
> |  some expert advice before doing so.  I hope to hear from someone soon.
> |
> |  Sincerely
> |
> |  Operator  (Gavin)
> |  Fukushimaken, Fukushima City
> |  Japan
> |
>
>
>