Sorry for the length but this is a real problem to me!
I've spent a lot of time reading this forum but only recently, due to
budget cuts, been forced into a security position. And now I'm having a
BIG problem! One of my networks (NOT Knightworld.net!) has a file server
that is occasionally locking up, and it takes most of the network with
it. The whole network is slow until we reboot this machine. Sounds like
a DoS attack, but here's where my knowledge ends. I finally got a Netmon
capture of this incident. The File Server is being flooded with packets
from the MS ISA server. The pattern of these packets is very distinct, 1
frame from <Fileserver> to <ISA>, which has 40 length (20 header, 20
payload), followed by 2 or 3 frames from <ISA> to <Fileserver>. Each of
these frames is exactly 1500. Considering there were over 100,000 of
these frames in the space of 30 seconds, that's very odd!
On examining the payload of these frames, I can't discern anything in
the small frames. But the large frames (1500 length) have a very weird
payload, some of which I've copied at the bottom of this email. The
payload of these packets is HTTP header data. The source IP is something
in the 147.100.x.x range (this site switched from 147.100.x.x to a 10.x
scheme in July 2002). The date & timestamp are the strangest -
6/21/2002! This capture was taken Monday 9/16/2002. So I have to now
believe that someone captured legitimate packets in June, and is now
crafting packets and using them to DoS <fileserver>. 

My questions: 
What should I be looking for here? What tool is likely being used to do
this, and how can I find its source? My site is a technical college;
students store files on <fileserver> but I don't know what to look for
there. Any help is GREATLY appreciated. Please email me directly at
[EMAIL PROTECTED] if you would like to see additional packet
captures or receive more info.


000001E0  73 09 43 61 63 68 65 09 30 0D 0A 31 34 37 2E 31  s.Cache.0..147.1
000001F0  30 30 2E 32 2E 32 36 09 53 41 43 4E 45 54 5C 4A  00.2.26.SACNET\J
00000200  65 6E 6E 69 66 65 72 2E 42 72 65 77 73 74 65 72  ennifer.Brewster
00000210  09 4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F  .Mozilla/4.0.(co
00000220  6D 70 61 74 69 62 6C 65 3B 20 4D 53 49 45 20 36  mpatible;.MSIE.6
00000230  2E 30 3B 20 57 69 6E 64 6F 77 73 20 4E 54 20 35  .0;.Windows.NT.5
00000240  2E 30 29 09 32 30 30 32 2D 30 36 2D 32 31 09 31  .0).2002-06-21.1
00000250  39 3A 33 38 3A 33 38 09 53 41 43 49 53 41 09 2D  9:38:38.SACISA.-
00000260  09 70 61 67 65 73 2E 65 62 61 79 2E 63 6F 6D 09  .pages.ebay.com.
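Added example (editor's code, not from the original post): it reassembles the bytes of the hex dump quoted above, splits them into the CRLF-terminated, tab-separated records they turn out to contain, and flags source/destination pairs that send bursts of fixed-size frames like the 1500-byte frames the post describes. The (timestamp, src, dst, length) frame tuples are an assumed, constructed shape rather than Netmon's export format; the decoded record (client IP, domain\user, user agent, date, time, server name, destination host) looks like a proxy log line, so one thing worth verifying is whether the ISA host writes log or other files to a share on the file server.

```python
import re
from collections import defaultdict

# Hex-dump excerpt as quoted in the post (offset column, then 16 bytes);
# the ASCII column is omitted because it is derived from the bytes.
DUMP = """\
000001E0  73 09 43 61 63 68 65 09 30 0D 0A 31 34 37 2E 31
000001F0  30 30 2E 32 2E 32 36 09 53 41 43 4E 45 54 5C 4A
00000200  65 6E 6E 69 66 65 72 2E 42 72 65 77 73 74 65 72
00000210  09 4D 6F 7A 69 6C 6C 61 2F 34 2E 30 20 28 63 6F
00000220  6D 70 61 74 69 62 6C 65 3B 20 4D 53 49 45 20 36
00000230  2E 30 3B 20 57 69 6E 64 6F 77 73 20 4E 54 20 35
00000240  2E 30 29 09 32 30 30 32 2D 30 36 2D 32 31 09 31
00000250  39 3A 33 38 3A 33 38 09 53 41 43 49 53 41 09 2D
00000260  09 70 61 67 65 73 2E 65 62 61 79 2E 63 6F 6D 09
"""

# 8-digit offset, whitespace, then up to 16 hex byte pairs
HEX_LINE = re.compile(r"^[0-9A-Fa-f]{8}\s+((?:[0-9A-Fa-f]{2}\s?){1,16})")

def dump_to_bytes(dump: str) -> bytes:
    """Reassemble the raw payload bytes from a Netmon-style hex dump."""
    out = bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line.strip())
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)

def records(payload: bytes) -> list[list[str]]:
    """Split the payload into CRLF-terminated, tab-separated records.
    The excerpt starts mid-record, so the first entry is a fragment."""
    return [r.decode("latin-1").split("\t") for r in payload.split(b"\r\n")]

def burst_sources(frames, size=1500, window=1.0, threshold=1000):
    """frames: iterable of (timestamp, src, dst, length) tuples (assumed
    shape). Return (src, dst) pairs that send more than `threshold`
    frames of exactly `size` bytes inside any `window`-second bucket,
    i.e. the flood signature described in the post."""
    buckets = defaultdict(int)
    for ts, src, dst, length in frames:
        if length == size:
            buckets[(src, dst, int(ts // window))] += 1
    return sorted({(s, d) for (s, d, _), n in buckets.items() if n > threshold})

if __name__ == "__main__":
    for rec in records(dump_to_bytes(DUMP)):
        print(rec)
```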

