Jeremie

There are a few ways to investigate a suspected DoS attack.
First and foremost, you want to take a peek at your incoming connections.  

Do you see a large influx of incoming traffic? 
If so - are you able to identify where it is coming from?

Chances are if you know where it is coming from you can simply ask your 
provider to null route the traffic ahead of you.


Commands like netstat -na  can be a great friend in these cases if you have the 
ability to place something in between the connections. 

I personally love PFSense for this reason.   PFSense can operate as a 
transparent firewall (and many other things...).   But for free, it is an 
excellent tool - it loads on virtually any x86 system with 2 NICs. 

Anyhow - folks that do DoS or DDoS (Distributed Denial of Service) generally 
attack port 80 as well as mail ports. 
Many WISPs will keep port 80 open to the general public so they can reach the 
radios' configuration windows. 

While it is not something I would suggest - for a variety of reasons - chances 
are port 80 on a customer's radio is what is getting whacked. 

Generally DDoS comes in as UDP packets to other ports - simply because of how 
UDP works, it does not cause them as much of an issue as it would you.   

So - a few commands might help here. 

# count current TCP connections involving port 80, grouped by remote IP
netstat -nt | grep ':80 ' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n


You can change the 80 above to any port you wish, such as 25 for SMTP, 53 for 
DNS/named, etc. 

This should show you the # of connections from a specific IP. 
If you have a small # of connections from a very large number of IP addresses, 
then chances are you might be under DDoS. 

If there are a very large # of connections from just a few IPs, then it should 
be simple enough to ask the ISP to block or null route those IP addresses. 

One last note - 

You might want to check the IPs against nslookup or use the DNSStuff.com 
toolset. 
I have helped a few through these over the years, and when they block the DNS 
servers many folks use, like 208.67.222.222 or 8.8.8.8, it really stinks for 
folks... for sure. 

So you want to make sure you are blocking the right thing of course. 

Are you running anything like NTOP?  There are a few simple things to have in 
place to watch incoming traffic when needed vs. hoping that it goes away... 

Kick back to me if you're lost - and we can go off list for some help. 

Glenn 



On Aug 2, 2010, at 9:56 AM, Jeremie Chism wrote:

> I noticed on Friday that everything I had seemed very slow. I went through 
> checking the usual things and found no problem.  After digging into 
> everything I could put my hands on, I resorted to calling my upstream to see 
> if they noticed any problems.  They of course said no.  At 4:30 that afternoon 
> I got a call from one of their "engineers" stating that they had experienced 
> a DOS attack that was affecting certain customers.  They made some changes 
> and it actually seemed to work better than before.  Even my latency times had 
> dropped.  Today the problem seems to be creeping back to the same way it was 
> Friday.  My question is, is there a way to determine in the future that this 
> is happening?  Is there something specific that would lead me to the 
> conclusion that in fact that is what is going on?  
> 
> -- 
> Jeremie Chism
> TritonDataLink
> 
> 
> --------------------------------------------------------------------------------
> WISPA Wants You! Join today!
> http://signup.wispa.org/
> --------------------------------------------------------------------------------
> 
> WISPA Wireless List: wireless@wispa.org
> 
> Subscribe/Unsubscribe:
> http://lists.wispa.org/mailman/listinfo/wireless
> 
> Archives: http://lists.wispa.org/pipermail/wireless/

_____________________________________________________________________________________
Glenn Kelley | Principal | HostMedic | www.HostMedic.com 
  Email: gl...@hostmedic.com
Please don't print this e-mail unless you really need to.


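The triage Glenn describes in his reply (count connections per remote IP, decide whether you are looking at a few heavy sources or many light ones, and check the IPs before asking the upstream for a null route so a public resolver does not get blocked) as an added example; this is not code from the original post or from any WISPA member. It is a POSIX sh script that parses `netstat -nt` style output. The sample netstat output, the resolver allowlist and the "concentrated vs. distributed" thresholds are constructed assumptions, and the address parsing handles IPv4 only (IPv6 `addr:port` would need different splitting).

```shell
#!/bin/sh
# Added example, not from the original post: turn `netstat -nt` output into a
# per-remote-IP connection count, classify the pattern, and check candidates
# against a list of public resolvers before handing them to the upstream for a
# null route. IPv4 only; the thresholds below are assumptions, not rules.

# Constructed sample of `netstat -nt` output (not real traffic).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:80           198.51.100.7:51012      ESTABLISHED
tcp        0      0 192.0.2.10:80           198.51.100.7:51013      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51014      SYN_RECV
tcp        0      0 192.0.2.10:80           198.51.100.7:51015      SYN_RECV
tcp        0      0 192.0.2.10:80           203.0.113.45:40001      ESTABLISHED
tcp        0      0 192.0.2.10:80           203.0.113.46:40002      ESTABLISHED
tcp        0      0 192.0.2.10:22           203.0.113.99:55555      ESTABLISHED
tcp        0      0 192.0.2.10:34567        8.8.8.8:53              ESTABLISHED
tcp        0      0 192.0.2.10:34568        8.8.8.8:53              TIME_WAIT
tcp        0      0 192.0.2.10:34569        8.8.8.8:53              TIME_WAIT
tcp        0      0 192.0.2.10:34570        208.67.222.222:53       TIME_WAIT'

# Public resolvers that customers depend on; blocking these hurts everyone.
# Constructed allowlist (assumption): extend with whatever your customers use.
RESOLVER_ALLOWLIST="8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220"

# count_by_remote_ip PORT  < netstat output
# Prints "<count> <remote-ip>", ascending, for sockets whose local OR remote
# port is PORT (the same thing `grep :PORT` matched in the original one-liner).
count_by_remote_ip() {
    awk -v port="$1" '
        $1 ~ /^(tcp|udp)/ {
            n = split($4, l, ":"); lport = l[n]
            m = split($5, r, ":"); rip = r[1]; rport = r[m]   # IPv4 a.b.c.d:port only
            if (lport == port || rport == port) count[rip]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -n
}

# classify  < "count ip" lines
# "concentrated": one source holds at least half the connections - a null route
#   on that IP is cheap and effective.
# "distributed": many sources with only a couple of connections each - this is
#   what a DDoS looks like; no single IP is worth blocking.
# Thresholds (half of total; 10+ sources averaging under 3) are assumptions.
classify() {
    awk 'BEGIN { max = 0 }
         { total += $1; n++; if ($1 > max) max = $1 }
         END {
             if (n == 0)                        print "quiet"
             else if (max >= total / 2)         print "concentrated"
             else if (n >= 10 && total / n < 3) print "distributed"
             else                               print "mixed"
         }'
}

# flag_sources THRESHOLD  < "count ip" lines
# Prints IPs with at least THRESHOLD connections that are safe to report to the
# upstream. Allowlisted resolvers are warned about on stderr and never printed,
# so they cannot end up in a block request by accident.
flag_sources() {
    threshold="$1"
    while read -r count ip; do
        [ "$count" -ge "$threshold" ] || continue
        case " $RESOLVER_ALLOWLIST " in
            *" $ip "*) echo "WARNING: $ip is a public resolver ($count conns); not flagging" >&2 ;;
            *)         echo "$ip" ;;
        esac
    done
}

# Live use:  netstat -nt | count_by_remote_ip 80 | flag_sources 50
# Demo against the constructed sample:
printf '%s\n' "$SAMPLE_NETSTAT" | count_by_remote_ip 80 | classify        # concentrated
printf '%s\n' "$SAMPLE_NETSTAT" | count_by_remote_ip 80 | flag_sources 3  # 198.51.100.7
printf '%s\n' "$SAMPLE_NETSTAT" | count_by_remote_ip 53 | flag_sources 3  # warns about 8.8.8.8
```

On a live box, pipe real `netstat -nt` output into the functions instead of the sample, and raise the threshold passed to `flag_sources` to something well above your normal per-client connection count so that a busy legitimate NAT gateway is not mistaken for an attacker.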