DOS accusation

Posted on 2006-03-31
Last Modified: 2010-04-11
I received an email from my dedicated server provider requesting a reply regarding a complaint about a DOS attack from my server.

I was not aware of any such attack, but what do I do now?

Thank you
Question by: ed987
    LVL 25

    Expert Comment

    First go through the logs.  If you know what server it is, you should probably take it offline as well (although I understand this usually can't be done).

    Does your provider say it's still doing a DOS or not?  Could be your server has been compromised.  If I were you, I'd make a backup of the system (data obviously, but also logs for later review), redo the server and get it back up.  Update it, and harden it as much as possible.
    LVL 4

    Expert Comment

    I know of a company that had a similar problem -- someone started sending out ICMP packets to break into a network, and their ISP asked them to prevent it.  Their solution was to implement a much stronger firewall.

    I thought firewalls were supposed to stop outgoing DOS attacks.  These articles about "Reverse Firewalls" explain what I am thinking of, but they seem out of date.  Does anyone know what the best modern solution is?
    LVL 18

    Expert Comment

    You could hire a security expert if you wanted... but you might want to clone the HD so that you can look at it separately and try to analyze where things went wrong.

    What protections were in place for the server BEFORE this happened?

    Here's another link to look at for OS hardening:
    LVL 32

    Expert Comment

    Check your server for virus/worm infection.

    Ask the ISP to provide at least a partial log that shows the evidence and nature of the attack, including dates and times.
    LVL 27

    Accepted Solution

    LVL 8

    Expert Comment

    If you are an ISP provider:
    You can check the logs of your customers' accesses to the internet,
    comparing them with the log that you were given (be aware of the GMT
    and time difference, because this is a common mistake) :)

    If you got a complaint about one certain server, you can try and check
    that machine for spyware/viruses/trojans/etc.

    If it is a Windows machine:
    You could check your system with HijackThis, upload your log at and post the link of the uploaded log here,
    for further assistance, to make sure your system is clean.

    Anyway, if the data contained in the complaint log you were given is
    not confidential, you can paste part of the log, or the entire log, here
    in order to be given further directions on what to check/do.
    LVL 27

    Expert Comment

    I talked with my network engineer and he also recommends this free utility.
    Easy interface to navigate. For the accusation made against you with respect to sending out packets, you will want
    to pay attention to this software's "Protocol" tab. Look for the ICMP (Ping diagnostic) field. The higher the number,
    the more traffic from your PC. :-)
    LVL 24

    Expert Comment

    Cyclops3590 > First go thru the logs.  If you know what server it is, you should probably take it off line as well (although I understand this usually can't be done).

    Very good start.
    Go offline, get a good firewall, fdisk & format - better safe than sorry, you do not want permanent loss of access.

    ed987 > dedicated server provider
    Now I am confused. Is this a typo? Where is the server?
    If they provide the server, they should also have a few protections around, such as a firewall.
    LVL 51

    Expert Comment

    >  i received an email from my ..
    Can you 101% prove that the email is reliable?
    If not, simply forget it and save your time ;-)
    LVL 4

    Expert Comment

    Run a sniffer (network traffic analyzer) to see if the traffic is actually coming from your server.  Someone could be spoofing your address... ever heard of a Smurf attack?  If you see an unusually high amount of outbound ICMP traffic coming from your machine then it's probably DOSing.  It could be a TCP flood; if that's the case, the netstat command from the command prompt would be helpful.  Find out what IP address and, if you have the ability, block all outbound traffic to that IP at your perimeter.

    Whatever you do, do not reply to the email (if it's not legit then it's probably spoofed as well); your ISP and verify its validity.  Be specific: ask them exactly what kind of traffic they are seeing.  Tell them you want a packet capture from their end as well.

    David-Howard recommended a good sniffer; you will also need to install ICAP in order to capture packets.
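The two checks the thread keeps coming back to, comparing the ISP's complaint window (given in GMT) against the server's own log and counting outbound ICMP echo requests and TCP SYNs per destination, put together as an added example; this is not code from the thread or from any of the tools named here. The log format, the server address, the UTC offset and the threshold are all assumptions.

```python
# Added example (not from the thread): normalise an ISP complaint window given in
# GMT to the server's local clock, then flag destinations that received an
# unusually high count of outbound ICMP echo requests or TCP SYNs in that window.
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed log lines in a simplified, made-up flow format (not any real tool's):
# <local date> <local time> <proto> <src> -> <dst[:port]> <info>
SAMPLE_LOG = """\
2006-03-30 22:00:01 ICMP 192.0.2.10 -> 198.51.100.5 echo-request
2006-03-30 22:00:01 ICMP 192.0.2.10 -> 198.51.100.5 echo-request
2006-03-30 22:00:02 ICMP 192.0.2.10 -> 198.51.100.5 echo-request
2006-03-30 22:00:02 TCP 192.0.2.10 -> 203.0.113.7:80 SYN
2006-03-30 22:00:03 TCP 192.0.2.10 -> 203.0.113.7:80 SYN
2006-03-30 22:00:03 TCP 192.0.2.10 -> 203.0.113.7:80 SYN
2006-03-30 22:00:04 TCP 192.0.2.10 -> 203.0.113.9:443 SYN
2006-03-30 21:00:00 ICMP 192.0.2.10 -> 198.51.100.5 echo-request
"""

SERVER_IP = "192.0.2.10"                # assumed address of the accused server
LOCAL_UTC_OFFSET = timedelta(hours=-5)  # assumed: server logs local time at UTC-5


def to_local(gmt_str):
    """Convert a complaint timestamp given in GMT to the server's local clock."""
    gmt = datetime.strptime(gmt_str, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return (gmt + LOCAL_UTC_OFFSET).replace(tzinfo=None)


def parse_line(line):
    """Split one constructed log line into (timestamp, proto, src, dst_ip, info)."""
    date, time, proto, src, _, dst, info = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return ts, proto, src, dst.split(":")[0], info


def suspicious_destinations(log, start_gmt, end_gmt, threshold=3):
    """Count outbound ICMP echo requests and TCP SYNs from SERVER_IP per destination
    inside the complaint window; return the (proto, dst) pairs at or above threshold."""
    start, end = to_local(start_gmt), to_local(end_gmt)
    counts = Counter()
    for line in log.splitlines():
        ts, proto, src, dst, info = parse_line(line)
        if src != SERVER_IP or not (start <= ts <= end):
            continue  # inbound traffic or outside the window the ISP reported
        if (proto == "ICMP" and info == "echo-request") or (proto == "TCP" and info == "SYN"):
            counts[(proto, dst)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}
```

Any destination the function returns is the one to ask the ISP to confirm against their own capture, and to consider blocking outbound at the perimeter as the comment above suggests.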

    LVL 8

    Expert Comment

    Also CommView and EtherDetect are good.

    "Network Analyzer and Network Monitor - CommView"

    "EtherDetect Packet Sniffer, Protocol Analyzer"
    LVL 23

    Expert Comment

    by: Tim Holman and will help you find the source.  If you have a firewall, then ensure that only incoming traffic is permitted to this server, and anything outbound is restricted.  You could do this at a local level too, and set up an IP filter via Control Panel/Network Card properties/Advanced etc.
    It's unlikely to be a DOS attack; more likely your server is infected with a virus and is exhibiting DOS-like symptoms.
    Run a thorough AV scan on this server, and download/run MSBA 2.0 to ensure it's sufficiently patched to defend against future intrusion.
