DOS accusation

Posted on 2006-03-31
Last Modified: 2010-04-11
I received an email from my dedicated server provider requesting a reply regarding a complaint about a DOS attack from my server.

I was not aware of any such attack, but what do I do now?

Thank You
Question by:ed987
12 Comments
 
LVL 25

Expert Comment

by:Cyclops3590
ID: 16342613
First go through the logs. If you know what server it is, you should probably take it offline as well (although I understand this usually can't be done).

Does your provider say it's still doing a DOS or not? Could be your server has been compromised. If I were you, I'd make a backup of the system (data obviously, but logs too for later review), redo the server and get it back up. Update it, and harden it as much as possible.
LVL 4

Expert Comment

by:samb39
ID: 16343102
I know of a company that had a similar problem -- someone started sending out RCMP packets to break into a network, and their ISP asked them to prevent it. Their solution was to implement a much stronger firewall.

I thought firewalls were supposed to stop outgoing DOS attacks. These articles about "Reverse Firewalls" explain what I am thinking of, but they seem out of date. Does anyone know what the best modern solution is?

http://www.infoworld.com/articles/hn/xml/01/11/01/011101hncs3.html

http://www.cs3-inc.com/faq.html#11
LVL 33

Expert Comment

by:masnrock
ID: 16343173
You could hire a security expert if you wanted... but you might want to clone the HD so that you can look at it separately and try to analyze where things went wrong.

What protections were in place for the server BEFORE this happened?

Here's another link to look at for OS hardening: http://www.cisecurity.org
LVL 32

Expert Comment

by:r-k
ID: 16343859
Check your server for virus/worm infection.

Ask the ISP to provide at least a partial log that shows the evidence and nature of the attack, including dates and times.
LVL 27

Accepted Solution

by:
David-Howard earned 1500 total points
ID: 16343898
LVL 8

Expert Comment

by:nepostojeci_email
ID: 16344197
If you are an ISP provider:
You can check the logs of your customers' accesses to the internet, comparing them with the log that you were given (be aware of GMT and time zone differences, because this is a common mistake) :)

If you got a complaint about one certain server, you can try and check that machine for spyware/viruses/trojans/etc.

If it is a Windows machine:
You could check your system with HijackThis, upload your log at http://www.hijackthis.de/ and post the link of the uploaded log here for further assistance, to make sure your system is clean.
http://www.merijn.org/files/hijackthis.zip

Anyway, if the data contained in the complaint log you were given is not confidential, you can paste part of the log, or the entire log, here in order to be given further directions on what to check/do.
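nepostojeci_email's warning about GMT offsets is the step that most often goes wrong when an abuse complaint is compared against local logs: the complaint carries the complainant's offset, the server's syslog carries none, and matching them raw finds nothing. The following Python script is an added example, not code from this thread or from any tool named in it. It normalises both sides to UTC before matching; the complaint excerpt, the syslog lines, the addresses and the server's assumed UTC+1 zone are all constructed for the demonstration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed complaint excerpt as an ISP might forward it: timestamps carry
# the complainant's own UTC offset (here -0500). Addresses are documentation ranges.
COMPLAINT_LOG = """\
2006-03-30 21:14:03 -0500 src=203.0.113.10 dst=198.51.100.25 proto=icmp type=echo-request
2006-03-30 21:14:04 -0500 src=203.0.113.10 dst=198.51.100.25 proto=icmp type=echo-request
"""

# Constructed local server log in syslog style: no offset recorded, clock in the
# server's local zone, which we assume is UTC+1 for this example.
LOCAL_LOG = """\
Mar 31 03:14:03 srv1 kernel: OUT=eth0 SRC=203.0.113.10 DST=198.51.100.25 PROTO=ICMP TYPE=8
Mar 31 03:20:10 srv1 sshd[412]: Accepted password for admin from 192.0.2.7
"""
SERVER_TZ = timezone(timedelta(hours=1))

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], 1)}


def parse_complaint_line(line):
    """Complaint entries state their offset, so %z lets us normalise to UTC directly."""
    parts = line.split()
    when = datetime.strptime(" ".join(parts[:3]), "%Y-%m-%d %H:%M:%S %z").astimezone(timezone.utc)
    fields = dict(kv.split("=", 1) for kv in parts[3:])
    return when, fields.get("src"), fields.get("dst")


def parse_local_line(line, local_tz, year):
    """Syslog lines have no offset or year; attach the server's zone, then convert to UTC."""
    mon, day, clock = line.split()[:3]
    hour, minute, second = map(int, clock.split(":"))
    when = datetime(year, MONTHS[mon], int(day), hour, minute, second,
                    tzinfo=local_tz).astimezone(timezone.utc)
    src = re.search(r"SRC=(\S+)", line)
    dst = re.search(r"DST=(\S+)", line)
    return when, (src.group(1) if src else None), (dst.group(1) if dst else None)


def correlate(complaint_text, local_text, local_tz, year=2006, window=timedelta(seconds=5)):
    """Return (complaint_time_utc, local_line) pairs with the same src/dst within `window`."""
    local = [(parse_local_line(l, local_tz, year), l)
             for l in local_text.splitlines() if l.strip()]
    matches = []
    for line in complaint_text.splitlines():
        if not line.strip():
            continue
        c_when, c_src, c_dst = parse_complaint_line(line)
        for (l_when, l_src, l_dst), raw in local:
            if (c_src, c_dst) == (l_src, l_dst) and abs(l_when - c_when) <= window:
                matches.append((c_when.isoformat(), raw))
    return matches


if __name__ == "__main__":
    print("server zone applied:", len(correlate(COMPLAINT_LOG, LOCAL_LOG, SERVER_TZ)), "match(es)")
    # Treating the local clock as UTC is the "common mistake": the same lines then miss by an hour.
    print("local clock as UTC :", len(correlate(COMPLAINT_LOG, LOCAL_LOG, timezone.utc)), "match(es)")
```

The second call in the usage block shows the failure mode: with the server's clock treated as UTC, the kernel log line that actually corresponds to the complaint is an hour away and is never matched, which is exactly how an innocent-looking "we see nothing in our logs" reply to the ISP comes about.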
LVL 27

Expert Comment

by:David-Howard
ID: 16344501
I talked with my network engineer and he also recommends this free utility.
http://www.ethereal.com/
Easy interface to navigate. For the accusation made against you with respect to sending out packets, you will want to pay attention to this software's "Protocol" tab. Look for the ICMP (Ping diagnostic) field. The higher the number, the more traffic from your PC. :-)
LVL 24

Expert Comment

by:SunBow
ID: 16345369
Cyclops3590 > First go thru the logs.  If you know what server it is, you should probably take it off line as well (although I understand this usually can't be done).

Very good start.
Go offline, get a good firewall, fdisk & format - better safe than sorry; you do not want permanent loss of access

ed987 > dedicated server provider
 
Now I am confused. Is this a typo? Where is server?
If they provide server, they should also have a few protections around, such as for the firewall
LVL 51

Expert Comment

by:ahoffmann
ID: 16346365
>  i received an email from my ..
Can you 101% prove that the email is reliable?
If not, simply forget it and save your time ;-)
LVL 4

Expert Comment

by:SymShady
ID: 16350997
Run a sniffer (network traffic analyzer) to see if the traffic is actually coming from your server. Someone could be spoofing your address... ever heard of a Smurf attack? If you see an unusually high amount of outbound ICMP traffic coming from your machine then it's prolly DOSing. It could be a TCP flood; if that's the case, the netstat command from the command prompt would be helpful. Find out what IP address and, if you have the ability, block all outbound traffic to that IP at your perimeter.

Whatever you do, do not reply to the email (if it's not legit then it's prolly spoofed as well)... call your ISP and verify its validity. Be specific: ask them exactly what kind of traffic they are seeing. Tell them you want a packet capture from their end as well.

David-Howard recommended a good sniffer; you will also need to install ICAP in order to capture packets.

LVL 8

Expert Comment

by:nepostojeci_email
ID: 16351622
Also CommView and EtherDetect are good.

"Network Analyzer and Network Monitor - CommView"
http://www.tamos.com/products/commview/

"EtherDetect Packet Sniffer, Protocol Analyzer"
http://www.etherdetect.com/
LVL 23

Expert Comment

by:Tim Holman
ID: 16411741
www.ethereal.com and www.netlimiter.com will help you find the source. If you have a firewall, then ensure that only incoming traffic is permitted to this server, and anything outbound is restricted. You could do this at a local level too, and set up an IP filter via Control Panel/Network Card properties/Advanced etc.
It's unlikely to be a DOS attack; more likely your server is infected with a virus and is exhibiting DOS-like symptoms.
Run a thorough AV scan on this server, and download/run MBSA 2.0 to ensure it's sufficiently patched to defend against future intrusion.

http://www.microsoft.com/technet/security/tools/mbsa2/default.mspx
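SymShady's advice (look for an unusually high volume of outbound ICMP or TCP SYNs from your own address, then block outbound traffic to that destination) and Tim Holman's point about restricting what leaves the server can be turned into a repeatable check over a sniffer's output. The following Python script is an added example, not code from this thread or from Ethereal, NetLimiter or any other tool named above. The packet summary lines, the addresses, the per-second thresholds and the iptables egress rule it prints are all constructed assumptions for the demonstration; a real capture would be exported from the sniffer in whatever one-line-per-packet format it offers and fed to the same function.

```python
from collections import Counter

# Constructed per-packet summary lines "time src dst proto info", shaped like a
# sniffer's one-line-per-packet export. Addresses are documentation ranges; none
# of this is real capture data. OUR_IP is the server that received the complaint.
OUR_IP = "203.0.113.10"
NORMAL = [
    "10:00:00.120 203.0.113.10 192.0.2.53 UDP dns-query",
    "10:00:00.131 192.0.2.53 203.0.113.10 UDP dns-response",
    "10:00:00.400 198.51.100.7 203.0.113.10 TCP SYN",
    "10:00:00.401 203.0.113.10 198.51.100.7 TCP SYN-ACK",
    "10:00:01.250 203.0.113.10 192.0.2.53 UDP dns-query",
    "10:00:02.900 203.0.113.10 203.0.113.1 ICMP echo-request",
    "10:00:02.901 203.0.113.1 203.0.113.10 ICMP echo-reply",
]
# The symptom the thread describes: a burst of echo-requests to one host inside a
# single second, followed by a SYN storm to another host.
FLOOD = ([f"10:00:05.{i:03d} 203.0.113.10 198.51.100.25 ICMP echo-request" for i in range(300)]
         + [f"10:00:06.{i:03d} 203.0.113.10 198.51.100.80 TCP SYN" for i in range(200)])
PACKETS = NORMAL + FLOOD


def parse(line):
    """Split one summary line; the timestamp is truncated to whole seconds for bucketing."""
    stamp, src, dst, proto, info = line.split(maxsplit=4)
    return stamp.split(".")[0], src, dst, proto, info


def find_outbound_floods(lines, our_ip, icmp_pps=50, syn_pps=50):
    """Count outbound echo-requests and SYNs per (second, destination); flag buckets over threshold.

    Only packets whose source is our own address count. If the provider's evidence
    names our address but a capture taken on the box shows nothing like this, the
    address is being spoofed from elsewhere (the Smurf case SymShady mentions).
    """
    icmp, syn = Counter(), Counter()
    for line in lines:
        sec, src, dst, proto, info = parse(line)
        if src != our_ip:
            continue
        if proto == "ICMP" and info == "echo-request":
            icmp[(sec, dst)] += 1
        elif proto == "TCP" and info == "SYN":
            syn[(sec, dst)] += 1
    return {
        "icmp_flood": [(sec, dst, n) for (sec, dst), n in sorted(icmp.items()) if n >= icmp_pps],
        "syn_flood": [(sec, dst, n) for (sec, dst), n in sorted(syn.items()) if n >= syn_pps],
    }


def block_rule(dst):
    """Emergency egress rule for a flagged destination, assuming a Linux host with iptables.

    It stops the traffic while the box is investigated; it does not clean the box.
    """
    return f"iptables -A OUTPUT -d {dst} -j DROP"


if __name__ == "__main__":
    findings = find_outbound_floods(PACKETS, OUR_IP)
    for kind, hits in findings.items():
        for sec, dst, n in hits:
            print(f"{kind}: {n} packets to {dst} during {sec}  ->  {block_rule(dst)}")
```

The thresholds are deliberately low so the constructed burst trips them; on a real server set them from a baseline of the box's normal traffic. The per-destination grouping is what turns "lots of ICMP" into a concrete address to hand to the ISP and to put in the egress rule, and a capture that shows no such bursts at all is itself evidence worth sending back to them.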