DOS accusation

I received an email from my dedicated server provider requesting a reply regarding a complaint about a DOS attack from my server.

I was not aware of any such attack, but what do I do now?

Thank You
ed987 asked:

Cyclops3590Commented:
First go through the logs. If you know what server it is, you should probably take it offline as well (although I understand this usually can't be done).

Does your provider say it's still doing a DOS or not? Could be your server has been compromised. If I were you, I'd make a backup of the system (data obviously, but also logs for later review), redo the server and get it back up. Update it, and harden it as much as possible.
0
samb39Commented:
I know of a company that had a similar problem -- someone started sending out RCMP packets to break into a network, and their ISP asked them to prevent it. Their solution was to implement a much stronger firewall.

I thought firewalls were supposed to stop outgoing DOS attacks.  These articles about "Reverse Firewalls" explain what I am thinking of, but they seem out of date.  Does anyone know what the best modern solution is?

http://www.infoworld.com/articles/hn/xml/01/11/01/011101hncs3.html

http://www.cs3-inc.com/faq.html#11
0
masnrockCommented:
You could hire a security expert if you wanted... but you might want to clone the HD so that you can look at it separately and try to analyze where things went wrong.

What protections were in place for the server BEFORE this happened?

Here's another link to look at for OS hardening: http://www.cisecurity.org
0

r-kCommented:
Check your server for virus/worm infection.

Ask the ISP to provide at least a partial log that shows the evidence and nature of the attack, including dates and times.
0
David-HowardCommented:
0

nepostojeci_emailCommented:
If you are an ISP provider:
You can check the logs of your customers' accesses to the internet, comparing them with the log that you were given (be aware of GMT and the time difference, because this is a common mistake) :)

If you got a complaint about one certain server, you can try and check that machine for spyware/viruses/trojans/etc.

If it is a Windows machine:
You could check your system with HijackThis, and upload your log at http://www.hijackthis.de/ and post the link of the uploaded log here, for further assistance, to make sure your system is clean.
http://www.merijn.org/files/hijackthis.zip

Anyway, if the data contained in the complaint log you were given is not confidential, you can paste part of the log, or the entire log, here in order to be given further directions on what to check/do.
0
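The timezone pitfall mentioned above (the ISP's abuse report is usually stamped in GMT/UTC while the server's own logs are in local time) is easy to get wrong when correlating the two. The following is an added example, not code from the original thread or from any of the participants: it parses a constructed ISP complaint extract and a constructed local outbound firewall log, converts both to UTC using an assumed local offset of UTC-5, and counts local outbound events matching each complaint entry within a two-minute window. Running the same correlation with the wrong offset (0) produces no matches at all, which is exactly the "common mistake" the post warns about. The log formats, addresses (documentation ranges) and the offset are all assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of what an ISP abuse desk might send (timestamps in GMT/UTC).
ISP_COMPLAINT = """\
2005-03-14 02:15:00 UTC src=203.0.113.5 dst=198.51.100.7 proto=ICMP type=8 pkts=12000
2005-03-14 02:16:00 UTC src=203.0.113.5 dst=198.51.100.7 proto=ICMP type=8 pkts=11800
"""

# Constructed local firewall log from the accused server, written in local time.
LOCAL_LOG = """\
2005-03-13 21:15:02 OUT icmp 203.0.113.5 -> 198.51.100.7 echo-request
2005-03-13 21:15:02 OUT icmp 203.0.113.5 -> 198.51.100.7 echo-request
2005-03-13 21:30:00 OUT tcp 203.0.113.5:4412 -> 192.0.2.10:80 SYN
"""

LOCAL_UTC_OFFSET_HOURS = -5  # assumption: the server's clock runs in UTC-5


def parse_isp(text):
    """Parse the ISP extract; its timestamps are explicitly UTC."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        ts = ts.replace(tzinfo=timezone.utc)
        kv = dict(p.split("=", 1) for p in parts[3:])
        rows.append({"ts": ts, **kv})
    return rows


def parse_local(text, offset_hours):
    """Parse the local log and normalise every timestamp to UTC."""
    tz = timezone(timedelta(hours=offset_hours))
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        ts = ts.replace(tzinfo=tz).astimezone(timezone.utc)
        rows.append({"ts": ts, "dir": parts[2], "proto": parts[3],
                     "src": parts[4], "dst": parts[6]})
    return rows


def correlate(isp_rows, local_rows, window=timedelta(minutes=2)):
    """For each ISP entry, count local OUTbound events with the same
    protocol and destination inside +/- window. Returns a list of
    (isp_timestamp_iso, destination, matching_local_events)."""
    result = []
    for r in isp_rows:
        hits = [l for l in local_rows
                if l["dir"] == "OUT"
                and l["proto"].lower() == r["proto"].lower()
                and l["dst"] == r["dst"]
                and abs(l["ts"] - r["ts"]) <= window]
        result.append((r["ts"].isoformat(), r["dst"], len(hits)))
    return result


if __name__ == "__main__":
    isp = parse_isp(ISP_COMPLAINT)
    for row in correlate(isp, parse_local(LOCAL_LOG, LOCAL_UTC_OFFSET_HOURS)):
        print("correct offset :", row)
    for row in correlate(isp, parse_local(LOCAL_LOG, 0)):
        print("offset ignored :", row)
```

A zero match count with the correct offset is itself useful evidence: it suggests either that the logging on the server missed the traffic or that the address was spoofed, which is worth raising with the ISP together with a request for their packet capture.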
David-HowardCommented:
I talked with my network engineer and he also recommends this free utility.
http://www.ethereal.com/
Easy interface to navigate. For the accusation made against you with respect to sending out packets, you will want to pay attention to this software's "Protocol" tab. Look for the ICMP (Ping diagnostic) field. The higher the number, the more traffic from your PC. :-)
0
SunBowCommented:
Cyclops3590 > First go through the logs. If you know what server it is, you should probably take it offline as well (although I understand this usually can't be done).

Very good start.
Go offline, get a good firewall, fdisk & format - better safe than sorry, you do not want permanent loss of access.

ed987 > dedicated server provider

Now I am confused. Is this a typo? Where is the server?
If they provide the server, they should also have a few protections around, such as for the firewall.
0
ahoffmannCommented:
> I received an email from my ..
can you 101% prove that the email is reliable?
if not simply forget it and save your time ;-)
0
SymShadyCommented:
Run a sniffer (network traffic analyzer) to see if the traffic is actually coming from your server. Someone could be spoofing your address... ever heard of a SMURF attack? If you see an unusually high amount of outbound ICMP traffic coming from your machine then it's probably DOSing. It could be a TCP flood; if that's the case, the netstat command from the command prompt would be helpful. Find out what IP address and, if you have the ability, block all outbound traffic to that IP at your perimeter.

Whatever you do, do not reply to the email (if it's not legit then it's probably spoofed as well)... call your ISP and verify its validity. Be specific: ask them exactly what kind of traffic they are seeing. Tell them you want a packet capture from their end as well.

David-Howard recommended a good sniffer; you will also need to install ICAP in order to capture packets.

0
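The two symptoms the post above tells you to look for in a capture (a burst of outbound ICMP echo requests, or a burst of SYNs to one destination) can be checked mechanically once the sniffer has produced a text summary. The block below is an added example, not code from the thread or from any of the tools it recommends: it reads a constructed one-second capture written in tcpdump-like notation, keeps only packets whose source is the accused server, and reports per-second ICMP echo counts and per-destination SYN counts that exceed assumed thresholds. The server address, thresholds and capture contents are all constructed for the example.

```python
import re
from collections import Counter, defaultdict

SERVER_IP = "203.0.113.5"  # assumption: the accused server (documentation range)

# Constructed capture summary, tcpdump-like notation, about one second of traffic:
# 600 outbound echo requests, 300 outbound SYNs to one web server, plus two
# unrelated packets (an inbound SYN-ACK and a single outbound SYN to a mail host).
CAPTURE = "\n".join(
    [f"02:15:00.{i:06d} IP 203.0.113.5 > 198.51.100.7: ICMP echo request, id 7, seq {i}, length 64"
     for i in range(600)]
    + [f"02:15:00.{i:06d} IP 203.0.113.5.{40000 + i} > 192.0.2.10.80: Flags [S], seq {i}, win 65535, length 0"
       for i in range(300)]
    + ["02:15:00.900000 IP 192.0.2.10.80 > 203.0.113.5.40001: Flags [S.], seq 1, ack 2, win 8192, length 0",
       "02:15:00.950000 IP 203.0.113.5.4412 > 198.51.100.25.25: Flags [S], seq 9, win 65535, length 0"]
)

# Time (to the second), source endpoint, destination endpoint, and the two packet
# kinds we care about. Anything else (SYN-ACK, data, ARP) is ignored.
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d)\.\d+ IP (\S+) > (\S+?): (ICMP echo request|Flags \[S\])")


def host_of(endpoint):
    """Strip the trailing .port from 'a.b.c.d.port'; bare ICMP addresses stay as they are."""
    if endpoint.count(".") == 4:
        return endpoint.rsplit(".", 1)[0]
    return endpoint


def analyze(capture, server_ip, icmp_rate=100, syn_rate=50):
    """Return findings as (kind, second, destination, count) for every second in
    which outbound echo requests reach icmp_rate or outbound SYNs to a single
    destination reach syn_rate. Only packets originated by server_ip count."""
    icmp_per_sec = Counter()
    syn_per_sec_dst = defaultdict(Counter)
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sec, src, dst, kind = m.groups()
        if host_of(src) != server_ip:
            continue  # inbound or third-party traffic is not our server's doing
        if kind.startswith("ICMP"):
            icmp_per_sec[sec] += 1
        else:
            syn_per_sec_dst[sec][host_of(dst)] += 1

    findings = []
    for sec, n in icmp_per_sec.items():
        if n >= icmp_rate:
            findings.append(("icmp_echo_flood", sec, None, n))
    for sec, dsts in syn_per_sec_dst.items():
        for dst, n in dsts.items():
            if n >= syn_rate:
                findings.append(("syn_flood", sec, dst, n))
    return sorted(findings, key=lambda f: (f[0], f[1], f[2] or ""))


if __name__ == "__main__":
    for finding in analyze(CAPTURE, SERVER_IP):
        print(finding)
```

If the ISP reports the flood but a capture taken on the server itself shows nothing from `SERVER_IP`, that gap supports the spoofing explanation; if the capture does show it, the destination in the `syn_flood` finding is the address to block outbound at the perimeter while the machine is rebuilt.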
nepostojeci_emailCommented:
Also CommView and EtherDetect are good.

"Network Analyzer and Network Monitor - CommView"
http://www.tamos.com/products/commview/

"EtherDetect Packet Sniffer, Protocol Analyzer"
http://www.etherdetect.com/
0
Tim HolmanCommented:
www.ethereal.com and www.netlimiter.com will help you find the source. If you have a firewall, then ensure that only incoming traffic is permitted to this server, and anything outbound is restricted. You could do this at a local level too, and set up an IP filter via Control Panel/Network Card properties/Advanced etc.
It's unlikely to be a DOS attack; more likely your server is infected with a virus and is exhibiting DOS-like symptoms.
Run a thorough AV scan on this server, and download/run MBSA 2.0 to ensure it's sufficiently patched to defend against future intrusion.

http://www.microsoft.com/technet/security/tools/mbsa2/default.mspx
0