
DOS accusation

ed987 asked (Medium Priority, 187 Views)
Last Modified: 2010-04-11
I received an email from my dedicated server provider requesting a reply regarding a complaint about a DOS attack from my server.

I was not aware of any such attack, but what do I do now?

Thank You

Cyclops3590 (Sr Software Engineer, Certified Expert)

Commented:
First go through the logs.  If you know what server it is, you should probably take it offline as well (although I understand this usually can't be done).

Does your provider say it's still doing a DOS or not?  Could be your server has been compromised.  If I were you, I'd make a backup of the system (data obviously, but logs for later review), redo the server and get it back up.  Update it, and harden it as much as possible.

Commented:
I know of a company that had a similar problem -- someone started sending out RCMP packets to break into a network, and their ISP asked them to prevent it.  Their solution was to implement a much stronger firewall.

I thought firewalls were supposed to stop outgoing DOS attacks.  These articles about "Reverse Firewalls" explain what I am thinking of, but they seem out of date.  Does anyone know what the best modern solution is?

http://www.infoworld.com/articles/hn/xml/01/11/01/011101hncs3.html

http://www.cs3-inc.com/faq.html#11
Certified Expert, Distinguished Expert 2019

Commented:
You could hire a security expert if you wanted... but you might want to clone the HD so that you can look at it separately and try to analyze where things went wrong.

What protections were in place for the server BEFORE this happened?

Here's another link to look at for OS hardening: http://www.cisecurity.org
r-k

Commented:
Check your server for virus/worm infection.

Ask the ISP to provide at least a partial log that shows the evidence and nature of the attack, including dates and times.

If you are an ISP provider:
You can check the logs of your customers' accesses to the internet, comparing them with the log that you were given (be aware of GMT and time differences, because this is a common mistake) :)

If you got a complaint about one certain server, you can try and check that machine for spyware/viruses/trojans/etc.

If it is a Windows machine:
You could check your system with HijackThis, upload your log at http://www.hijackthis.de/ and post the link of the uploaded log here for further assistance, to make sure your system is clean.
http://www.merijn.org/files/hijackthis.zip

Anyway, if the data contained in the complaint log you were given is not confidential, you can paste part of the log, or the entire log, here in order to be given further directions on what to check/do.
I talked with my network engineer and he also recommends this free utility.
http://www.ethereal.com/
Easy interface to navigate. For the accusation made against you with respect to sending out packets, you will want to pay attention to this software's "Protocol" tab. Look for the ICMP (Ping diagnostic) field. The higher the number, the more traffic from your PC. :-)

Commented:
Cyclops3590 > First go through the logs.  If you know what server it is, you should probably take it offline as well (although I understand this usually can't be done).

Very good start.
Go offline, get a good firewall, fdisk & format - better safe than sorry, you do not want permanent loss of access.

ed987 > dedicated server provider

Now I am confused. Is this a typo? Where is the server?
If they provide the server, they should also have a few protections around, such as for the firewall.
> i received an email from my ..
Can you 101% prove that the email is reliable?
If not, simply forget it and save your time ;-)

Commented:
Run a sniffer (network traffic analyzer) to see if the traffic is actually coming from your server.  Someone could be spoofing your address... ever heard of a SMURF attack?  If you see an unusually high amount of outbound ICMP traffic coming from your machine then it's probably DOSing.  It could be a TCP flood; if that's the case, the netstat command from the command prompt would be helpful.  Find out what IP address and, if you have the ability, block all outbound traffic to that IP at your perimeter.

Whatever you do, do not reply to the email (if it's not legit then it's probably spoofed as well)... call your ISP and verify its validity.  Be specific: ask them exactly what kind of traffic they are seeing.  Tell them you want a packet capture from their end as well.

David-Howard recommended a good sniffer; you will also need to install ICAP in order to capture packets.

Also CommView and EtherDetect are good.

"Network Analyzer and Network Monitor - CommView"
http://www.tamos.com/products/commview/

"EtherDetect Packet Sniffer, Protocol Analyzer"
http://www.etherdetect.com/
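An added example (not code from any of the posters) of the check described in the comments above: count outbound ICMP per destination inside the ISP's complaint window, after normalising the server's local timestamps to GMT/UTC as the earlier comment warns, and list the destinations worth blocking outbound while the box is investigated. The log format, addresses, window and threshold are all constructed for the example.

```python
from collections import Counter
from datetime import datetime, timezone

# Constructed sample of the accused server's outbound traffic log, one packet per
# line, timestamped in the server's local zone (UTC-5): "<ISO time> <proto> <src> -> <dst>".
SAMPLE_LOG = """\
2010-04-10T22:00:01-05:00 ICMP 203.0.113.10 -> 198.51.100.7
2010-04-10T22:00:02-05:00 ICMP 203.0.113.10 -> 198.51.100.7
2010-04-10T22:00:02-05:00 TCP 203.0.113.10 -> 192.0.2.44
2010-04-10T22:00:03-05:00 ICMP 203.0.113.10 -> 198.51.100.7
2010-04-10T22:00:03-05:00 ICMP 203.0.113.10 -> 198.51.100.7
2010-04-10T22:00:04-05:00 ICMP 203.0.113.10 -> 198.51.100.7
2010-04-10T22:00:05-05:00 ICMP 203.0.113.10 -> 192.0.2.44
2010-04-10T22:01:00-05:00 TCP 203.0.113.10 -> 192.0.2.44
2010-04-10T22:15:00-05:00 ICMP 203.0.113.10 -> 198.51.100.7
"""

# Constructed complaint window as an ISP would quote it, in GMT/UTC.
WINDOW_START = datetime(2010, 4, 11, 3, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2010, 4, 11, 3, 10, tzinfo=timezone.utc)

def parse_line(line):
    """Split one log line and convert its timestamp to UTC so it can be
    compared with the ISP's window regardless of the server's local offset."""
    ts, proto, src, _arrow, dst = line.split()
    return datetime.fromisoformat(ts).astimezone(timezone.utc), proto, src, dst

def outbound_by_dest(log, start, end, proto="ICMP"):
    """Count outbound packets of one protocol per destination inside [start, end)."""
    counts = Counter()
    for line in log.splitlines():
        if not line.strip():
            continue
        when, pkt_proto, _src, dst = parse_line(line)
        if pkt_proto == proto and start <= when < end:
            counts[dst] += 1
    return counts

def suspect_destinations(counts, threshold):
    """Destinations that received at least `threshold` packets in the window:
    the hosts to block outbound at the perimeter while the server is examined."""
    return sorted(dst for dst, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    icmp = outbound_by_dest(SAMPLE_LOG, WINDOW_START, WINDOW_END)
    print("outbound ICMP per destination:", dict(icmp))
    print("flood suspects:", suspect_destinations(icmp, threshold=3))
```

A matching count from the ISP's own capture is still needed to rule out a spoofed source address, as the comment notes.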
Certified Expert

Commented:
www.ethereal.com and www.netlimiter.com will help you find the source.  If you have a firewall, then ensure that only incoming traffic is permitted to this server, and anything outbound is restricted.  You could do this at a local level too, and set up an IP filter via Control Panel/Network Card properties/Advanced etc.
It's unlikely to be a DOS attack; more likely your server is infected with a virus and is exhibiting DOS-like symptoms.
Run a thorough AV scan on this server, and download/run MBSA 2.0 to ensure it's sufficiently patched to defend against future intrusion.

http://www.microsoft.com/technet/security/tools/mbsa2/default.mspx