DDoS attacks ... identifying destination ...

Art Mason amason at rackspace.com
Thu Sep 6 13:52:42 PDT 2007


On Thursday 06 September 2007 14:59:36 Olivier Brisson wrote:
> * Marc G. Fournier <scrappy at freebsd.org> [070906 21:28]:
> > Is there either a command line command, or ports tool, that I can use
> > similar to top, or systat -iostat, that will help identify the IP that is
> > being attacked?
>
> In some way, you could also use wireshark:
> http://www.wireshark.org/
>
> Olivier

In the past, I've used DoSDetector with some success:

/usr/ports/net/dosdetector

"DoSDetector analyzes and detects suspicious IP traffic and alerts about it.
It can detect worm traffic, SYN flood, icmp flood, udp flood attacks and more.

It's configurable via a rule set; when an IP exceeds the score limit,
DoSDetector prints a warning.

WWW: http://dark-zone.eu/resources/unix/dosdetector/"

Combined w/ NetFlow exports on your edge routers, this provides even more
accuracy, at least in identifying the router and interface the traffic is
coming in from, so you can then act accordingly to mitigate its effects.

Many of the CAIDA tools (http://www.caida.org/tools/) can also help with
identifying the source and destination of the anomalous traffic.

Hope this information proves to be of some value.

Cheers,
-- 
Art Mason
amason at rackspace.com
Intensive Network Security
Rackspace Managed Hosting
(800) 961-4454 ext. 4290
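
The following is an added example, not part of Art Mason's reply or any of the tools he names. It shows the quick, top-like view Marc asked for: a shell function that reads tcpdump "-nn" output and reports which destination address is receiving the most packets and how many of those are bare SYNs, plus a second function that flags destinations over a SYN-ratio threshold. The sample packet lines are constructed, and the interface name "em0" in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the original thread): a top-like summary of the
# destination IPs seen in tcpdump output, to spot the host under attack.

# Summarise tcpdump "-nn" lines read from stdin.
# Output columns: total_packets syn_packets dst_ip (most-hit first).
top_dst() {
    awk '
        $2 == "IP" && $4 == ">" {
            dst = $5
            sub(/:$/, "", dst)               # drop the trailing colon
            n = split(dst, p, ".")
            if (n == 5)                      # "a.b.c.d.port" -> drop the port
                dst = p[1] "." p[2] "." p[3] "." p[4]
            total[dst]++
            if ($6 == "Flags" && $7 == "[S],") syn[dst]++
        }
        END {
            for (d in total)
                printf "%d %d %s\n", total[d], syn[d] + 0, d
        }
    ' | sort -rn
}

# Print destinations that look SYN-flooded: at least $1 packets seen and
# more than $2 percent of them are bare SYNs. Both numbers are tuning
# knobs; set them from what your normal traffic baseline looks like.
syn_suspects() {
    min_pkts=$1
    min_pct=$2
    top_dst | awk -v n="$min_pkts" -v pct="$min_pct" \
        '$1 >= n && $2 * 100 / $1 > pct { print $3 }'
}

# Constructed sample in tcpdump -nn format (not a real capture):
# five SYNs from different sources to .10, plus some ordinary traffic.
SAMPLE='13:52:42.000001 IP 203.0.113.5.40001 > 198.51.100.10.80: Flags [S], seq 1, win 512, length 0
13:52:42.000002 IP 203.0.113.6.40002 > 198.51.100.10.80: Flags [S], seq 1, win 512, length 0
13:52:42.000003 IP 203.0.113.7.40003 > 198.51.100.10.80: Flags [S], seq 1, win 512, length 0
13:52:42.000004 IP 203.0.113.8.40004 > 198.51.100.10.80: Flags [S], seq 1, win 512, length 0
13:52:42.000005 IP 203.0.113.9.40005 > 198.51.100.10.80: Flags [S], seq 1, win 512, length 0
13:52:42.000006 IP 192.0.2.10.51000 > 198.51.100.10.80: Flags [P.], seq 1:100, ack 1, win 512, length 99
13:52:42.000007 IP 192.0.2.11.51001 > 198.51.100.20.22: Flags [P.], seq 1:50, ack 1, win 512, length 49
13:52:42.000008 IP 192.0.2.12.51002 > 198.51.100.20.22: Flags [P.], seq 1:50, ack 1, win 512, length 49
13:52:42.000009 IP 192.0.2.13 > 198.51.100.20: ICMP echo request, id 1, seq 1, length 64'

# Offline run on the constructed sample.
printf '%s\n' "$SAMPLE" | top_dst
printf '%s\n' "$SAMPLE" | syn_suspects 4 80

# Live use on a FreeBSD box (interface name is an assumption):
#   tcpdump -nn -i em0 -c 5000 2>/dev/null | top_dst | head
#   tcpdump -nn -i em0 -c 5000 2>/dev/null | syn_suspects 500 90
```

On the sample this prints "6 5 198.51.100.10" first, then "3 0 198.51.100.20", and the suspect list names 198.51.100.10 alone. The ICMP line is counted for .20 without being mangled, since the port is only stripped when the address has five dotted parts. Flow records from the edge routers answer the complementary question of which interface the flood arrives on, which this host-side view cannot.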

