how to respond to possible attacks
Bill Campbell
freebsd at celestial.com
Sat Mar 8 22:54:38 UTC 2008
On Sat, Mar 08, 2008, Robin Becker wrote:
>Sorry if this is too off topic, but I would like to find out what to do
>when you suspect a possible dos attack on your system. I know there are
>many experienced sysadmins here.
>
>Although my system (freebsd 6.0/apache 2.0.x) did in fact hold up, what
>steps should I be taking? The originating ip doesn't seem to be reverse
>mappable.

The first thing to do is ``whois ipaddress'' which probably will
identify the owner of the ip block.

One can also identify name servers by reversing the octets in the
IP address, then querying for the name server(s) responsible for
the reverse dns. Thus, if the IP address is 1.2.3.4, one would
try the following searches until one returns something useful.

	dig 3.2.1.in-addr.arpa. ns
	dig 2.1.in-addr.arpa. ns
	dig 1.in-addr.arpa. ns

The next step would be to attempt to contact the owners of the
name servers.

Bill
--
INTERNET: bill at celestial.com Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/ PO Box 820; 6641 E. Mercer Way
FAX: (206) 232-9186 Mercer Island, WA 98040-0820; (206) 236-1676
We'll show the world we are prosperous, even if we have to go broke to do
it. -- Will Rogers
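
The lookup procedure described in the reply above, as an added example that is not part of the original message: it builds the parent in-addr.arpa zones for an IPv4 address, most specific first, and asks each for its NS records until one answers. The function names `reverse_zones` and `find_reverse_ns` are hypothetical, and 192.0.2.10 is a constructed documentation address.

```shell
#!/bin/sh
# Added example: walk up the reverse-DNS tree of an IPv4 address to find
# the name servers responsible for it. Function names are hypothetical.

# reverse_zones ADDR prints the /24, /16 and /8 reverse zones of ADDR,
# one per line, and returns 1 if ADDR is not a dotted-quad IPv4 address.
reverse_zones() {
    ip=$1
    # Reject anything that is not digits separated by single dots.
    case $ip in
        *[!0-9.]*|*..*|.*|*.|'') return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip                      # split the address into its octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    printf '%s\n' "$3.$2.$1.in-addr.arpa." "$2.$1.in-addr.arpa." "$1.in-addr.arpa."
}

# find_reverse_ns ADDR queries each candidate zone for NS records and
# stops at the first zone that answers. Needs network access and dig(1).
find_reverse_ns() {
    zones=$(reverse_zones "$1") || { echo "not an IPv4 address: $1" >&2; return 2; }
    for zone in $zones; do
        answer=$(dig +short "$zone" NS)
        if [ -n "$answer" ]; then
            printf 'zone %s is served by:\n%s\n' "$zone" "$answer"
            return 0
        fi
    done
    echo "no NS records found for any parent zone of $1" >&2
    return 1
}

# Run the lookups only when an address is given on the command line,
# e.g.  sh revns.sh 192.0.2.10   (constructed documentation address)
if [ $# -gt 0 ]; then
    whois "$1"
    find_reverse_ns "$1"
fi
```
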