
Denial of Service Attacks

  • 16-08-2007 11:09PM
    #1
    Closed Accounts Posts: 17


    Hi guys,

    I suspect my network has been breached by a denial of service attack and in particular, smurf, syn and land attacks to name a few. Is there anyone here who can help me sort this out as it's really hammering our internet connection. We are suffering major packet loss.


    Any help is greatly appreciated.

    Richard
    Digiworld.ie


Comments

  • Registered Users, Registered Users 2 Posts: 5,333 ✭✭✭Cake Fiend


    Are there any reasons why you suspect these particular types of attack? E.g. firewall logs etc? From the phrasing you use, I'm guessing you're not really a security guy. Depending on the type of attack, there can be preventative steps you can take. Something like a distributed SYN flood to a critical service (e.g. port 80 on a webserver) can be very hard to protect against. If the attacks are eating up your bandwidth, they're going to have to be cut off upstream anyway.

    Any more info on the target of the attack might help figure out what you're dealing with, and whether you're the ultimate intended victim. Is it your website? Your office network? If your site is hosted, is the hosting company experiencing similar attacks to other clients? Have you had anything like this happen before? Any recent firings of technical staff?

    In the unlikely event that these attacks are coming from a small set of hosts or networks, this isn't too hard. In the much more likely event that a (distributed) zombie network is the source of the attacks, you'd have to start looking at blocking off huge ranges, maybe whole countries. Nasty business.


  • Closed Accounts Posts: 17 digiworld.ie


    I'm sure it's a DOS attack alright. I have been looking through the router logs and they are mentioned on several occasions. The problem lies on our network. We have 26 client PCs and at times throughout the day our connection is awful. If I run a ping test on it, we are getting one packet reply out of 6-8. When I look at the logs for the corresponding times, it will show syn flood, fin flood, smurf, land attacks. It's fairly random as to which one. I first thought I might have had a virus and reformatted some of the PCs but it has not helped.


  • Registered Users, Registered Users 2 Posts: 786 ✭✭✭voodoo


    Sounds like you need intrusion prevention of some sort. Do you have the option to turn this on on the firewall? Otherwise a standalone option would be advisable, especially if you have very sensitive data that could be stolen from your network...


  • Registered Users, Registered Users 2 Posts: 5,333 ✭✭✭Cake Fiend


    voodoo wrote:
    Sounds like you need Intrusion prevention of some sort

    This won't protect from a flood.


  • Closed Accounts Posts: 17 digiworld.ie


    Have you any suggestions on how I could prevent the problem? I spent the day formatting my machines. Got through 11 of them, still have 12 to go. Ran a ping test this evening with only reformatted machines online and connectivity seems good.


  • Registered Users, Registered Users 2 Posts: 5,333 ✭✭✭Cake Fiend


    I spent the day formatting my machines. Got through 11 of them, still have 12 to go. Ran a ping test this evening with only reformatted machines online and connectivity seems good

    OK, I was under the impression that your network was the target of the attack. What you're saying now implies that your systems were the source. Do your firewall logs specify what direction the traffic was travelling?

    If your machines were infected, you're going to have to put more stringent internet access / downloading / foreign media (USB drives and the like) policies in place, plus run anti-virus and anti-spyware packages.

    If this happens again, not only will it affect your own connectivity, you risk your ISP shutting off your access (not to mention damage to the business' credibility).


  • Registered Users, Registered Users 2 Posts: 1,530 ✭✭✭CptSternn


    What kind of router are you using? Have you not been able to identify the specific source in the logs? Why are you reformatting the machines if you have yet to identify the specific attack, and more importantly, why are you reformatting if you have yet to identify how they compromised your systems to begin with? If you haven't got that sussed, they will more than likely be able to do it again in a week if you haven't figured it out.

    Are your local PCs on their own subnet? Wouldn't it be easier to isolate that subnet and restrict traffic from the router to and from it until you can isolate what exactly is going on?

    Just a few questions mate. I myself would make sure those PCs were on their own subnet, lock down the ports they can access, and then monitor for incoming traffic to those PCs to see if the attack is external first.

    Also, formatting those PCs is not only premature, you're also going to wipe away any trace of the hackers along with the evidence that can be used to find them and stop any future attacks.

    You might want to hold off on that, but that's just me.

    -S
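
Added example (not part of any post in this thread): one way to answer the direction question raised above, by tallying router alerts per attack type and by whether the source address sits on the LAN. The log format, the 192.168.1.0/24 range and every sample line are constructed assumptions; the regex has to be adapted to the router's actual output.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the office LAN range; the thread does not state one.
LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample lines in a hypothetical router log format.
SAMPLE_LOG = """\
Aug 16 14:02:11 ALERT syn flood src=192.168.1.23 dst=203.0.113.50
Aug 16 14:02:12 ALERT syn flood src=192.168.1.23 dst=203.0.113.50
Aug 16 14:02:15 ALERT smurf src=192.168.1.41 dst=198.51.100.255
Aug 16 14:03:01 ALERT fin flood src=198.51.100.7 dst=192.168.1.10
Aug 16 14:03:09 ALERT land attack src=192.168.1.23 dst=192.168.1.23
Aug 16 14:04:30 ALERT syn flood src=192.168.1.41 dst=203.0.113.50
"""

LINE_RE = re.compile(r"ALERT (?P<kind>[a-z ]+?) src=(?P<src>\S+) dst=(?P<dst>\S+)")

def direction(src, dst):
    """Classify an alert relative to the LAN boundary."""
    src_in = ipaddress.ip_address(src) in LAN
    dst_in = ipaddress.ip_address(dst) in LAN
    if src_in and dst_in:
        return "internal"
    if src_in:
        return "outbound"   # a LAN machine appears to be the sender
    if dst_in:
        return "inbound"    # the LAN is the target
    return "transit"

def triage(log_text):
    """Return (alerts per (type, direction), alerts per LAN source address)."""
    by_direction = Counter()
    by_lan_source = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an alert line in the assumed format
        where = direction(m["src"], m["dst"])
        by_direction[(m["kind"], where)] += 1
        # Source addresses in floods can be spoofed, so a LAN source is a
        # lead to confirm on the switch/ARP table, not proof of infection.
        if where in ("outbound", "internal"):
            by_lan_source[m["src"]] += 1
    return by_direction, by_lan_source

if __name__ == "__main__":
    per_type, per_host = triage(SAMPLE_LOG)
    print(per_type.most_common())
    print(per_host.most_common())
```

Mostly outbound alerts concentrated on a few LAN addresses point at infected internal hosts, which are the ones to isolate and image before any reformatting.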

