From: Eric F Crist <ecrist@secure-computing.net>
Date: Thu, 6 Sep 2007 14:42:35 -0500
To: Marc G. Fournier
Cc: freebsd-net@freebsd.org
Subject: Re: DDoS attacks ... identifying destination ...

On Sep 6, 2007, at 1:48 PM, Marc G. Fournier wrote:

> Today, I got hit by an attack, but haven't been able to easily determine who
> was being attacked ...
>
> I run ipaudit to monitor bandwidth usage, so I have 'source / destination'
> information, but I'm not finding any particularly easy way to narrow down who
> was being attacked ...
>
> I run mrtg on the switch so that I know which *server* is being attacked, so I
> need some method of being able to see who is being attacked so that I can put
> appropriate blocks in place ...
>
> Is there either a command line command, or ports tool, that I can use similar
> to top, or systat -iostat, that will help identify the IP that is being
> attacked?
>
> Thank you ...

tcpdump might be of use.

-----
Eric F Crist
Secure Computing Networks
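One way to turn the tcpdump suggestion into the "top"-style view Marc asks for, as an added example that is not part of the original thread: rank destination addresses in `tcpdump -nn -q` output so the host absorbing the flood stands out. The interface name `em0` and the sample capture lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the list thread): count packets per destination IP
# in tcpdump-style output so the attacked host is visible at a glance.
# Live use would be something like:
#   tcpdump -nn -q -i em0 -c 10000 ip | top_destinations
# Here the input is a few constructed lines in the same format.

SAMPLE='12:00:01.000001 IP 198.51.100.7.40001 > 203.0.113.5.80: tcp 0
12:00:01.000002 IP 198.51.100.8.40002 > 203.0.113.5.80: tcp 0
12:00:01.000003 IP 198.51.100.9.40003 > 203.0.113.5.80: tcp 0
12:00:01.000004 IP 192.0.2.10.53 > 203.0.113.9.53: UDP, length 64
12:00:01.000005 IP 198.51.100.7.40004 > 203.0.113.5.443: tcp 0'

# top_destinations: read "tcpdump -nn -q" lines on stdin and print
# "<packets> <dst_ip>", busiest destination first.
top_destinations() {
    awk '$2 == "IP" && $4 == ">" {
            dst = $5
            sub(/:$/, "", dst)          # drop the trailing colon
            sub(/\.[0-9]+$/, "", dst)   # drop the port, keep the address
            count[dst]++
        }
        END { for (d in count) print count[d], d }' | sort -rn
}

# busiest_destination: only the top address, convenient when scripting
# a firewall rule for the host under attack.
busiest_destination() {
    top_destinations | head -n 1 | awk '{print $2}'
}

printf '%s\n' "$SAMPLE" | top_destinations
```

Because ipaudit and mrtg already say which server is busy, running this on that server's interface narrows the flood down to the single address that needs a block rule.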