Date:      Thu, 19 Jul 2001 08:48:53 -0400
From:      Robert Hough <rch@acidpit.org>
To:        Walter Hop <walter@binity.com>
Cc:        freebsd-isp@freebsd.org
Subject:   Re: What do you do about DoS attacks?
Message-ID:  <20010719084853.A98826@acidpit.org>
In-Reply-To: <17810514298.20010719112448@binity.com>; from walter@binity.com on Thu, Jul 19, 2001 at 11:24:48 +0200
References:  <17810514298.20010719112448@binity.com>

On Thu, Jul 19, 2001, Walter Hop wrote:

>    The colocated boxes on the subnet are hardly reachable when under
>    attack, so I can't log in to make an ad-hoc analysis of the traffic; I
>    want to have a solid logging system in place before another attack
>    occurs.

First suggestion, get a modem and put it on any colo boxes you manage,
it will save you a lot of headache. If you have several machines, look
into an old portmaster. They work great in this scenario.


>    I'd like to keep network dumps under heavy load. Logging all tcpdump
>    output to a file all day would create gigantic file

Try using NetFlow on your router. Alongside flow-tools, you can probably
get the information you want. It's actually a very nice feature,
regardless of attacks. Lots of information to pull from netflows.

http://www.cisco.com/warp/public/732/Tech/netflow/

http://www.splintered.net/sw/flow-tools

> Does anyone have any pointers for tools or config options that could
> help me? [I have tried google and the archives, but did not find
> anything really valuable this morning..]

http://www.sans.org

NANOG can also be a good source of information, just have to weed
through a ton of ego. I'd suggest spending some time digging through the
NANOG site, and seeing if they have anything you can use (I'm sure they
do). Then, maybe joining the mailing list and lurking for a while. If
you don't mind being the end of someone's ego boost, you can post too.
:)


-- 
Robert Hough (rch@acidpit.org)
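The point of exporting NetFlow from the router is that the flow records keep arriving at a collector even when the target box itself is unreachable, and they are far smaller than a full tcpdump. The example below is added here and is not code from Robert Hough's message or from flow-tools: it parses a NetFlow v5 export datagram (the fixed 24-byte header and 48-byte record layout) and summarizes traffic per destination, then applies a simple, assumed heuristic (many flows to one destination with very few packets each) to point at a likely flood target. The sample datagram, the addresses in it, and the thresholds in flag_flood_targets are constructed for illustration.

```python
"""Parse NetFlow v5 export datagrams and summarize traffic per destination.

Added example; the flow data below is constructed, not a real capture.
"""
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire layout: a 24-byte header followed by up to 30 48-byte records.
HEADER_FMT = "!HHIIIIBBH"   # version, count, sysuptime, unix_secs, unix_nsecs,
                            # flow_sequence, engine_type, engine_id, sampling
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"  # srcaddr, dstaddr, nexthop, input, output,
                                        # dPkts, dOctets, first, last, srcport,
                                        # dstport, pad1, tcp_flags, prot, tos,
                                        # src_as, dst_as, src_mask, dst_mask, pad2
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48


def parse_netflow_v5(packet):
    """Return a list of flow records (dicts) from one v5 export datagram."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short NetFlow header")
    version, count = struct.unpack_from("!HH", packet, 0)
    if version != 5:
        raise ValueError("unsupported NetFlow version %d" % version)
    if len(packet) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("truncated NetFlow v5 datagram")
    records = []
    for i in range(count):
        f = struct.unpack_from(RECORD_FMT, packet, HEADER_LEN + i * RECORD_LEN)
        records.append({
            "src": socket.inet_ntoa(f[0]),
            "dst": socket.inet_ntoa(f[1]),
            "packets": f[5],
            "octets": f[6],
            "sport": f[9],
            "dport": f[10],
            "tcp_flags": f[12],
            "proto": f[13],
        })
    return records


def build_v5_packet(flows):
    """Encode (src, dst, sport, dport, proto, flags, pkts, octets) tuples as a
    v5 datagram. Used here only to construct sample input."""
    header = struct.pack(HEADER_FMT, 5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    body = b""
    for src, dst, sport, dport, proto, flags, pkts, octets in flows:
        body += struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst),
                            b"\0" * 4, 0, 0, pkts, octets, 0, 0, sport, dport,
                            0, flags, proto, 0, 0, 0, 0, 0, 0)
    return header + body


def summarize_by_destination(records):
    """Aggregate flow count, packets, octets and distinct sources per destination."""
    stats = defaultdict(lambda: {"flows": 0, "packets": 0, "octets": 0, "sources": set()})
    for r in records:
        s = stats[r["dst"]]
        s["flows"] += 1
        s["packets"] += r["packets"]
        s["octets"] += r["octets"]
        s["sources"].add(r["src"])
    return dict(stats)


def flag_flood_targets(stats, min_flows=5, max_pkts_per_flow=2.0):
    """Assumed heuristic (not from the thread): a destination receiving many
    flows that each carry only a packet or two looks like a flood target."""
    suspects = []
    for dst, s in stats.items():
        avg = s["packets"] / s["flows"]
        if s["flows"] >= min_flows and avg <= max_pkts_per_flow:
            suspects.append(dst)
    return sorted(suspects)


# Constructed sample: six one-packet SYN flows to 192.0.2.10 from different
# sources, plus two ordinary sessions to 192.0.2.20.
SAMPLE_FLOWS = (
    [("198.51.100.%d" % i, "192.0.2.10", 40000 + i, 80, 6, 0x02, 1, 40) for i in range(1, 7)]
    + [("203.0.113.5", "192.0.2.20", 51234, 22, 6, 0x18, 120, 9600),
       ("203.0.113.6", "192.0.2.20", 51235, 443, 6, 0x18, 340, 210000)]
)
SAMPLE_PACKET = build_v5_packet(SAMPLE_FLOWS)


def analyze(packet=SAMPLE_PACKET):
    """Parse one datagram and return (per-destination stats, suspect destinations)."""
    records = parse_netflow_v5(packet)
    stats = summarize_by_destination(records)
    return stats, flag_flood_targets(stats)


if __name__ == "__main__":
    stats, suspects = analyze()
    for dst, s in sorted(stats.items()):
        print("%-14s flows=%-3d pkts=%-5d octets=%-7d sources=%d"
              % (dst, s["flows"], s["packets"], s["octets"], len(s["sources"])))
    print("suspect flood targets:", suspects)
```

In practice the datagrams would come from a UDP socket bound to the collector port the router exports to, and the per-destination table would be kept over a sliding window rather than per datagram; flow-tools does that bookkeeping for you, but the record layout above is what its files and the router's exports both carry.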

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010719084853.A98826>