Date: Thu, 6 Sep 2007 15:38:49 -0500
From: Art Mason <amason@rackspace.com>
To: freebsd-net@freebsd.org
Subject: Re: DDoS attacks ... identifying destination ...
Message-ID: <200709061538.49483.amason@rackspace.com>
In-Reply-To: <20070906195936.GB81651@haribo.unixcraft.org>
References: <B619D4EFFD109A19C9A24EFC@ganymede.hub.org> <20070906195936.GB81651@haribo.unixcraft.org>
On Thursday 06 September 2007 14:59:36 Olivier Brisson wrote:
> * Marc G. Fournier <scrappy@freebsd.org> [070906 21:28]:
> > Is there either a command line command, or ports tool, that I can use
> > similar to top, or systat -iostat, that will help identify the IP that is
> > being attacked?
>
> In some way, you could also use wireshark:
> http://www.wireshark.org/
>
> Olivier
> _______________________________________________
> freebsd-net@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-net
> To unsubscribe, send any mail to "freebsd-net-unsubscribe@freebsd.org"

In the past, I've used DoSDetector to some success:

/usr/ports/net/dosdetector

"DoSDetector analyzes and detects suspicious IP traffic and alerts about it. It can detect worm traffic, SYN flood, icmp flood, udp flood attacks and more. It's configurable via a rule set; when an IP exceeds the score limit, DoSDetector prints a warning.
WWW: http://dark-zone.eu/resources/unix/dosdetector/"

Combined w/ NetFlow exports on your edge routers provides even more accuracy in at least identifying the router and interface the traffic is coming in from and then acting accordingly to mitigate its effects.

Many of the CAIDA tools (http://www.caida.org/tools/) can also help with identifying the source and destination of the anomalous traffic.

Hope this information proves to be of some value.

Cheers,

--
Art Mason
amason@rackspace.com
Intensive Network Security
Rackspace Managed Hosting
(800) 961-4454 ext. 4290

Confidentiality Notice: This e-mail message (including any attached or embedded documents) is intended for the exclusive and confidential use of the individual or entity to which this message is addressed, and unless otherwise expressly indicated, is confidential and privileged information of Rackspace Managed Hosting. Any dissemination, distribution or copying of the enclosed material is prohibited. If you receive this transmission in error, please notify us immediately by e-mail at abuse@rackspace.com, and delete the original message. Your cooperation is appreciated.
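As an added example (not code from the thread, from DoSDetector or from any CAIDA tool), here is the kind of per-destination "top" view the question asks for, computed over NetFlow-style records exported from edge routers. The record layout, the sample addresses and the interface numbers are constructed assumptions for this example.

```python
"""Rank destination IPs from flow records to find the host being flooded.

Record layout is a simplified NetFlow v5-style tuple and the sample data is
constructed for this example; neither comes from the thread or any tool.
"""
from collections import defaultdict

SYN, ACK = 0x02, 0x10  # TCP flag bits as carried in a NetFlow tcp_flags field

# Constructed sample: (in_iface, src_ip, dst_ip, proto, tcp_flags, pkts, bytes)
SAMPLE_FLOWS = [
    (1, "198.51.100.7", "203.0.113.10", 6, SYN | ACK, 40, 52000),  # normal web session
    (1, "198.51.100.8", "203.0.113.10", 6, SYN | ACK, 12, 9000),
    (1, "198.51.100.9", "203.0.113.10", 17, 0, 5, 2500),           # DNS over UDP
]
# A SYN flood: 200 distinct sources, one unanswered SYN each, arriving on two edge ifaces.
SAMPLE_FLOWS += [(2 + i % 2, f"192.0.2.{i}", "203.0.113.25", 6, SYN, 1, 40)
                 for i in range(1, 201)]


def rank_destinations(flows):
    """Aggregate per destination: volume, source fan-in, SYN-only share, ingress ifaces."""
    per_dst = defaultdict(lambda: {"pkts": 0, "bytes": 0, "srcs": set(),
                                   "ifaces": set(), "tcp_flows": 0, "syn_only": 0})
    for iface, src, dst, proto, flags, pkts, nbytes in flows:
        d = per_dst[dst]
        d["pkts"] += pkts
        d["bytes"] += nbytes
        d["srcs"].add(src)
        d["ifaces"].add(iface)
        if proto == 6:  # TCP: count flows that carry SYN but never an ACK
            d["tcp_flows"] += 1
            if flags & SYN and not flags & ACK:
                d["syn_only"] += 1
    report = []
    for dst, d in per_dst.items():
        ratio = d["syn_only"] / d["tcp_flows"] if d["tcp_flows"] else 0.0
        report.append({"dst": dst, "pkts": d["pkts"], "bytes": d["bytes"],
                       "sources": len(d["srcs"]), "ifaces": sorted(d["ifaces"]),
                       "syn_only_ratio": round(ratio, 2)})
    # Most packets first; a flood shows as high pkts, many sources, SYN-only share near 1.
    report.sort(key=lambda r: (r["pkts"], r["sources"]), reverse=True)
    return report


if __name__ == "__main__":
    for r in rank_destinations(SAMPLE_FLOWS):
        print(f'{r["dst"]:<15} pkts={r["pkts"]:<6} bytes={r["bytes"]:<7} '
              f'srcs={r["sources"]:<4} syn_only={r["syn_only_ratio"]:<4} ifaces={r["ifaces"]}')
```

The "ifaces" column is what the NetFlow exports add over a host-local tool such as systat: it names the router interfaces the flood enters on, which is where a filter or rate limit can be applied.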