Problem
Sergey Kuznetsov
skuznets-WRMZ5ucGVl4BXFe83j6qeQ at public.gmane.org
Tue Jan 27 10:54:51 UTC 2004
>
> Actually, it turns out it may have been a DOS attack. I could not get
> in, and connect via web, SSH, etc. but upon calling the tech at the
> location, the server was on, but traffic could not get through because
> it was being bombarded by traffic. Any way to check which domains were
> being targeted?
>
It is not necessarily an exact domain or set of domains. It could be just
the simplest SYN or FIN or something like that.

First of all, check the traffic on-site at the moment of the attack (if it's
possible) with tcpdump. If that's impossible, then make a cron job which will
start approximately at the time of the attack and will grab every incoming/outgoing
packet into a file in tcpdump's binary format (you need lots of space if your
sites are heavily used), and a cron job which kills the tcpdump session after
some time.

If you see the 3-way TCP handshake in the tcpdump logs, you probably can
recognize the attacker; if it's a SYN/FIN attack, forget about it, the source
address could be forged. Even for a 3-way TCP handshake the attacker can use
anonymous SOCKS proxies. In this case you should ask your hoster to
initiate a security investigation to trace the attackers. Any big provider
like MCI/ATT/Sprint has security specialists who know how to trace the
attacker and interoperate with other networks.

PS: Security guys from my previous work (MCI Canada) successfully traced,
localized and filtered at origin such kinds of attacks (they came from China)
for some of their customers.
--
All the Best!
-----------------
Sergey Kuznetsov
Senior Software Developer
Blueprint Initiative
Samuel Lunenfeld Research Institute
at Mount Sinai Hospital
--
The Toronto Linux Users Group. Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
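The procedure in the reply above (a cron-started tcpdump capture in binary format, killed after some time, then a look for completed handshakes versus bare SYN/FIN traffic) as an added sh example that is not from the original post or the TLUG list. It assumes tcpdump and coreutils `timeout` are installed and that cron runs it as root; the interface, capture directory, duration and crontab time are placeholder choices, and the sample tcpdump lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): run a bounded tcpdump capture
# from cron and triage the result for SYN/FIN floods vs completed handshakes.
# Assumed: tcpdump and coreutils timeout are installed and cron runs this as root;
# IFACE, CAPDIR, SECS and the crontab time are local choices, not from the post.
IFACE="${IFACE:-eth0}"
CAPDIR="${CAPDIR:-/var/tmp/flood}"
SECS="${SECS:-600}"   # capture length; replaces the second cron job that kills tcpdump

# tcpdump command: -w writes the binary pcap format, -n avoids DNS lookups under
# load, -C/-W rotate at 100 MB and keep 5 files so a busy site cannot fill the disk.
capture_cmd() {
    echo "timeout ${SECS} tcpdump -n -s 0 -i ${IFACE} -C 100 -W 5 -w ${CAPDIR}/flood.pcap"
}
# Example crontab line (start a few minutes before the usual attack time):
#   50 2 * * * /usr/local/sbin/flood_capture.sh capture

# Read the text output of `tcpdump -nr flood.pcap tcp` on stdin and count, per
# source address, bare SYNs, FINs and ACK/data segments. Many SYNs with no ACK
# means the handshake never completed, so the address may be forged; a source
# that reached the ACK stage really was reachable at that address.
handshake_report() {
    awk '$2 == "IP" && $6 == "Flags" {
            split($3, a, "."); src = a[1] "." a[2] "." a[3] "." a[4]
            f = $7; gsub(/[][,]/, "", f)          # "[S]," -> "S"
            if (f == "S") syn[src]++
            else if (f == "." || f == "P.") ack[src]++
            else if (f == "F" || f == "F.") fin[src]++
         }
         END {
            for (s in syn)
                printf "%d %s ack=%d fin=%d %s\n", syn[s], s, ack[s], fin[s], (ack[s] > 0 ? "handshake-completed" : "syn-only")
         }' | sort -rn
}

# Constructed sample of tcpdump text output (addresses made up for the example):
# three bare SYNs from one source and one completed handshake from another.
sample_lines() {
cat <<'EOF'
10:54:51.000001 IP 10.0.0.5.40001 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0
10:54:51.000002 IP 10.0.0.5.40002 > 192.0.2.10.80: Flags [S], seq 2, win 512, length 0
10:54:51.000003 IP 10.0.0.5.40003 > 192.0.2.10.80: Flags [S], seq 3, win 512, length 0
10:54:51.000004 IP 198.51.100.7.51000 > 192.0.2.10.80: Flags [S], seq 100, win 64240, length 0
10:54:51.000005 IP 192.0.2.10.80 > 198.51.100.7.51000: Flags [S.], seq 500, ack 101, win 29200, length 0
10:54:51.000006 IP 198.51.100.7.51000 > 192.0.2.10.80: Flags [.], ack 501, win 64240, length 0
EOF
}
case "${1:-}" in
    capture) mkdir -p "$CAPDIR" && eval "$(capture_cmd)" ;;
    report)  handshake_report < "${2:-/dev/stdin}" ;;
    demo)    sample_lines | handshake_report ;;
esac
```

Run `flood_capture.sh demo` to see the report on the constructed sample, or `tcpdump -nr /var/tmp/flood/flood.pcap tcp | flood_capture.sh report` on a real capture.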