DOS SYN attack on a large network

Lennart Sorensen lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org
Tue Aug 12 15:03:47 UTC 2008


On Tue, Aug 12, 2008 at 08:35:26AM -0400, Teddy wrote:
> 
> We have a few hundred Linux boxes.
> We do not have root access to these client boxes.
> (So I cannot secure or "fix them up")
> 
> Once in a while, we get a DOS or SYN or some other type of
> attack on our network, that can down the entire network.
> We have our switches configured correctly. (reverifying again)
> 
> One thing I do notice of course is the offending box, starts making
> a tremendous amount of bandwidth. (100Mbits/sec)
> 
> I would like to monitor this, perhaps like:
> 
> 1. If traffic on switch >=30 Mbits for 600 seconds then fire off an email
> 2. Login to the network to fix it (hopefully before network gets saturated)
> 
> 
> I have cacti/ntop/nagios and other tools.
> What tool would be best suited for this?
> Is there a better way, than just waiting for a DOS SYN attack to occur?

Well, if it happens, note the source port/MAC address of the problem,
then go permanently remove that user from the network.  Eventually it
should stop happening.

Some switches have built-in protection against floods, which could be
helpful, although I'm not sure how many have that feature.

-- 
Len Sorensen
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
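One way to build the threshold-and-duration alert Teddy sketches in the quoted post (an added example, not code from the thread or from TLUG; it assumes the poller runs on a Linux host whose /proc/net/dev sees the offending traffic, such as the gateway or a mirror port, and that the caller supplies the email hook):

```python
# Sustained-rate alert for the quoted rule (>= 30 Mbit/s for 600 s -> email). Assumes
# /proc/net/dev on a Linux host that sees the traffic; SNMP ifInOctets works the same.
import time

THRESHOLD_MBPS, HOLD_SECONDS = 30.0, 600   # the poster's numbers

# Constructed /proc/net/dev line (not a capture); first field after ':' is RX bytes.
SAMPLE_PROC_NET_DEV = "  eth0: 987654321 5000000 0 0 0 0 0 0 12345678 100000\n"

def parse_rx_bytes(text, iface):
    """Receive byte counter for iface from /proc/net/dev text."""
    for line in text.splitlines():
        name, _, rest = line.partition(":")
        if rest and name.strip() == iface:
            return int(rest.split()[0])
    raise KeyError(iface)

def rate_mbps(prev_bytes, cur_bytes, elapsed_s, counter_bits=64):
    """Bytes over an interval -> Mbit/s, correcting a single counter wrap."""
    delta = cur_bytes - prev_bytes
    if delta < 0:                  # wrapped; pass counter_bits=32 for SNMP ifInOctets
        delta += 1 << counter_bits
    return delta * 8 / elapsed_s / 1e6

class SustainedThreshold:
    """Fires once when the rate stays >= threshold for hold_s; re-arms on a drop."""
    def __init__(self, threshold_mbps=THRESHOLD_MBPS, hold_s=HOLD_SECONDS):
        self.threshold, self.hold = threshold_mbps, hold_s
        self.above_since, self.fired = None, False
    def update(self, rate, now):
        """True exactly on the sample that should trigger the email."""
        if rate < self.threshold:
            self.above_since, self.fired = None, False
            return False
        if self.above_since is None:
            self.above_since = now
        if not self.fired and now - self.above_since >= self.hold:
            self.fired = True
            return True
        return False

def monitor(iface, interval_s=60, send_alert=print):
    """Poll forever; send_alert stands in for the email hook."""
    read = lambda: parse_rx_bytes(open("/proc/net/dev").read(), iface)
    cur, detector = read(), SustainedThreshold()
    while True:
        time.sleep(interval_s)
        prev, cur = cur, read()
        rate = rate_mbps(prev, cur, interval_s)
        if detector.update(rate, time.time()):
            send_alert(f"{iface}: {rate:.1f} Mbit/s sustained >= {HOLD_SECONDS}s")
```

The alert message is the place to record the port and MAC address Len suggests noting, since the detector only knows the interface rate.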