[Dshield] Defense against server attacks
Johannes B. Ullrich
jullrich at sans.org
Mon Dec 1 19:41:18 GMT 2003
I think your question comes down to good log monitoring. The particular
attack may have been detected as a syn-flood, depending on what kind of
log information you collect.
Overall, I assume you are not just interested in detecting this
particular attack, but instead in detecting the next, so far
unknown to you, attack.
A couple things that help:
* Monitor the availability of your services from the outside
and the inside of your network. "nagios" is a nice package to
do this. Alternatively, there are commercial services that do
this for you. If you are interested in e-mail, just set up an
autoresponder, and a script on some external system (e.g.
your home system) that sends an e-mail every 5 minutes and
measures round trip time.
* A decent IDS is always a good idea. Try snort if you don't
have one already.
* Monitor your bandwidth usage. There are many tools to do
this (ntop, mrtg, iptraf). Set up alerts if bandwidth use
exceeds certain limits.
* Set up a central log server and some scripts to watch for
odd occurrences. I personally like syslog and swatch to get
started, and 'logsurfer' if you need more control. But all
this depends on your existing infrastructure.
Important note: Do not rely on e-mail alone to receive the
alerts. How will you be alerted if the mail server is down ;-).
Either use a secondary e-mail account to monitor the primary account,
or use a modem that can send signals to a pager. This solution is
ideal as it will still work if your Internet connection is down.
> Any thoughts on how to detect something like this while it is in progress and what
> can be done if such an attack is detected? We have blocked the offending netblock at
> our border (the idiot used their real IP address -- or at least the address of
> whatever system they compromised), which protects our MTA, but does little for
> our network bandwidth problem.
CTO SANS Internet Storm Center http://isc.sans.org
phone: (617) 786 1563
fax: (617) 786 1550 jullrich at sans.org
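The external mail probe sketched in the first bullet (a script on an outside system that mails an autoresponder every five minutes and measures the round trip), written out as an added Python example that is not part of the original message. The subject tag, the addresses, the 5-minute limit and the sample replies are constructed assumptions; beyond the single timing check the message describes, it also flags probes that never get a reply at all, which is the case that matters when the mail server is down.

```python
import email
import email.utils
import re
from datetime import datetime, timedelta, timezone

PROBE_TAG = "dshield-probe"       # assumed subject tag so replies can be matched to probes
RTT_LIMIT = timedelta(minutes=5)  # assumed threshold: alert if a reply takes longer than this

def extract_token(subject):
    """Pull the probe token out of a subject such as 'Re: dshield-probe 0002'."""
    m = re.search(rf"{PROBE_TAG}\s+(\w+)", subject or "")
    return m.group(1) if m else None

def evaluate_probes(probes, raw_replies, now):
    """probes: {token: datetime the probe was sent}; raw_replies: RFC 2822 text of the
    mail found in the probe mailbox. Returns ({token: rtt_seconds}, [alert strings])."""
    rtts = {}
    for raw in raw_replies:
        msg = email.message_from_string(raw)
        token = extract_token(msg["Subject"])
        if token in probes and msg["Date"]:
            received = email.utils.parsedate_to_datetime(msg["Date"])
            rtts[token] = (received - probes[token]).total_seconds()
    alerts = []
    for token, sent_at in sorted(probes.items()):
        if token in rtts:
            if rtts[token] > RTT_LIMIT.total_seconds():
                alerts.append(f"probe {token}: slow round trip {rtts[token]:.0f}s")
        elif now - sent_at > RTT_LIMIT:   # no reply yet and the limit has passed
            alerts.append(f"probe {token}: no reply after {(now - sent_at).total_seconds():.0f}s")
    return rtts, alerts

def reply_text(token, received):
    """Constructed autoresponder reply, standing in for mail fetched from the probe mailbox."""
    return (f"From: postmaster@mail.example.org\r\nTo: probe@home.example.net\r\n"
            f"Subject: Re: {PROBE_TAG} {token}\r\n"
            f"Date: {email.utils.format_datetime(received)}\r\n\r\nauto-reply\r\n")

def demo():
    t0 = datetime(2003, 12, 1, 19, 0, tzinfo=timezone.utc)
    probes = {f"{i:04d}": t0 + timedelta(minutes=5 * i) for i in range(3)}  # one every 5 minutes
    replies = [reply_text("0000", t0 + timedelta(seconds=42)),                # healthy
               reply_text("0001", t0 + timedelta(minutes=12, seconds=30))]    # slow; 0002 unanswered
    return evaluate_probes(probes, replies, now=t0 + timedelta(minutes=16))

if __name__ == "__main__":
    rtts, alerts = demo()
    print(rtts)
    for a in alerts:
        print("ALERT", a)
```

In real use the replies would be fetched from the probe mailbox (POP3/IMAP) and the alerts sent through a path that does not depend on the monitored mail server, as the note above advises.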