[Dshield] Defense against server attacks

Johannes B. Ullrich jullrich at sans.org
Mon Dec 1 19:41:18 GMT 2003

I think your question comes down to good log monitoring. The particular
attack may have been detected as a syn-flood, depending on what kind of 
log information you collect.

Overall, I assume you are not just interested in detecting this
particular attack, but instead in detecting the next, so far 
unknown to you, attack.

A couple things that help:

* Monitor the availability of your services from the outside
  and the inside of your network. "nagios" is a nice package to
  do this. Alternatively, there are comercial services that do
  this for you. If you are interested in e-mail, just setup an
  autoresponder, and a script on some external system (e.g.
  your home system) that sends an e-mail every 5 minutes and
  measures rund trip time.
* A decent IDS is always a good idea. Try snort if you don't 
  have one already.
* Monitor your bandwidth usage. There are many tools to do 
  this (ntop, mrtg, iptraf). Setup alerts if bandwidth use
  exceeds certain limits.
* setup a central log server and some scripts to watch for 
  odd occurrences. I personally like syslog and swatch to get
  started, and 'logsurfer' if you need more control. But all
  this depends on your existing infrastructure.

Important note: Do not rely on e-mail alone to receive the
alerts. How will you be alerted if the mail server is down ;-).
Either use a secondary e-mail account to monitor the primary account, 
or use a modem that can send signals to a pager. This solution is 
ideal as it will still work if your Internet connection is down.

> Any thoughts on how to detect something like this while it is in progress and what 
> can be done if such an attack is detected? We have blocked the offending netblock at
>  our border (the idiot used their real IP address -- or at least the address of 
> whatever system they compromised), which protects our MTA, but does little for 
> our network bandwidth problem.

CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 786 1563            
  fax: (617) 786 1550                          jullrich at sans.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://www.dshield.org/pipermail/list/attachments/20031201/847ca167/attachment.bin

More information about the list mailing list