Wireshark-users: Re: [Wireshark-users] DoS packets?
From: "Rafael Mejías" <rafaelmejiasc@xxxxxxxxx>
Date: Tue, 29 Apr 2008 10:37:31 +1930
> 1. Do you have a list of the top talkers to the server when you are 90% saturated? The web guys might be able to give you some stats from their logs.

Let me check for that. The server guys are working on it. I don't have
that info right now.

> 2. Are the attacks coming from the same source IP address or multiple IP addresses?

The pcap file shows multiple IP addresses. I'm trying to analyze it
but it's a slow process.

> As far as looking for signs of the attack, look for SYN floods or FIN attacks for starters.

How can I filter that in Wireshark?

> You can turn on IP accounting on the Cisco router and find out which IP's are sending the most traffic to the router then put in a quick access list to block those IP's (if they are few in number, that is).

I'll get to it.

> Also, I would get your ISP involved immediately and they can give you some help in isolating the unwanted traffic and should be able to black hole it upstream from your router.

That too, although they aren't very cooperative.

Thanks.
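The thread above asks how to pick SYN floods and top talkers out of a capture. In Wireshark itself the display filter `tcp.flags.syn == 1 && tcp.flags.ack == 0` shows bare SYNs, `tcp.flags.fin == 1` shows FINs, and Statistics > Endpoints ranks sources by packet count. The script below is an added example (not from the list posts or from the Wireshark project) that does the same counting offline on a classic libpcap file using only the Python standard library; it embeds a small constructed capture so it runs without a real pcap, and all IPs and thresholds in it are made up.

```python
"""Count bare SYNs and rank top talkers per source IP in a libpcap file (stdlib only)."""
import struct
import sys
from collections import Counter

TCP_FIN, TCP_SYN, TCP_ACK = 0x01, 0x02, 0x10


def build_frame(src_ip, dst_ip, sport, dport, flags):
    """Build a minimal Ethernet/IPv4/TCP frame for the constructed sample (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file header plus one record header per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # link type 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_200_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp(pcap):
    """Yield (src_ip, dst_ip, tcp_flags) for every IPv4/TCP packet in the pcap bytes."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24                                                # skip the global header
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:                                  # not TCP
            continue
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = frame[14 + ihl:]
        if len(tcp) < 14:                                   # truncated header
            continue
        yield src, dst, tcp[13]


def syn_flood_suspects(pcap, threshold):
    """Sources whose count of bare SYNs (SYN set, ACK clear) reaches threshold, highest first."""
    bare_syn = Counter()
    for src, _, flags in iter_tcp(pcap):
        if flags & TCP_SYN and not flags & TCP_ACK:
            bare_syn[src] += 1
    return [(ip, n) for ip, n in bare_syn.most_common() if n >= threshold]


def fin_counts(pcap):
    """Per-source count of packets carrying FIN, useful for spotting FIN floods."""
    return Counter(src for src, _, flags in iter_tcp(pcap) if flags & TCP_FIN)


def top_talkers(pcap, n=3):
    """The n sources that sent the most TCP packets, like Statistics > Endpoints."""
    return Counter(src for src, _, _ in iter_tcp(pcap)).most_common(n)


# Constructed sample: 10.0.0.5 sends five bare SYNs, 10.0.0.6 two SYNs then an ACK,
# 10.0.0.7 one ACK and one FIN/ACK. None of these addresses are real hosts.
SAMPLE = build_pcap(
    [build_frame("10.0.0.5", "192.0.2.10", 40000 + i, 80, TCP_SYN) for i in range(5)]
    + [build_frame("10.0.0.6", "192.0.2.10", 50000, 80, TCP_SYN)] * 2
    + [build_frame("10.0.0.6", "192.0.2.10", 50000, 80, TCP_ACK)]
    + [build_frame("10.0.0.7", "192.0.2.10", 51000, 80, TCP_ACK),
       build_frame("10.0.0.7", "192.0.2.10", 51000, 80, TCP_FIN | TCP_ACK)]
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print("bare-SYN suspects:", syn_flood_suspects(data, 3))
    print("FIN senders:", fin_counts(data).most_common(3))
    print("top talkers:", top_talkers(data))
```

Run it with a real capture as the first argument (`python synflood.py capture.pcap`) or with no argument to use the embedded sample; the threshold of 3 is arbitrary and should be set from the server's normal connection rate. The pcapng format that newer Wireshark versions save by default is not parsed here, so export with "Save As" in classic pcap format first.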