Security Basics mailing list archives

Re: DOS attacks


From: Miles Stevenson <miles () mstevenson org>
Date: Mon, 9 Aug 2004 11:43:29 -0400

Paul, 
        I can appreciate your situation in that you want to find out more of what's 
going on, but if you know for sure that some of your users are launching 
attacks against others, you need to put an end to this behavior before you do 
anything else, whether or not you choose to simply disconnect them. This 
could mean blocking all of the malicious outbound traffic. 

        Once you have taken steps to mitigate further attacks, I would then analyze 
the outbound attack traffic. If you have this captured, run it through an IDS 
like Snort. This will help you to determine if this is worm/trojan traffic or 
not.

Good luck.

On Friday 06 August 2004 12:26 pm, Paul Ryan wrote:
Are there any forensic-type tools to assist me in the following situation?

I have a small group of my Internet customers attacking an external web
server. Rather than just cut them off, I've spoken to the server admin and
received his syslogs. What I would like to do is to get to the root cause,
whether it be purposely or a worm/Trojan.
Thus far I've Retina/Nessus scanned, profiled the traffic to the server
(to get a packet/bandwidth total). Is there anything else you can
recommend?

Any comments will be greatly appreciated.

Regards,

paul





-- 
Miles Stevenson
miles () mstevenson org
PGP FP: 035F 7D40 44A9 28FA 7453 BDF4 329F 889D 767D 2F63
