Quote:
Code:
netstat -atun | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c
Try not to concentrate only on the TCP data; check your Apache logs as well for which files are being accessed. This can help you narrow down and profile the attacker more, i.e. whether he is brute forcing a script on your server, gather his attack pattern, etc. Hope this helps.
Be careful with interpreting data; you might be thinking of legitimate users as the culprit DoSing your server.
As swordfish says, carefully inspect your access and error logs and consolidate hourly data for each IP. One thing to look out for as the culprit, based on my experience, is bogus HTTP requests, which are very hard to detect from the server level. Also look out for out-of-the-norm Apache error responses in your logs, i.e. aside from 500 and 404, some uncommon Apache error codes could've shown up in your logs from the last hour or so.
__________________
···dotmanila···
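The log consolidation suggested in the post above, as an added example that is not part of any post in this thread: it counts requests per IP per hour and tallies error statuses other than 404 and 500. It assumes the Apache common/combined log format with no escaped quotes in the request line; the function names and sample lines are constructed.

```shell
#!/bin/sh
# Added example: summarise an Apache access log (common/combined format).

# Constructed sample lines using documentation IP ranges, not real traffic.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [12/Mar/2024:14:01:02 +0000] "GET /index.php HTTP/1.1" 200 512
192.0.2.10 - - [12/Mar/2024:14:01:03 +0000] "GET /index.php HTTP/1.1" 200 512
192.0.2.10 - - [12/Mar/2024:14:02:10 +0000] "GET /login.php HTTP/1.1" 403 199
192.0.2.10 - - [12/Mar/2024:15:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
198.51.100.7 - - [12/Mar/2024:14:05:00 +0000] "GET / HTTP/1.1" 200 1024
198.51.100.7 - - [12/Mar/2024:14:05:09 +0000] "GARBAGE" 400 226
203.0.113.5 - - [12/Mar/2024:14:09:00 +0000] "GET /missing HTTP/1.1" 404 209
EOF
}

# hourly_by_ip: read a log on stdin, print "count hour ip", busiest first.
hourly_by_ip() {
    awk '{
        # $4 looks like [12/Mar/2024:14:01:02 ; keep the date and hour only
        hour = substr($4, 2, 14)
        n[hour " " $1]++
    }
    END { for (k in n) print n[k], k }' | sort -k1,1nr -k2
}

# odd_statuses: print "count ip status" for error codes other than 404/500.
# Splitting on the double quote keeps the status field in the same place
# even when the request line is malformed and has no spaces.
odd_statuses() {
    awk -F'"' '{
        split($1, pre, " ")     # pre[1] = client IP
        split($3, post, " ")    # post[1] = status code
        s = post[1]
        if (s >= 400 && s != 404 && s != 500) n[pre[1] " " s]++
    }
    END { for (k in n) print n[k], k }' | sort -k1,1nr -k2
}

# Demo on the constructed sample; for a real log, redirect the file instead,
# e.g. hourly_by_ip < access.log (log location depends on the distribution).
sample_log | hourly_by_ip
sample_log | odd_statuses
```

A high hourly count alone does not separate an attacker from a busy legitimate client, so read the two summaries together with the requested paths.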
Quote:
It would also help to ask for assistance from your network administrator/engineer. I would assume bringing attention of DoS to your server is that it is a busy and well visited website(s) and it is as well behind a managed network. From this point your network administrators/engineers can inspect the packets from the switch/firewall your server connects on.
Apparently, asking help from the network engineers incurs costs and I had to get authorization from the client. They are investigating the attack as I type.
However I still need to investigate this myself and give it a shot from the server level. I agree it will be harder but this can be a sort of training as well.