View Full Version : DoS Attack Problem


Sean
08-21-09, 08:08 AM
I keep getting all kinds of SYN Flood, UDP Flood, and Land Attacks
recorded in the firewall log of my router. They are attacks coming
from within the network. There are about 50 people connected to this
network with their personal laptops, etc. Any ideas how to catch the
culprits and stop the attacks? They keep causing the router to crash.
The IP addresses recorded are usually spoofed.

jelze
08-21-09, 12:24 PM
jelze had written this in response to
http://www.secure-gear.com/firewalls/DoS-Attack-Problem-31147-.htm :
You need to find a way to look at network traffic. Port mirroring,
network tap, using a hub, tcpdump/wireshark on the firewall (if it's
something sitting on an operating system: pfsense, monowall).

Grab the MAC address from the spoofed packets and check ARP tables on your
switches.

-------------------------------------
Sean wrote:

> I keep getting all kinds of SYN Flood, UDP Flood, and Land Attacks
> recorded in the firewall log of my router. They are attacks coming
> from within the network. There are about 50 people connected to this
> network with their personal laptops, etc. Any ideas how to catch the
> culprits and stop the attacks? They keep causing the router to crash.
> The IP addresses recorded are usually spoofed.

Techno_Guy
08-22-09, 11:26 PM
On Aug 21, 1:24 pm, formulals1_at_gmail_dot_...@foo.com (jelze) wrote:
> jelze had written this in response to http://www.secure-gear.com/firewalls/DoS-Attack-Problem-31147-.htm :
> You need to find a way to look at network traffic. Port mirroring,
> network tap, using a hub, tcpdump/wireshark on the firewall (if it's
> something sitting on an operating system: pfsense, monowall).
>
> Grab the MAC address from the spoofed packets and check ARP tables on your
> switches.
>
> -------------------------------------
>
> Sean wrote:
> > I keep getting all kinds of SYN Flood, UDP Flood, and Land Attacks
> > recorded in the firewall log of my router. They are attacks coming
> > from within the network. There are about 50 people connected to this
> > network with their personal laptops, etc. Any ideas how to catch the
> > culprits and stop the attacks? They keep causing the router to crash.
> > The IP addresses recorded are usually spoofed.

Layer 2 is the only way to find it if the IPs are spoofed. For that
matter they may be spoofing layer 2 as well. If that is the case, check
your switches for interface counters and see if one port is sending
a lot more traffic than another. Keep in mind, if you're VLANing, then your
trunk ports will be on that list of high traffic.

Once you find your high traffic ports/MAC addresses of the offender,
unplug them from the switch and verify if you're still having problems.

Just don't unplug your trunk ports unless you're willing to face the
wrath of the angry mob of users who will be looking to have your head
when they can't connect anymore to the network.

Good luck.
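As an added example, not from any poster in this thread, here is a small Python script in the spirit of jelze's and Techno_Guy's advice: it groups `tcpdump -e -nn` output by source MAC, flags MACs that claim several different source IPs or emit LAND packets (source IP equals destination IP), and maps each hit to a switch port. The capture lines, the MAC-to-port table and the tcpdump line format are constructed assumptions; if the sender forges the MAC as well, fall back to per-port interface counters as Techno_Guy describes.

```python
import re
from collections import defaultdict

# Constructed `tcpdump -e -nn` lines (assumed format, not a real capture):
# MAC ...55 sends SYNs from several spoofed source IPs plus one LAND packet;
# ...56 and ...57 are ordinary hosts doing one connection each.
SAMPLE = """\
12:00:01.000001 00:11:22:33:44:55 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 60: 10.0.0.77.4444 > 10.0.0.1.80: Flags [S], seq 1, win 512, length 0
12:00:01.000002 00:11:22:33:44:55 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 60: 172.16.9.9.4444 > 10.0.0.1.80: Flags [S], seq 1, win 512, length 0
12:00:01.000003 00:11:22:33:44:55 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 60: 203.0.113.5.4444 > 10.0.0.1.80: Flags [S], seq 1, win 512, length 0
12:00:01.000004 00:11:22:33:44:55 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 60: 10.0.0.1.80 > 10.0.0.1.80: Flags [S], seq 1, win 512, length 0
12:00:01.000005 00:11:22:33:44:56 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 60: 10.0.0.12.51000 > 10.0.0.1.443: Flags [S], seq 9, win 65535, length 0
12:00:01.000006 00:11:22:33:44:57 > 00:aa:bb:cc:dd:01, ethertype IPv4 (0x0800), length 74: 10.0.0.13.53011 > 10.0.0.1.53: UDP, length 32
"""

# Constructed switch MAC-address table (assumed), MAC -> port, as you would
# copy it from the switch's MAC table (e.g. `show mac address-table`).
MAC_TABLE = {"00:11:22:33:44:55": "Gi0/7", "00:11:22:33:44:56": "Gi0/3",
             "00:11:22:33:44:57": "Gi0/9", "00:aa:bb:cc:dd:01": "Gi0/24"}

LINE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}),.*?: "
    r"(?P<sip>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dip>\d+\.\d+\.\d+\.\d+)\.\d+: "
    r"(?P<rest>.*)$")

def summarize(capture):
    """Per source MAC: packet, SYN, UDP and LAND counts plus distinct source IPs."""
    stats = defaultdict(lambda: {"pkts": 0, "syn": 0, "udp": 0, "land": 0, "src_ips": set()})
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # non-IPv4 frame or a line we do not parse
        s = stats[m["smac"]]
        s["pkts"] += 1
        s["src_ips"].add(m["sip"])          # many IPs behind one MAC = spoofing
        s["syn"] += int(m["rest"].startswith("Flags [S]"))
        s["udp"] += int(m["rest"].startswith("UDP"))
        s["land"] += int(m["sip"] == m["dip"])  # LAND: source == destination
    return stats

def suspects(stats, min_src_ips=3):
    """MACs claiming >= min_src_ips source IPs or sending LAND packets, busiest first."""
    hits = [mac for mac, s in stats.items() if len(s["src_ips"]) >= min_src_ips or s["land"]]
    hits.sort(key=lambda mac: -stats[mac]["pkts"])
    return [(mac, MAC_TABLE.get(mac, "unknown port")) for mac in hits]

if __name__ == "__main__":
    for mac, port in suspects(summarize(SAMPLE)):
        print(f"{mac} on {port}")  # 00:11:22:33:44:55 on Gi0/7
```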