hi lyndon

On 12/03/15 at 05:54pm, Lyndon Nerenberg wrote:
> On Dec 3, 2015, at 5:00 PM, alvin nanog <nanogml@Mail.DDoS-Mitigator.net> wrote:
>> run tcpdump and/or ethereal to capture the DDoS attacks
>
> <face palm> Of course! If we had only thought of this sooner! </face palm> :-)
yupperz.. the problem is, capturing is nice, you have all this data ... now what ,,
all that tcpdump gibberish needs to be converted and presented in a format suitable
for the bean counters to allocate $$$ to mitigate and minimize the effects of the
"free n hopefully relatively harmless" DDoS attacks occurring every second

let's assume required services are properly configured and excluded
	- acl's only for your own dns queries
	- ssh only from specific ip#
	- ntp to/from your isp

let's assume you allow incoming ssh only from w.x.y.z ... all other connections are DoS attacks
	tcpdump -n -l ! host w.x.y.z and port 22

let's assume mail is your mail server .. all traffic NOT on port 25 are DoS attacks
	tcpdump -n -l host mail.example.com and ! port 25

let's assume www is your web server .. all traffic NOT on port 80 are DoS attacks
	tcpdump -n -l host www.example.com and ! port 80

if you are running all the services ( mail + apache + mysql ) on one server,
the remaining tcp connections are DoS attacks
	tcpdump -n -l host mail.example.com and \( ! port 25 and ! port 80 and ! port 3306 \)

let's assume dns is your dns server .. i consider all tcp traffic from outside as DoS attacks
	tcpdump -n -l tcp and host dns.example.com

to see possible udp attacks .. don't forget to exclude your own DNS and NTP queries
	tcpdump -n -l udp

to see possible icmp attacks
	tcpdump -n -l icmp

too many gazillions of options makes the world go round n round ... where does it end :-) ... it doesn't ...

if you get a screenful of data flying by of stuff you don't recognize, you're probably under light DDoS attacks

magic pixie dust
alvin

http://DDoS-Mitigator.net/cgi-bin/IPtables-GUI.pl
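The "now what" step alvin raises, as an added example that is not part of the thread: a small Python script that reads `tcpdump -n -l` output lines and tallies the packets falling outside an allowlist policy, per source address and destination port, so the screenful becomes a short table. The policy (ports 25 and 80 open to anyone, ssh only from 192.0.2.7 standing in for w.x.y.z) and the sample capture lines are constructed for this example.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n -l` output; not a real capture.
SAMPLE = """\
17:05:54.000001 IP 203.0.113.5.44321 > 198.51.100.10.22: Flags [S], seq 1, win 64240, length 0
17:05:54.000120 IP 203.0.113.5.44322 > 198.51.100.10.22: Flags [S], seq 2, win 64240, length 0
17:05:54.000300 IP 192.0.2.7.51000 > 198.51.100.10.22: Flags [S], seq 3, win 64240, length 0
17:05:54.000450 IP 203.0.113.9.60000 > 198.51.100.10.25: Flags [S], seq 4, win 64240, length 0
17:05:54.000600 IP 203.0.113.5.44323 > 198.51.100.10.3306: Flags [S], seq 5, win 64240, length 0
17:05:54.000700 IP 203.0.113.5.44324 > 198.51.100.10.80: Flags [S], seq 6, win 64240, length 0
"""

# timestamp IP src.sport > dst.dport: ...
LINE_RE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

# Assumed policy mirroring the post: mail (25) and web (80) are open to all,
# ssh (22) is allowed only from one management address (placeholder for w.x.y.z).
POLICY = {"open_ports": {25, 80}, "restricted": {22: {"192.0.2.7"}}}


def classify(line, policy):
    """Return (src, dport) for a packet outside policy, None if allowed or unparsed."""
    m = LINE_RE.match(line)
    if not m:
        return None  # non-IP or truncated lines are skipped rather than counted
    src, _sport, _dst, dport = m.groups()
    dport = int(dport)
    if dport in policy["open_ports"]:
        return None
    if src in policy["restricted"].get(dport, set()):
        return None
    return (src, dport)


def summarize(text, policy):
    """Count unexpected packets per (source, destination port), most frequent first."""
    counts = Counter()
    for line in text.splitlines():
        key = classify(line, policy)
        if key:
            counts[key] += 1
    return counts.most_common()


def report(text, policy):
    """Render the summary as a fixed-width table suitable for a non-technical reader."""
    rows = ["%-16s %6s %6s" % ("source", "dport", "pkts")]
    for (src, dport), n in summarize(text, policy):
        rows.append("%-16s %6d %6d" % (src, dport, n))
    return "\n".join(rows)


if __name__ == "__main__":
    print(report(SAMPLE, POLICY))
```

Pipe a live capture in with `tcpdump -n -l ... | python3 script.py` by reading `sys.stdin` instead of `SAMPLE`; the filter expressions from the post already drop the expected traffic, so the table is the leftover.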