Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations Chriss Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
Win2000 Server generating a DOS attack
- Thread starter rjs
- Start date
It could really be caused by any number of things. What services are they running? Are they connected to the internet? What ports do they have open? What ports are supposed to be open?
Hopefully when you built these machines, you noted or you know now what ports are supposed to be open. Take a look at 'netstat -na' and see what ports are actually open. Granted if you did get compromised, these may not show up, so port scan your servers and see if they see any rogue servers.
As far as I know, most of the common DOS agents work on Win2k also. You are going to have to do some serious recon work on these servers. Note the open ports, the running services, server load and where that load is coming from.
If this doesn't point you in the right direction, give us some more details to try and isolate the problem a bit. Have you tried to capture any of the packets to see where they were destined for, seen if there is any other rogue traffic on your net (ie at a relatively quiet time sniff you net and see if there are any servers trying to connect to you or anything inside trying to connect to something out of the ordinary on the outside (ie an IRC server, as is common for DDOS clients.)
Hope this helps,
Paul
Hopefully when you built these machines, you noted or you know now what ports are supposed to be open. Take a look at 'netstat -na' and see what ports are actually open. Granted if you did get compromised, these may not show up, so port scan your servers and see if they see any rogue servers.
As far as I know, most of the common DOS agents work on Win2k also. You are going to have to do some serious recon work on these servers. Note the open ports, the running services, server load and where that load is coming from.
If this doesn't point you in the right direction, give us some more details to try and isolate the problem a bit. Have you tried to capture any of the packets to see where they were destined for, seen if there is any other rogue traffic on your net (ie at a relatively quiet time sniff you net and see if there are any servers trying to connect to you or anything inside trying to connect to something out of the ordinary on the outside (ie an IRC server, as is common for DDOS clients.)
Hope this helps,
Paul
- Thread starter
- #3
The servers were creating major ICMP (hosts?) traffic as reported by our upstream provider. We blocked all outbound ICMP traffic at the router from the affected servers and that solved the problem. But when we look at the router to see dropped packets from the servers, there was none.
The outbound traffic was going to random IP addresses. We are digging into the servers to see if we can find what was causing it.
The outbound traffic was going to random IP addresses. We are digging into the servers to see if we can find what was causing it.
iSeriesCodePoet
Programmer
I would also run a virus scan, it may pick up the zombie (DDOS Client) that you have running on your machine.
Mike Wills
RPG Programmer
"I am bad at math because God forgot to include math.h into my programming!"
Please let us (Tek-Tips members) know if the solutions I provide are helpful to you. Not only do my posts help you but they may help others.
Mike Wills
RPG Programmer
"I am bad at math because God forgot to include math.h into my programming!"
Please let us (Tek-Tips members) know if the solutions I provide are helpful to you. Not only do my posts help you but they may help others.
- Status
Similar threads
- Locked
- Question
- Locked
- Question