
DoS attack questions


Villan
04-23-2005, 08:29
Hi, I'm wondering if there are ways of showing DoS attacks, e.g. with a command in ssh like netstat, and what "counter-measures" I can use if I do get DoS'd.

Thanks in advance, as any help is useful.

Villan

computerguy
04-23-2005, 09:34
There is no command to show a DoS attack that I know of. There is a firewall out there that will help to prevent attacks, but it's $10,000 and I don't remember which one it is...

psyxakias
04-23-2005, 19:04
There are several utilities that you may use to view your server's traffic, which may help you check whether you're being attacked, i.e. tcpdump, trafshow, tcpstat, iftop, etc.

Regarding the firewall hardware that computerguy mentioned: if you're receiving attacks you may try sharktech's filtering services instead of buying your own firewall.

Keith
04-28-2005, 23:39
Don't waste your time or money on a firewall when it comes to DDoS attacks.

DDoS attacks can bring down select servers fast and easily, BUT if you have multiple servers in different places your network will still survive.

DDoS attacks are unpreventable because they happen, and don't let people rip you off trying to sell you a firewall that "stops" DDoS attacks.

The only thing you can really do to prevent DDoS is not piss people off, or get a larger network so you don't feel the effects as much.

psyxakias
04-29-2005, 12:00
Keith,
I agree with you that trying not to piss off people may prevent you from receiving some of the attacks, but not all of them, as things aren't that simple. There are a billion reasons that someone may launch an attack against your business, especially if there is a lot of competition, so you cannot always prevent people from hitting you.

However, I disagree with your statement "don't let people rip you off trying to sell you a firewall that stops DDoS attacks". A very well configured network firewall can really help to decrease or even totally eliminate DDoS attacks' effects. If network firewalls with proper network topologies could not stop attacks, then the Internet would no longer exist.

So I don't see what the problem is with using firewalls, unless you meant some cheap PCI cards that people advertise claiming that they will stop any kind of attack, which I wouldn't even describe as "firewalls". I've never used these PCI "firewall" products, but I really doubt they can fully replace a firewall.

Keith
04-29-2005, 12:33
psyxakias
I don't agree with "A very well configured network firewall can really help on decreasing or even totally eliminate DDoS attacks' effects. If network firewalls with proper network topologies could not stop attacks, then Internet would no longer exist."

If the person doing the attack has a large enough amount of packets or a botnet then anything is possible. If you can route packets off with the firewall then OK, maybe it helps, but if it's not a newbie attack then your site will go down.

psyxakias
04-29-2005, 13:02
Keith, there is no doubt that it depends on how big the attack is and what the firewall's specifications are, but generally saying "anything is possible" doesn't satisfy me. There are firewalls that can defend against huge DDoS botnet attacks as long as they don't reach their bps/pps limits, without even blocking IPs or ports. But generally claiming that firewalls cannot do anything and that people who sell them are trying to rip people off isn't really right.

Anyway, I'm not planning to start arguing about what firewalls can and cannot do. Everybody can have his/her own opinion, which is respected, and I believe we both clearly showed our point in this discussion.

Villan, so how did it go? Did you try the utilities I recommended? Did they help you check whether you're being attacked?

ChronoCross
04-29-2005, 15:08
DoS attacks can be stopped if your network config is proper. Between routers, firewalls, etc. you can filter them out pretty easily. If that weren't the case, both Microsoft and Google would still be down right now, since they get attacked pretty much 24/7, 365.

Villan
05-01-2005, 10:16
Well, I've tried tcpstat and tcpdump.

They are both good while the server is up and functioning properly, but as I found 5 mins ago, even a small DoS slowed it down.

(I think it was a DoS)
CPU0 states: 87.0% user 12.0% system 0.0% nice 0.0% iowait 0.0% idle
CPU1 states: 0.0% user 100.0% system 0.0% nice 0.0% iowait 0.0% idle

It was lagging me off, and both my IRC and bouncer pinged out. I managed to get that ^^ when I got into the shell for about 30 seconds.

Everything is back now though.

Can you give me an example of what I'd expect to see on tcpstat if I was being DoSed?

Thanks

Villan
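As an added illustration for the question above (this is not code from the thread): a small Python script that summarises `netstat -ant` style output, the kind of check the first post asked about, and flags two patterns a defender looks for, a pile of half-open SYN_RECV connections from many peers and a single peer holding an unusual number of connections. The netstat lines, addresses and thresholds are constructed for the example.

```python
# Added example, not from the thread: summarise netstat-style output to
# spot connection floods. Sample rows below are constructed, not real traffic.
from collections import Counter

# Constructed sample of `netstat -ant` output (Linux format).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.10:6667       198.51.100.7:51022      ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.1:40001         SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.2:40002         SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.3:40003         SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.4:40004         SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.9:50001      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.9:50002      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.9:50003      ESTABLISHED
"""

def parse_netstat(text):
    """Return (local_port, remote_ip, state) for each TCP row with a peer."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue                        # header line or non-TCP row
        local, foreign, state = parts[3], parts[4], parts[5]
        if foreign.endswith(":*"):          # listening socket, no peer
            continue
        rows.append((local.rsplit(":", 1)[1], foreign.rsplit(":", 1)[0], state))
    return rows

def summarize(rows, syn_threshold=3, per_ip_threshold=3):
    """Count rows by state and peer; thresholds are low to trip on the sample."""
    by_state = Counter(state for _, _, state in rows)
    by_ip = Counter(ip for _, ip, _ in rows)
    half_open_peers = {ip for _, ip, st in rows if st == "SYN_RECV"}
    warnings = []
    if by_state["SYN_RECV"] >= syn_threshold:
        warnings.append(f"{by_state['SYN_RECV']} half-open connections from "
                        f"{len(half_open_peers)} peers (possible SYN flood)")
    for ip, n in by_ip.most_common():       # most connections first
        if n >= per_ip_threshold:
            warnings.append(f"{ip} holds {n} connections (possible single-source flood)")
    return by_state, by_ip, warnings

if __name__ == "__main__":
    states, ips, alerts = summarize(parse_netstat(SAMPLE_NETSTAT))
    print(dict(states), *alerts, sep="\n")
```

On a host that is already saturated, as in the top output quoted above, netstat itself may take a long time to return, and a pure bandwidth flood shows up in interface counters (ifconfig, iftop) rather than in the connection table at all.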