Re: DOS attack from AS
Date: Fri, 30 May 2008 09:01:08 -0700 (PDT)
I'm guessing you were always too late to catch the DOS. If that's not the case, we can easily find out who and what is doing it. A simple netstat -an or tail -f Apache access log is all you need on the server side. Then go to the client. This may be harder than expected. Knowing the IP doesn't necessarily mean where to go. nbtstat -A <IP> may reveal more info, sometimes users logged onto the client Windows box. Search for the IP or its hostname in Intranet site may help too. On the client, netstat -ano to find the process connecting to your server. Find the full path of the process with Process Explorer or tlist.
> Date: Thu, 29 May 2008 10:36:21 -0400
> From: Louis BROUILLETTE <Louis.Brouillette_at_uqtr.ca>
> Subject: DOS attack from AS
> Once in a while (maybe once a month), our intranet is a victim of
> what I would call a DOS. Our application server (AS 10.1.2.2)
> receives hundreds of requests (all the same request with the same
> parameters) from the a user in a few minutes for a modplsql
> application. It's impossible for a person to send so much requests
> in that period of time. It floods the db (10.2.0.3) and everyone hangs.
> Each time, it's a different user. Our PC experts scanned the PCs
> with a variety of antivirus and anti-spyware but found nothing
> suspicious. Anyone else have experienced something like that ?
> Louis Brouillette
> Analyste en informatique (DBA)
> Universite du Quebec a Trois-Rivieres
> Tel: (819) 376-5011 ext. 2435
> Email: brouille_at_uqtr.ca