• Is this a DOS attack?

    From gamo@110:110/2002 to All on Sat Jul 5 06:17:15 2014

    I run tcpdump and find this information

    1016 packets captured
    6308 packets received by filter
    4939 packets dropped by kernel

    TIA


    --
    http://www.telecable.es/personales/gamo/

    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: Aioe.org NNTP Server (110:110/2002@linuxnet)
  • From Tauno Voipio@110:110/2002 to All on Sat Jul 5 11:31:21 2014
    On 5.7.14 09:17, gamo wrote:

    I run tcpdump and find this information

    1016 packets captured
    6308 packets received by filter
    4939 packets dropped by kernel

    TIA


    This says only something about the amount of traffic.

    Have a look at the firewall logs, you can start with:

    /var/log/syslog
    /var/log/messages.

    To me it seems normal cracker portscan activity, most
    of which is sent directly to the bit bucket.

    --

    Tauno Voipio



    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: A noiseless patient Spider (110:110/2002@linuxnet)
  • From Johannes Bauer@110:110/2002 to All on Sat Jul 5 16:45:53 2014
    On 05.07.2014 13:31, Tauno Voipio wrote:
    On 5.7.14 09:17, gamo wrote:

    I run tcpdump and find this information

    1016 packets captured
    6308 packets received by filter
    4939 packets dropped by kernel

    So you captured some packets and lost others, probably due to high CPU
    load. To answer your question, no, this is NOT an indication of a DoS
    attack.

    To me it seems normal cracker portscan activity, most
    of which is sent directly to the bit bucket.

    What? How would you even get that idea? He's not even supplied what he's
    filtering on! You must have a remarkable crystal ball to be able to see
    inside a PCAP from just looking at how many packets are captured and
    dropped.

    Cheers,
    Johannes

    --
    Where exactly did you predict the earthquake again?
    At least not publicly!
    Ah, the latest and to date most ingenious trick of our great
    cosmologists: the secret prediction.
    - Karl Kaos on Rüdiger Thomas in dsa <hidbv3$om2$1@speranza.aioe.org>

    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: albasani.net (110:110/2002@linuxnet)
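    Johannes's reading of the three counters, written out as a small parser so the distinction is concrete. This is an added example, not code from the thread or from tcpdump itself; the 10% loss threshold and the list of remedies are the example's own assumptions (the tcpdump options it names, -B, -w and -n, are real options).

    ```python
    import re

    # Constructed sample: the three summary lines tcpdump prints when it exits,
    # using the figures quoted in the thread.
    SAMPLE_RUN = """\
    1016 packets captured
    6308 packets received by filter
    4939 packets dropped by kernel
    """

    STAT_RE = re.compile(
        r"^\s*(\d+) packets (captured|received by filter|dropped by kernel)\s*$",
        re.MULTILINE,
    )


    def parse_tcpdump_stats(text):
        """Return {'captured': n, 'received by filter': n, 'dropped by kernel': n}."""
        stats = {key: int(count) for count, key in STAT_RE.findall(text)}
        missing = {"captured", "received by filter", "dropped by kernel"} - stats.keys()
        if missing:
            raise ValueError("incomplete tcpdump summary, missing: %s" % sorted(missing))
        return stats


    def assess_capture(stats, loss_threshold=0.10):
        """Interpret the counters from the sniffer's point of view.

        'dropped by kernel' counts packets the OS could not hand to tcpdump because
        the capture buffer was already full: the host still received them, only the
        sniffer lost them.  The ratio therefore measures capture loss, not an attack.
        loss_threshold is an assumption made for this example, not a tcpdump constant.
        """
        received = stats["received by filter"]
        dropped = stats["dropped by kernel"]
        drop_rate = dropped / received if received else 0.0
        advice = []
        if drop_rate > loss_threshold:
            advice = [
                "raise the kernel capture buffer (tcpdump -B <size in KiB>)",
                "narrow the BPF filter so fewer packets reach user space",
                "write raw frames with -w and analyse them later instead of decoding live",
                "use -n so the live decode does not stall on DNS lookups",
            ]
        return {
            "drop_rate": drop_rate,
            "capture_loss": drop_rate > loss_threshold,
            # The summary carries no packet content at all, so it cannot show a DoS.
            "dos_evidence": False,
            "advice": advice,
        }


    if __name__ == "__main__":
        result = assess_capture(parse_tcpdump_stats(SAMPLE_RUN))
        print("capture loss: %.1f%% of packets seen by the filter" % (100 * result["drop_rate"]))
        for line in result["advice"]:
            print(" -", line)
    ```

    Run it on the figures from the thread and it reports roughly 78% capture loss, i.e. the sniffer, not the host, was overwhelmed; the suggested fixes all reduce the work done per packet on the tcpdump side.
    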
  • From Tauno Voipio@110:110/2002 to All on Sat Jul 5 18:35:11 2014
    On 5.7.14 19:45, Johannes Bauer wrote:
    On 05.07.2014 13:31, Tauno Voipio wrote:
    On 5.7.14 09:17, gamo wrote:

    I run tcpdump and find this information

    1016 packets captured
    6308 packets received by filter
    4939 packets dropped by kernel

    So you captured some packets and lost others, probably due to high CPU
    load. To answer your question, no, this is NOT an indication of a DoS
    attack.

    To me it seems normal cracker portscan activity, most
    of which is sent directly to the bit bucket.

    What? How would you even get that idea? He's not even supplied what he's
    filtering on! You must have a remarkable crystal ball to be able to see
    inside a PCAP from just looking at how many packets are captured and
    dropped.

    Cheers,
    Johannes


    No, it was just a wild guess, based on the info given.

    There is a pretty constant flow of portscans to nearly
    all computers directly connected to the Net.

    Want a piece of my firewall log?

    --

    -TV


    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: A noiseless patient Spider (110:110/2002@linuxnet)
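    Tauno's two suggestions, look at the firewall log rather than the capture counters, and expect a steady background of portscans, can be turned into a simple triage of netfilter LOG lines from /var/log/syslog or /var/log/messages. This is an added example, not code from the thread: the log lines are constructed (documentation IP ranges, invented timestamps, a made-up "FW-DROP" log prefix), and the thresholds of 5 distinct ports and 20 packets are assumptions chosen for the example.

    ```python
    import re
    from collections import defaultdict


    def _log_line(ts, src, dpt, proto="TCP"):
        """Build one constructed netfilter LOG-target line in syslog layout."""
        return ("Jul  5 %s host kernel: [ 1234.567890] FW-DROP IN=eth0 OUT= "
                "MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=%s DST=198.51.100.2 "
                "LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=54321 PROTO=%s SPT=4444 DPT=%d "
                "WINDOW=1024 RES=0x00 SYN URGP=0" % (ts, src, proto, dpt))


    # Constructed sample log: three sources with different patterns plus an
    # unrelated cron line that the parser must ignore.
    SAMPLE_LOG = "\n".join(
        # one probe per port from a single host: the usual port sweep
        [_log_line("06:10:%02d" % i, "203.0.113.7", port)
         for i, port in enumerate([21, 22, 23, 25, 80, 110, 143, 443, 3306, 8080])]
        # many packets to one port from another host: volume, not a sweep
        + [_log_line("06:11:%02d" % i, "203.0.113.9", 80) for i in range(25)]
        # two stray hits on ssh from a third host
        + [_log_line("06:12:01", "203.0.113.20", 22), _log_line("06:12:05", "203.0.113.20", 22)]
        # not a firewall event at all
        + ["Jul  5 06:12:30 host cron[123]: (root) CMD (run-parts /etc/cron.hourly)"]
    )

    FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


    def parse_fw_events(text):
        """Extract SRC/DST/PROTO/DPT from netfilter LOG lines; other lines are skipped."""
        events = []
        for line in text.splitlines():
            if " kernel: " not in line or "SRC=" not in line:
                continue
            fields = dict(FIELD_RE.findall(line))
            if "SRC" in fields and "DPT" in fields:   # ICMP lines carry no DPT
                fields["DPT"] = int(fields["DPT"])
                events.append(fields)
        return events


    def summarise_sources(events, sweep_ports=5, flood_packets=20):
        """Group events by source and label the pattern (thresholds are assumptions)."""
        per_src = defaultdict(lambda: {"packets": 0, "ports": set()})
        for ev in events:
            per_src[ev["SRC"]]["packets"] += 1
            per_src[ev["SRC"]]["ports"].add(ev["DPT"])
        summary = {}
        for src, info in per_src.items():
            n_ports = len(info["ports"])
            if n_ports >= sweep_ports:
                label = "port sweep"            # many ports, typically one probe each
            elif info["packets"] >= flood_packets and n_ports <= 2:
                label = "high volume to few ports"   # worth a closer look
            else:
                label = "background noise"
            summary[src] = {"packets": info["packets"], "distinct_ports": n_ports, "label": label}
        return summary


    if __name__ == "__main__":
        for src, info in sorted(summarise_sources(parse_fw_events(SAMPLE_LOG)).items()):
            print("%-14s %3d packets  %2d ports  %s" % (src, info["packets"], info["distinct_ports"], info["label"]))
    ```

    The point of the grouping is that a firewall log answers the question the tcpdump counters cannot: how many sources there are, whether they touch many ports or hammer one, and how the volume compares with the usual scan background; a DoS would show up as volume and persistence in these lines, not in the sniffer's drop count.
    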
  • From gamo@110:110/2002 to All on Sat Jul 5 19:39:54 2014
    On 05/07/14 18:45, Johannes Bauer wrote:
    1016 packets captured
    6308 packets received by filter
    4939 packets dropped by kernel

    So you captured some packets and lost others, probably due to high CPU
    load. To answer your question, no, this is NOT an indication of a DoS
    attack.


    Is it normal? To drop five packets to get one useful?

    --
    http://www.telecable.es/personales/gamo/

    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: Aioe.org NNTP Server (110:110/2002@linuxnet)
  • From Doug Laidlaw@110:110/2002 to All on Mon Jul 7 22:16:54 2014
    gamo wrote:

    On 05/07/14 18:45, Johannes Bauer wrote:
    1016 packets captured
    6308 packets received by filter
    4939 packets dropped by kernel

    So you captured some packets and lost others, probably due to high CPU
    load. To answer your question, no, this is NOT an indication of a DoS
    attack.


    Is it normal? To drop five packets to get one useful?

    Yes, it is normal. It says somewhere that when packets are dropped by the kernel, they didn't make it to the output. That is all. Whether those figures are normal, I can't say, but Johannes says it is normal.

    A DoS attack means "Denial of Service." Is there anybody who would want to block you?

    A DoS attack has to have a motive. Is your address of such value to justify one? Ancestry.com is still recovering from an attack that had a ransom demand associated.



    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: Aioe.org NNTP Server (110:110/2002@linuxnet)
  • From Marc Haber@1:0/0 to All on Tue Jul 8 05:50:29 2014
    gamo <gamo@telecable.es> wrote:
    I run tcpdump and find this information

    1016 packets captured
    6308 packets received by filter
    4939 packets dropped by kernel

    This is impossible to say with this tiny amount of information.

    Greetings
    Marc
    --
    -------------------------------------- !! No courtesy copies, please !! -----
    Marc Haber         | " Questions are the         | Mail address in header
    Mannheim, Germany  |  Beginning of Wisdom "      | http://www.zugschlus.de/
    Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834

    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: private site, see http://www.zugschlus.de/ f
  • From gamo@110:110/2002 to All on Tue Jul 8 19:11:58 2014
    On 08/07/14 07:50, Marc Haber wrote:
    gamo <gamo@telecable.es> wrote:
    I run tcpdump and find this information

    1016 packets captured
    6308 packets received by filter
    4939 packets dropped by kernel

    This is impossible to say with this tiny amount of information.

    Greetings
    Marc


    Thanks, anyway.

    --
    http://www.telecable.es/personales/gamo/

    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: Aioe.org NNTP Server (110:110/2002@linuxnet)