RE: DOS attack from AS

A combination of tcpdump + wireshark will solve this for you as well.  As soon 
as the dos starts, capture a pile of network traffic on the app server, and 
take a look at who is connecting.  Wireshark even knows how to parse all sorts 
of traffic.

Thanks,
Matt

--
Matthew Zito
Chief Scientist
GridApp Systems
P: 646-452-4090
mzito@xxxxxxxxxxx
http://www.gridapp.com



-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx on behalf of Job Miller
Sent: Thu 5/29/2008 11:32 AM
To: Louis.Brouillette@xxxxxxx; oracle-l@xxxxxxxxxxxxx
Subject: Re: DOS attack from AS
 
Oracle.com experiences this also.
 
Take a look at page 9 of this document:
 
http://www.oracle.com/technology/products/oem/pdf/twp_uxinsight_implementation_case_study.pdf
 
It talks about how Oracle uses UXInsight to see the impact on performance of 
this and identify the offenders, by IP (and other network packet data collected 
from the attacking packets)
 
interesting stuff.
 
Job


Louis BROUILLETTE <Louis.Brouillette@xxxxxxx> wrote:

        Once in a while (maybe once a month), our intranet is a victim of 
        what I would call a DOS. Our application server (AS 10.1.2.2) 
        receives hundreds of requests (all the same request with the same 
        parameters) from the a user in a few minutes for a modplsql 
        application. It's impossible for a person to send so much requests 
        in that period of time. It floods the db (10.2.0.3) and everyone hangs.
        
        Each time, it's a different user. Our PC experts scanned the PCs 
        with a variety of antivirus and anti-spyware but found nothing 
        suspicious. Anyone else have experienced something like that ?
        
        Louis Brouillette
        Analyste en informatique (DBA)
        Universite du Quebec a Trois-Rivieres
        Tel: (819) 376-5011 ext. 2435
        Email: brouille@xxxxxxx 
        
        --
        http://www.freelists.org/webpage/oracle-l

Other related posts: