LinuxQuestions.org
07-19-2011, 08:06 AM   #1
finkelstein
LQ Newbie
 
Registered: Jul 2011
Location: NGC 891
Distribution: Fedora 15
Posts: 4

Rep: Reputation: Disabled
ddos network traffic monitor graphs


Greetings,
Just need some help on interpreting some network traffic data which was captured during a DDoS. It was mailed to me from a friend who runs the server, but perhaps a more learned interpretation would help my understanding of the situation.
Here are two screenshots:

http://i51.tinypic.com/2emzsj4.jpg

http://i53.tinypic.com/2pyrmtu.jpg

I have limited knowledge on the subject but from first hand it seems to me that the server is poorly configured, as such a low number of requests / traffic shouldn't have been able to bring the site down. Going on the data represented in the graphs, what conclusions could one draw on the efficiency of the server config to prevent such attacks in future? Is it indeed badly configured?
As a novice in such matters, any feedback would definitely help with my understanding of the subject.

All feedback very welcome.

Finkelstein
 
07-19-2011, 09:37 AM   #2
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,894

Rep: Reputation: 774
Are you sure that it is a true DDoS? You certainly can't tell from those graphs. And something like slow_loris can bring down a server with very low traffic rates and can look quite similar to a DDoS.

Anyway, it probably is a sub-optimal configuration, but what kind you couldn't really tell without a load more detail.
 
07-19-2011, 10:05 AM   #3
finkelstein
LQ Newbie
 
Registered: Jul 2011
Location: NGC 891
Distribution: Fedora 15
Posts: 4

Original Poster
Rep: Reputation: Disabled
Thanks salasi,
So what could have been responsible for the blue peak and what does this actually represent in terms of request volumes? It does look quite menacing in pic1.
 
07-19-2011, 11:29 AM   #4
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 3,894

Rep: Reputation: 774
Err, almost anything. It could be a DoS, it could be a DDoS (and given that the countermeasures could be far simpler for a DoS, it is not merely an idle, semantic distinction), it could be something to do with the site content (assuming that it has content - you haven't said whether it does, but it is a strong possibility), it could be anything that makes this content suddenly more popular, or it could be a massively popular site mistakenly linking to your site.

As you seem to be unwilling to add the kind of evidence (any?) that has either persuaded you or could persuade someone else that this is a DDoS, is there really any point in carrying on with this thread?
 
07-19-2011, 11:40 AM   #5
finkelstein
LQ Newbie
 
Registered: Jul 2011
Location: NGC 891
Distribution: Fedora 15
Posts: 4

Original Poster
Rep: Reputation: Disabled
Sorry for being so vague, salasi. The site does have content. I was told it was a very hard DDoS, but judging by the basic stats in the graphs I can't think it could have been that large an attack? I was just wanting to know what someone with expert knowledge or experience could make of the data in the graphs.

finkelstein
 
07-19-2011, 04:01 PM   #6
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 781
Blog Entries: 8

Rep: Reputation: 157
You don't use graphs to investigate possible DoS and DDoS activity. And you wouldn't believe how many people that visit the forums think they're under attack when it's something else entirely (as salasi mentioned above).

A simple search of these forums should help you a bit with using the proper tools and assessment of denial-of-service-like activity. Once that is done, supply some supporting information that isn't a chart. Do this and you'll be helping the people that want to help you investigate.
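
Added example, not part of the thread or written by any poster: one way to produce the kind of non-chart evidence asked for above, by checking whether a burst of web hits comes mostly from one client, from many clients following one external link, or from many unrelated clients. It assumes the server writes Apache/nginx "combined" format access logs; the function names, the 0.5 thresholds and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Combined log format: ip, identd, user, [time], "request", status, bytes, "referer", "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"'
)

def make_line(ip, path, referer="-"):
    """Build one constructed log line (sample data, not from the thread)."""
    return (f'{ip} - - [19/Jul/2011:08:00:00 -0500] "GET {path} HTTP/1.1" '
            f'200 512 "{referer}" "Mozilla/5.0"')

def top_share(values, total):
    """Most common value and the fraction of all hits it accounts for."""
    if not values:
        return None, 0.0
    value, count = Counter(values).most_common(1)[0]
    return value, count / total

def triage(lines, ip_threshold=0.5, referer_threshold=0.5):
    """Classify a burst of hits; both thresholds are illustrative assumptions."""
    hits = [m.groupdict() for m in map(LINE_RE.match, lines) if m]
    if not hits:
        return {"verdict": "no-data", "hits": 0}
    total = len(hits)
    ip, ip_share = top_share([h["ip"] for h in hits], total)
    referers = [h["referer"] for h in hits if h["referer"] not in ("", "-")]
    referer, referer_share = top_share(referers, total)
    if ip_share >= ip_threshold:
        verdict = "single-source"      # one client dominates: DoS candidate
    elif referer_share >= referer_threshold:
        verdict = "referral-surge"     # many clients arriving from one linking page
    else:
        verdict = "many-sources"       # spread out, no common origin: needs a deeper look
    return {"verdict": verdict, "hits": total, "sources": len({h["ip"] for h in hits}),
            "top_ip": ip, "top_ip_share": round(ip_share, 2),
            "top_referer": referer, "top_referer_share": round(referer_share, 2)}

if __name__ == "__main__":
    one_client = [make_line("203.0.113.7", "/")] * 80 + \
                 [make_line(f"198.51.100.{i}", "/") for i in range(20)]
    linked = [make_line(f"198.51.100.{i}", "/article", "http://news.example/story")
              for i in range(100)]
    spread = [make_line(f"198.51.100.{i}", "/") for i in range(100)]
    for name, sample in (("one_client", one_client), ("linked", linked), ("spread", spread)):
        print(name, triage(sample))
```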
 
  

