System/script to detect outgoing DOS flood?

#1, 10-16-2010 (Join Date: Jul 2009)

Hi, I run a Centos server that quite a few people have access to. I trust every user on the system, but I've had problems before like one user's account ...
#2, 10-18-2010
This kind of thing is hard to find out. There are several kinds of DOS attacks and each is different. I know of no software/tool that could detect that easily because there (probably) is no deterministic way to determine if the computer is being used for a (d)dos attack. All detection modes that I can think of would produce a high level of false alarms. To list some:
- monitor used outgoing bandwidth
- monitor actual packet count
- monitor packet rate for specific protocols that often are used for DOS attacks (i.e. http, https, icmp, dns, ...)
- monitor logged in users, their connected timespan and the source ip for their login
With these you can determine what is normal and identify some threshold later that raises an alarm, or detect if a user on your system was hijacked. But I really don't think that this system would really work. If this system raises a false alarm each day it is just as useful as no alarm, because you would probably not investigate a real alarm. Who really wants to investigate every day if a false alarm was a real alarm?
I would regard hijack-prevention as a more realistic approach to this problem. Good countermeasures are:
- force all your users to use a very safe password that is hard to brute-force
- force all your users to use ssh keys over passwords [and when one user logs in with a password, raise an alarm because you know it is none of your trusted users]
- use fail2ban to prevent brute-force attacks from being successful; in combination with a good password I consider a system safe (unless there is some bogus/bug that can work around the login)
Last edited by Kloschüssel; 10-18-2010 at 10:09 AM.