It's morning, but very late. You get up and you know that today is a special day. It's Saturday, and so a nice day of relaxing and goofing off lies ahead.
You walk to the coffee machine but your glance falls on your mobile. Turn it on or leave it off? That is the dilemma. Of course I turn it on; it's Saturday and everything is perfect.
Beep, beep... beep, beep... 7 missed calls. The CEO of Micso, colleague 1, colleague 2, colleague 3, client 1, client 2, client 3.
OK, the coffee can wait; the Saturday of relaxing and goofing off is postponed. I'm about to have a déjà vu. Something bad has happened at Micso.
Time to get online and call His Holiness, the CEO of the company I work for. From the background noise I immediately sense that he is in the server farm, so the situation isn't just tragic, it's worse!
In short, it seems that the firewall that manages and protects our network is frozen.
Well, let's start. Aim of the game: understand where the problem is and get the network back up. The enemies: time, network complexity, and the fact that right now I'm remote and therefore unable to reach any machine, the firewall included.
Let's see how to proceed.
Step 1 - Shut down and reboot
Like any good computer person, I know the basic rule of the game. If a computer doesn't work, some service or the kernel has probably crashed. Turn it off and on again, hoping that the problem will magically resolve itself.
So I have our CEO reboot the firewall and watch with my fingers crossed.
The result is that the machine comes back up, but when it gets to loading the firewall rules it seems to load one rule at a time, extremely slowly.
From the way the machine crashes as soon as it starts, it quickly becomes clear that the problem is not software but the network. Undoubtedly, somewhere, an abnormal amount of traffic is arriving, so much that the firewall can't cope with it and collapses.
The next step is obvious.
Step 2 - Disconnect everything
I have all the network cables disconnected from the firewall, which immediately catches its breath. OK. Now the network cables get plugged back in, very slowly, one at a time.
First the one for our own office machines. Everything OK, the firewall still works. Then the cable to the Internet. Still all OK. Now I can finally log in to the firewall.
Finally the cable to the server farm. Boom, crash, whoosh. Nothing works any more. OK, the problem, as anticipated, is in the server farm.
Undoubtedly there is some machine in there raising hell. This was easy to guess: if the attack had come from outside, there would have been enough bandwidth to saturate and kill the firewall, and so the firewall would have crashed as soon as the Internet cable was plugged in. But it crashed only now.
Since it's impossible to work on the firewall with the server farm cable connected, to understand who and what is slowing everything down we have to go step by step.
Step 3 - Identify the service under attack
First, let's see whether one particular service is being hammered.
I start iptraf on the firewall listening on the server farm interface, plug the network cable in for ten seconds, and pull it immediately afterwards to regain control of the firewall.
The result is obvious.
Someone is misbehaving on port 53, that is, flooding the DNS with requests. Let's see who.
Step 4 - Identify the attackers
That is now very simple. We run tcpdump on the firewall, listening on the server farm network interface, capturing every packet to or from port 53 and writing everything to a file:
tcpdump -i eth1 -w tcpdump_attacco.dump port 53
Plug the server farm cable in for ten seconds, then pull it to regain control of the firewall. Download the file to the PC at home and analyze it with Wireshark.
Oh, we finally have an IP, and so the culprit.
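What the Wireshark step does by hand can also be done with a few lines of code, which is handy when the capture is large or you are on a box without a GUI. The following is an added example and not part of the original post or of Micso's tooling: it reads a capture in the classic pcap format that `tcpdump -w` writes (Ethernet link type) and ranks source IPs by how many packets they sent to UDP port 53, so the flooding host stands out at the top. Replies from the resolver (source port 53) are deliberately not counted. The capture it analyses is constructed in-line so the script runs offline; the addresses in 10.0.0.0/24 and the packet counts are assumptions, not data from the incident. Pass a real file such as `tcpdump_attacco.dump` as the first argument to run it on an actual capture.

```python
import socket
import struct
from collections import Counter

# Classic libpcap constants (added example; not code from the original post).
PCAP_MAGIC = 0xA1B2C3D4      # little-endian file, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def parse_pcap(data):
    """Yield the raw link-layer frame of every record in a classic pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file (pcapng is not handled)")
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    offset = 24
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", data, offset)
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def parse_udp(frame):
    """Return (src_ip, dst_ip, sport, dport) for an IPv4/UDP frame, else None."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                   # IPv4 header length incl. options
    if ip[9] != IPPROTO_UDP or len(ip) < ihl + 8:
        return None
    sport, dport = struct.unpack_from("!HH", ip, ihl)
    return socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), sport, dport


def dns_talkers(pcap_bytes):
    """Count packets per source IP that are addressed *to* UDP/53.

    Resolver replies have sport 53, not dport 53, so they are not counted:
    a flood shows up as a single source with a huge query count.
    """
    queries = Counter()
    for frame in parse_pcap(pcap_bytes):
        pkt = parse_udp(frame)
        if pkt is not None and pkt[3] == 53:
            queries[pkt[0]] += 1
    return queries


# --- constructed capture so the script runs offline (hypothetical addresses) ---

def udp_frame(src_ip, dst_ip, sport, dport, payload=b""):
    """Build a minimal Ethernet/IPv4/UDP frame; checksums are left at zero."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     IPPROTO_UDP, 0, socket.inet_aton(src_ip),
                     socket.inet_aton(dst_ip)) + udp
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip


def build_pcap(frames):
    """Wrap raw frames in a pcap file, as `tcpdump -w` would have written it."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = [struct.pack("<IIII", 1262000000 + i, 0, len(f), len(f)) + f
               for i, f in enumerate(frames)]
    return header + b"".join(records)


def sample_capture():
    """Assumed ten-second capture: one host hammering the resolver, two others quiet."""
    resolver = "10.0.0.53"                     # hypothetical resolver in the farm
    frames = [udp_frame("10.0.0.42", resolver, 1024 + i, 53, b"\x00" * 12)
              for i in range(300)]             # the "monster" (hypothetical IP)
    for host, port in (("10.0.0.7", 5000), ("10.0.0.9", 5001)):
        frames.append(udp_frame(host, resolver, port, 53))    # a normal query
        frames.append(udp_frame(resolver, host, 53, port))    # and its reply
    return build_pcap(frames)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_capture()
    for ip, n in dns_talkers(data).most_common(5):
        print(f"{ip:15} {n:6d} packets to udp/53")
```

One caveat worth keeping in mind when reading the output: the source address of a UDP packet can be forged, so the top entry tells you which IP to look for first, and the MAC address or switch port of the offending frames is what confirms the physical machine before you have someone pull its cable.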
You should have heard me on the phone, screaming at the administrator: "Unplug the network cable from that machine, turn it off, burn it!!!!!!"
Now that the whole network is back to 100%, to find out whether our Saturday of relaxing can begin or whether we are only one tenth of the way through the work, we have to understand whether the machine is ours or a client's hosted box.
If the machine is ours, it's bad news, because we have to understand why the machine is making all this mess, and since there is only one explanation, someone managed to get in through some vulnerability on the machine, took control and turned it into a "monster", we have to understand how they got in, what other damage they did, and how to fix the problem. Then figure out who is responsible for leaving our machine with an open vulnerability. A weekend of work in prospect.
Luckily the machine isn't ours but a client's. It gets turned off and stays off. Someone will receive a not-so-happy phone call from me on Monday.
Told this way it sounds as if the thing was resolved in ten minutes. Actually, between the first phase of panic mode, the second phase of "I don't remember where this network interface goes", and the third when you switch to "ignore mode = on", it took nearly an hour to deal with it all.
Oh well, the important thing is that now the "real" Saturday can begin.
5 Responses to "Your network is under attack? Always on Saturday morning."