RE: DOS attack from AS
Date: Fri, 30 May 2008 00:41:15 -0400
Message-ID: <C0A5E31718FC064A91E9FD7BE2F081B1D51DAF@exchange.gridapp.com>
A combination of tcpdump + wireshark will solve this for you as well. As soon as the dos starts, capture a pile of network traffic on the app server, and take a look at who is connecting. Wireshark even knows how to parse all sorts of traffic.
Thanks,
Matt
--
Matthew Zito
Chief Scientist
GridApp Systems
P: 646-452-4090
mzito_at_gridapp.com
http://www.gridapp.com
-----Original Message-----
From: oracle-l-bounce_at_freelists.org on behalf of Job Miller
Sent: Thu 5/29/2008 11:32 AM
To: Louis.Brouillette_at_uqtr.ca; oracle-l_at_freelists.org
Subject: Re: DOS attack from AS
Oracle.com experiences this also.
Take a look at page 9 of this document:
http://www.oracle.com/technology/products/oem/pdf/twp_uxinsight_implementation_case_study.pdf
It talks about how Oracle uses UXInsight to see the impact on performance of this and identify the offenders, by IP (and other network packet data collected from the attacking packets)
interesting stuff.
Job
Louis BROUILLETTE <Louis.Brouillette_at_uqtr.ca> wrote:
Once in a while (maybe once a month), our intranet is a victim of what I would call a DOS. Our application server (AS 10.1.2.2) receives hundreds of requests (all the same request with the same parameters) from the a user in a few minutes for a modplsql application. It's impossible for a person to send so much requests in that period of time. It floods the db (10.2.0.3) and everyone hangs. Each time, it's a different user. Our PC experts scanned the PCs with a variety of antivirus and anti-spyware but found nothing suspicious. Anyone else have experienced something like that ? Louis Brouillette Analyste en informatique (DBA) Universite du Quebec a Trois-Rivieres Tel: (819) 376-5011 ext. 2435 Email: brouille_at_uqtr.ca -- http://www.freelists.org/webpage/oracle-l
--
http://www.freelists.org/webpage/oracle-l
Received on Thu May 29 2008 - 23:41:15 CDT