RE: DOS attack from AS

From: Matthew Zito <mzito_at_gridapp.com>
Date: Fri, 30 May 2008 00:41:15 -0400
Message-ID: <C0A5E31718FC064A91E9FD7BE2F081B1D51DAF@exchange.gridapp.com>

A combination of tcpdump + Wireshark will solve this for you as well. As soon as the DoS starts, capture a pile of network traffic on the app server, and take a look at who is connecting. Wireshark even knows how to parse all sorts of traffic.

Thanks,
Matt

--

Matthew Zito
Chief Scientist
GridApp Systems
P: 646-452-4090
mzito_at_gridapp.com
http://www.gridapp.com

-----Original Message-----

From: oracle-l-bounce_at_freelists.org on behalf of Job Miller
Sent: Thu 5/29/2008 11:32 AM
To: Louis.Brouillette_at_uqtr.ca; oracle-l_at_freelists.org
Subject: Re: DOS attack from AS

Oracle.com experiences this also.  

Take a look at page 9 of this document:  

http://www.oracle.com/technology/products/oem/pdf/twp_uxinsight_implementation_case_study.pdf  

It talks about how Oracle uses UXInsight to see the impact on performance of this and identify the offenders, by IP (and other network packet data collected from the attacking packets).

Interesting stuff.

Job

Louis BROUILLETTE <Louis.Brouillette_at_uqtr.ca> wrote:

	Once in a while (maybe once a month), our intranet is a victim of 
	what I would call a DOS. Our application server (AS 10.1.2.2) 
	receives hundreds of requests (all the same request with the same 
	parameters) from a user in a few minutes for a modplsql 
	application. It's impossible for a person to send so many requests 
	in that period of time. It floods the db (10.2.0.3) and everyone hangs.
	
	Each time, it's a different user. Our PC experts scanned the PCs 
	with a variety of antivirus and anti-spyware but found nothing 
	suspicious. Has anyone else experienced something like that?
	
	Louis Brouillette
	Analyste en informatique (DBA)
	Universite du Quebec a Trois-Rivieres
	Tel: (819) 376-5011 ext. 2435
	Email: brouille_at_uqtr.ca 
	
	--
	http://www.freelists.org/webpage/oracle-l
	
	
	




--

http://www.freelists.org/webpage/oracle-l Received on Thu May 29 2008 - 23:41:15 CDT
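
The capture-and-inspect approach suggested in this thread can be summarised from the command line. The script below is an added example, not part of the original messages: it ranks clients by new TCP connections to one server port, assuming the text format printed by tcpdump 4.x with `-nn -tt`; the sample capture, addresses and port 80 are constructed.

```shell
#!/bin/sh
# Added example: rank clients by new TCP connections to one server port.
# Reads the text output of `tcpdump -nn -tt` (tcpdump 4.x format) on stdin.
# Prints: <new connections> <client IP> <seconds between first and last>
top_talkers() {
    port="$1"
    awk -v port="$port" '
    $2 == "IP" && $4 == ">" {            # IPv4 lines only
        src = $3; dst = $5
        sub(/:$/, "", dst)               # destination ends with ":"
        n = split(dst, d, ".")           # a.b.c.d.port
        if (d[n] != port) next
        # A bare SYN opens a connection; "[S.]" is the server reply
        if ($6 != "Flags" || $7 != "[S],") next
        split(src, s, ".")
        ip = s[1] "." s[2] "." s[3] "." s[4]
        count[ip]++
        if (!(ip in first)) first[ip] = $1
        last[ip] = $1
    }
    END {
        for (ip in count)
            printf "%d %s %d\n", count[ip], ip, int(last[ip] - first[ip] + 0.5)
    }' | sort -k1,1nr -k2,2
}

# Constructed sample capture (addresses, ports and times are made up).
sample_capture() {
    cat <<'EOF'
1212122475.100000 IP 10.1.1.23.51000 > 10.1.1.5.80: Flags [S], seq 1, win 5840, length 0
1212122475.100200 IP 10.1.1.5.80 > 10.1.1.23.51000: Flags [S.], seq 9, ack 2, win 5792, length 0
1212122475.400000 IP 10.1.1.23.51001 > 10.1.1.5.80: Flags [S], seq 3, win 5840, length 0
1212122476.000000 IP 10.1.1.40.40222 > 10.1.1.5.80: Flags [S], seq 5, win 5840, length 0
1212122476.200000 IP 10.1.1.23.51002 > 10.1.1.5.80: Flags [S], seq 7, win 5840, length 0
1212122476.300000 IP 10.1.1.23.51002 > 10.1.1.5.80: Flags [P.], seq 8:300, ack 1, win 5840, length 292
1212122477.100000 IP 10.1.1.23.51003 > 10.1.1.5.80: Flags [S], seq 11, win 5840, length 0
1212122477.500000 IP 10.1.1.40.40223 > 10.1.1.5.22: Flags [S], seq 13, win 5840, length 0
EOF
}

sample_capture | top_talkers 80
```

Against a saved capture (the file name `capture.pcap` is hypothetical), the same function reads `tcpdump -nn -tt -r capture.pcap` on stdin. A client opening many connections within a few seconds sorts to the top of the output.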
