[How?] Prove of attacks
So I am wondering how to prove that an attack happened? Let's say a UDP flood: what I imagine is putting together a bunch of packet logs, grepping the IP and counting the packets, then packing this up as "proof". But I assume there's a more decent way to approach gathering proof and evidence?
Comments
We normally sample flows of 100 packets to the particular server before we start the attack mitigation.
The flows are then sent to the customer as proof if necessary.
Hello,
If you can assign a server to this you can also use a network monitoring software such as Inmon.
tcpdump gives a nice output by default that most people have no issues reading, and also produces .pcap files if needed.
tcpdump udp and ip host x.x.x.x
a powerful command-line packet analyzer.
sflow.
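Added example, not code posted by anyone in this thread: a Python script that turns the approach in the opening post (grep the source IP in the packet log and count) and the tcpdump output mentioned above into a repeatable summary. It assumes the log is the text output of `tcpdump -n udp` (the standard line format: timestamp, `IP src.port > dst.port: UDP, length N`); the sample log it builds is constructed, not a real capture, and the 100 pps threshold is an arbitrary assumption. It counts packets and bytes per source, finds each source's peak packets per second, flags sources over the threshold, and records the SHA-256 of the raw log so the summary can be tied to the exact capture it came from.

```python
import hashlib
import re
from collections import Counter, defaultdict

# Matches one line of `tcpdump -n udp` text output, e.g.
# 10:00:01.000100 IP 203.0.113.7.54321 > 198.51.100.10.53: UDP, length 1400
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): UDP, length (?P<length>\d+)$"
)


def build_sample_log():
    """Constructed log (not a real capture): one source sending 300 packets in two
    seconds at port 53, a handful of ordinary DNS queries from another host, and one
    non-UDP line the parser is expected to skip."""
    lines = []
    for i in range(300):
        sec = 1 + i // 150                 # 150 packets in second :01, 150 in :02
        usec = (i % 150) * 6000
        lines.append(
            f"10:00:{sec:02d}.{usec:06d} IP 203.0.113.7.{40000 + i} > "
            f"198.51.100.10.53: UDP, length 1400"
        )
    for i in range(5):
        lines.append(
            f"10:00:0{i}.500000 IP 192.0.2.20.5{i}000 > 198.51.100.10.53: UDP, length 64"
        )
    lines.append("10:00:03.000000 IP 192.0.2.20.5353 > 198.51.100.10.80: "
                 "Flags [S], seq 1, win 64240, length 0")
    return "\n".join(lines) + "\n"


def parse_log(text):
    """Return (records, skipped): one dict per parsable UDP line, plus the number
    of lines that did not match the expected format."""
    records, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            skipped += 1
            continue
        rec = m.groupdict()
        rec["length"] = int(rec["length"])
        records.append(rec)
    return records, skipped


def summarise(records, pps_threshold=100):
    """Per-source packet and byte totals, first/last timestamp, destination ports,
    peak packets per second, and the sorted list of sources at or over the threshold."""
    per_src = defaultdict(lambda: {"packets": 0, "bytes": 0, "first": None,
                                   "last": None, "dports": Counter(), "peak_pps": 0})
    per_src_sec = Counter()                # (src, HH:MM:SS) -> packets in that second
    for r in records:
        s = per_src[r["src"]]
        s["packets"] += 1
        s["bytes"] += r["length"]
        s["first"] = r["ts"] if s["first"] is None else min(s["first"], r["ts"])
        s["last"] = r["ts"] if s["last"] is None else max(s["last"], r["ts"])
        s["dports"][r["dport"]] += 1
        per_src_sec[(r["src"], r["ts"])] += 1
    for (src, _), n in per_src_sec.items():
        per_src[src]["peak_pps"] = max(per_src[src]["peak_pps"], n)
    for s in per_src.values():
        s["dports"] = dict(s["dports"])
    flagged = sorted(src for src, s in per_src.items() if s["peak_pps"] >= pps_threshold)
    return dict(per_src), flagged


def evidence_record(text, pps_threshold=100):
    """Bundle the summary with a SHA-256 of the raw log, so the numbers can be
    checked against the exact file they were derived from."""
    records, skipped = parse_log(text)
    per_src, flagged = summarise(records, pps_threshold)
    return {
        "log_sha256": hashlib.sha256(text.encode()).hexdigest(),
        "udp_packets": len(records),
        "skipped_lines": skipped,
        "sources": per_src,
        "flagged_sources": flagged,
    }


if __name__ == "__main__":
    rep = evidence_record(build_sample_log())
    print("log sha256:", rep["log_sha256"])
    for src in rep["flagged_sources"]:
        s = rep["sources"][src]
        print(f"{src}: {s['packets']} pkts, {s['bytes']} bytes, "
              f"peak {s['peak_pps']} pps, {s['first']}-{s['last']}, ports {s['dports']}")
```

To use it on a real capture, feed it the saved text (`tcpdump -n udp > flood.log`, then `evidence_record(open("flood.log").read())`) and keep the original .pcap alongside the hash; the summary is only as credible as the unaltered capture it points to.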
However, if the customer does not believe it, it is best to part ways; it means the trust is gone and in most cases the customer will continue to contest any evidence instead of removing the DDoS-magnet service or purchasing mitigation services.
Right!
Yup. If the customer truly believes that you have nothing better to do than manually reconstruct packets or flows then it's time for them to become somebody else's customer.
Nothing to do with UDP floods, but tcpdump/wireshark in general,
How to prove someone is spamming:
tcpdump -vv -x -X -i eth0 'src host x.x.x.x and port 25 or host x.x.x.x and port 25' -w mail.pcap
Have client read all the reject messages in Wireshark.
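Added example, not code from anyone in this thread: a Python script that does the reading the post above asks the client to do. It assumes the input is the plain text of one SMTP session (what Wireshark's "Follow TCP stream" shows for a port-25 connection captured as above); the session below is constructed, and the host names and the blocklist name in it are placeholders. It picks out every server reply (RFC 5321 three-digit code, with `-` marking a continuation line), pulls the enhanced status code (RFC 3463, e.g. `5.7.1`) where present, and counts permanent rejects per code so the outcome of the session can be stated in one line instead of pages of packets.

```python
import re
from collections import Counter

# SMTP reply line (RFC 5321): three-digit code, then ' ' (final) or '-' (continuation).
REPLY_RE = re.compile(r"^(?P<code>[2-5]\d{2})(?P<sep>[ -])(?P<text>.*)$")
# Enhanced status code (RFC 3463) at the start of the reply text, e.g. 5.7.1
ENHANCED_RE = re.compile(r"^(?P<esc>[245]\.\d{1,3}\.\d{1,3})\b")
RCPT_RE = re.compile(r"^RCPT TO:", re.IGNORECASE)

# Constructed session text (placeholder hosts and blocklist name), not a real capture.
SAMPLE_SESSION = """\
220 mx.example.net ESMTP ready
EHLO mail.customer.example
250-mx.example.net
250 SIZE 10485760
MAIL FROM:<bulk@customer.example>
250 2.1.0 OK
RCPT TO:<user1@example.net>
550 5.7.1 Service unavailable; client host [198.51.100.23] blocked using dnsbl.example.org
RCPT TO:<user2@example.net>
550 5.7.1 Service unavailable; client host [198.51.100.23] blocked using dnsbl.example.org
RCPT TO:<user3@example.net>
550 5.1.1 User unknown
QUIT
221 2.0.0 Bye
"""


def parse_replies(text):
    """Return a list of (code, enhanced_code_or_None, text) for every server reply line,
    continuation lines included; client commands are ignored."""
    replies = []
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if not m:
            continue
        body = m.group("text")
        e = ENHANCED_RE.match(body)
        replies.append((int(m.group("code")), e.group("esc") if e else None, body))
    return replies


def reject_summary(text):
    """Count RCPT attempts and permanent (5xx) rejects, grouped by enhanced status code."""
    replies = parse_replies(text)
    rejects = [r for r in replies if 500 <= r[0] <= 599]
    rcpt_attempts = sum(1 for line in text.splitlines() if RCPT_RE.match(line))
    return {
        "rcpt_attempts": rcpt_attempts,
        "reply_lines": len(replies),
        "permanent_rejects": len(rejects),
        "by_enhanced_code": dict(Counter(r[1] or "none" for r in rejects)),
        "reject_messages": sorted({r[2] for r in rejects}),
    }


if __name__ == "__main__":
    summary = reject_summary(SAMPLE_SESSION)
    print(f"{summary['permanent_rejects']} of {summary['rcpt_attempts']} recipients rejected")
    for code, n in summary["by_enhanced_code"].items():
        print(f"  {code}: {n}")
    for msg in summary["reject_messages"]:
        print("  ", msg)
```

A 5.7.1 reject that names a blocklist is the same fact the later reply in this thread suggests showing the customer directly; the script just makes that reading of the capture mechanical and countable.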
Nah, simply linking a site where his IP is blacklisted in many lists is enough, no need to do anything more; you don't want them to remain your customers most of the time. The people with compromised VMs and all, old customers in good standing for months or years, will acknowledge the situation and solve it, no need to show anything else.