[How?] Prove of attacks

So I am wondering how to prove an attack happened? Let's say a UDP flood; my imagination is putting together a bunch of packet logs, grepping the IP and counting the packets, then packing this up as "proof". But I assume there's a more decent way to approach gathering proof and evidence?

Comments

  • Clouvider Member, Patron Provider

    We normally sample flows of 100 packets to the particular server before we start the attack mitigation.

    The flows are then sent to the Customer as proof if necessary.

  • Ikoula Member, Host Rep
    edited June 2015

    Hello,

    If you can assign a server to this, you can also use network monitoring software such as InMon.

  • linuxthefish Member
    edited June 2015

    tcpdump gives a nice output by default that most people have no issues reading, and also produces .pcap files if needed.

    tcpdump udp and ip host x.x.x.x

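The OP's "grep the IP and count the packets" idea and linuxthefish's tcpdump filter above can be combined into a small script. The following is an added example, not code from anyone in this thread: it parses tcpdump's default one-line text output (as produced with `-n`), counts packets and bytes per source toward the attacked host, flags sources above a packets-per-second threshold, and records a SHA-256 of the capture so the evidence file handed to the customer can be shown to be unchanged. The capture lines are constructed sample data, and the victim address, the threshold and the `flood_report` function are assumptions of this example.

```python
"""Turn a tcpdump text capture into per-source packet counts for a flood report."""
import hashlib
import json
import re
from collections import defaultdict
from dataclasses import dataclass

# tcpdump's default one-line output when run with -n (no name resolution).
# UDP lines read "...: UDP, length N"; TCP lines read "...: Flags [S], ..., length N".
# Ports that tcpdump decodes at application level (53 for DNS, 123 for NTP, ...)
# print differently and are deliberately not parsed here.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{6}) IP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
    r"(?P<proto>UDP|Flags)\b.*?length (?P<len>\d+)"
)

# Constructed sample (not a real capture): a burst from 203.0.113.5 toward
# 198.51.100.10 port 27015, one stray UDP packet from 203.0.113.7, one TCP SYN,
# and tcpdump's trailer line, which the parser must skip.
SAMPLE_CAPTURE = """\
12:00:01.000000 IP 203.0.113.5.40000 > 198.51.100.10.27015: UDP, length 1400
12:00:01.100000 IP 203.0.113.5.40001 > 198.51.100.10.27015: UDP, length 1400
12:00:01.200000 IP 203.0.113.5.40002 > 198.51.100.10.27015: UDP, length 1400
12:00:01.250000 IP 192.0.2.9.51515 > 198.51.100.10.22: Flags [S], seq 1, win 64240, length 0
12:00:01.300000 IP 203.0.113.5.40003 > 198.51.100.10.27015: UDP, length 1400
12:00:01.350000 IP 203.0.113.7.41000 > 198.51.100.10.27015: UDP, length 1400
12:00:01.400000 IP 203.0.113.5.40004 > 198.51.100.10.27015: UDP, length 1400
12:00:01.500000 IP 203.0.113.5.40005 > 198.51.100.10.27015: UDP, length 1400
8 packets captured
"""


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since midnight, from tcpdump's HH:MM:SS.micro stamp
    src: str
    dst: str
    dport: int
    proto: str     # "UDP" or "TCP"
    length: int    # payload length as printed by tcpdump


def _ts_seconds(stamp):
    h, m, s = stamp.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_line(line):
    """Return a Packet for a tcpdump packet line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return Packet(ts=_ts_seconds(m["ts"]), src=m["src"], dst=m["dst"],
                  dport=int(m["dport"]),
                  proto="TCP" if m["proto"] == "Flags" else "UDP",
                  length=int(m["len"]))


def parse_capture(text):
    return [p for p in (parse_line(line) for line in text.splitlines()) if p is not None]


def flood_report(capture_text, victim, pps_threshold, proto="UDP"):
    """Per-source packet/byte counts toward `victim`, plus a hash that pins the evidence."""
    pkts = [p for p in parse_capture(capture_text) if p.dst == victim and p.proto == proto]
    if not pkts:
        return {"victim": victim, "proto": proto, "sources": [], "suspected_flood_sources": []}
    window = max(p.ts for p in pkts) - min(p.ts for p in pkts)
    duration = max(window, 1e-3)  # guard against a single-packet (zero-length) window
    packets, total_bytes = defaultdict(int), defaultdict(int)
    for p in pkts:
        packets[p.src] += 1
        total_bytes[p.src] += p.length
    sources = sorted(
        ({"src": s, "packets": packets[s], "bytes": total_bytes[s], "pps": packets[s] / duration}
         for s in packets),
        key=lambda r: r["packets"], reverse=True,
    )
    return {
        "victim": victim,
        "proto": proto,
        # Hash the evidence file so the customer can verify it was not edited afterwards.
        # In practice hash the .pcap written with -w; the text is hashed here to stay self-contained.
        "capture_sha256": hashlib.sha256(capture_text.encode()).hexdigest(),
        "duration_s": duration,
        "sources": sources,
        "suspected_flood_sources": [r["src"] for r in sources if r["pps"] >= pps_threshold],
    }


if __name__ == "__main__":
    print(json.dumps(flood_report(SAMPLE_CAPTURE, "198.51.100.10", pps_threshold=10.0), indent=2))
```

The per-source rate is computed over the whole capture window, so a short sample taken with `tcpdump -c` before mitigation kicks in (as Clouvider describes with 100-packet flow samples) gives a defensible figure; keep the raw `.pcap` alongside the summary, since the summary is only as good as the capture it was derived from.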
  • spinvps Member, Host Rep

    @linuxthefish said:
    tcpdump gives a nice output by default that most people have no issues reading, and also produces .pcap files if needed.

    tcpdump udp and ip host x.x.x.x

    A powerful command-line packet analyzer.

  • Maounique Host Rep, Veteran
    edited June 2015

    sFlow.

    However, if the customer does not believe it, it is best to part ways; it means the trust is gone and, in most cases, the customer will continue to contest any evidence instead of removing the DDoS magnet service or purchasing mitigation services.

  • @Maounique said:

    However, if the customer does not believe it, it is best to part ways; it means the trust is gone and, in most cases, the customer will continue to contest any evidence instead of removing the DDoS magnet service or purchasing mitigation services.

    Right !

  • However, if the customer does not believe it, it is best to part ways; it means the trust is gone and, in most cases, the customer will continue to contest any evidence instead of removing the DDoS magnet service or purchasing mitigation services.

    Yup. If the customer truly believes that you have nothing better to do than manually reconstruct packets or flows then it's time for them to become somebody else's customer.

  • TACServers Member
    edited June 2015

    Nothing to do with UDP floods, but tcpdump/wireshark in general,

    How to prove someone is spamming:

    tcpdump -vv -x -X -i eth0 'src host x.x.x.x and port 25 or host x.x.x.x and port 25' -w mail.pcap

    Have client read all the reject messages in Wireshark.

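Reading the reject messages out of the `mail.pcap` above in Wireshark works, but the same evidence can be summarised from `tcpdump -nA 'host x.x.x.x and port 25'` text output. The following is an added example, not code from this thread: it associates each payload line with the packet header printed before it, counts the customer's `RCPT TO` attempts, and tallies the SMTP reply codes the receiving MTAs sent back, keeping the distinct 5xx rejection texts. The capture text is constructed sample data (including the ASCII header junk `-A` prints in front of the payload); the customer address, the `dnsbl.example` name and the `smtp_evidence` function are assumptions of this example.

```python
"""Pull SMTP reply codes out of a `tcpdump -nA` port-25 capture to document rejected mail."""
import re
from collections import Counter

# Packet header line as tcpdump -n prints it for TCP: timestamp, src.port > dst.port: Flags ...
HEADER_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d{6} IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): Flags"
)
# With -A the IP/TCP header bytes are printed as ASCII junk ('.' for non-printable
# bytes) in front of the payload, so the SMTP text is searched for, not anchored.
REPLY_RE = re.compile(r"\b(?P<code>[2-5]\d\d)[ -](?P<text>\S.*)$")
RCPT_RE = re.compile(r"\bRCPT TO:", re.IGNORECASE)

# Constructed sample (not a real capture): customer host 203.0.113.20 attempts four
# deliveries; three are refused by the receiving MTAs and one is accepted.
SAMPLE_SMTP_CAPTURE = """\
12:00:05.000000 IP 203.0.113.20.41234 > 198.51.100.10.25: Flags [P.], seq 1:30, ack 1, win 502, length 29
E..E..@.@......RCPT TO:<alice@example.net>
12:00:05.000100 IP 198.51.100.10.25 > 203.0.113.20.41234: Flags [P.], seq 1:80, ack 30, win 502, length 79
E..w..@.@......550 5.7.1 Service unavailable; client [203.0.113.20] listed in dnsbl.example
12:00:06.000000 IP 203.0.113.20.41235 > 198.51.100.11.25: Flags [P.], seq 1:30, ack 1, win 502, length 29
E..E..@.@......RCPT TO:<bob@example.org>
12:00:06.000100 IP 198.51.100.11.25 > 203.0.113.20.41235: Flags [P.], seq 1:40, ack 30, win 502, length 39
E..G..@.@......554 5.7.1 <bob@example.org>: Relay access denied
12:00:07.000000 IP 203.0.113.20.41236 > 198.51.100.10.25: Flags [P.], seq 1:30, ack 1, win 502, length 29
E..E..@.@......RCPT TO:<carol@example.net>
12:00:07.000100 IP 198.51.100.10.25 > 203.0.113.20.41236: Flags [P.], seq 1:80, ack 30, win 502, length 79
E..w..@.@......550 5.7.1 Service unavailable; client [203.0.113.20] listed in dnsbl.example
12:00:08.000000 IP 203.0.113.20.41237 > 198.51.100.12.25: Flags [P.], seq 1:30, ack 1, win 502, length 29
E..E..@.@......RCPT TO:<dave@example.com>
12:00:08.000100 IP 198.51.100.12.25 > 203.0.113.20.41237: Flags [P.], seq 1:30, ack 30, win 502, length 29
E..1..@.@......250 2.1.5 Ok
"""


def smtp_evidence(capture_text, customer_ip):
    """Summarise what remote MTAs (port 25) replied to mail sent from `customer_ip`."""
    current = None            # header of the packet whose payload lines follow
    rcpt_attempts = 0
    reply_codes = Counter()
    rejects_by_mta = Counter()
    reject_messages = set()
    for line in capture_text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            current = h.groupdict()
            continue
        if current is None:
            continue              # payload text before any header: nothing to attribute it to
        outbound = current["src"] == customer_ip and current["dport"] == "25"
        inbound = current["dst"] == customer_ip and current["sport"] == "25"
        if outbound and RCPT_RE.search(line):
            rcpt_attempts += 1
        elif inbound:
            r = REPLY_RE.search(line)
            if r:
                reply_codes[r["code"]] += 1
                if r["code"].startswith("5"):   # permanent rejection from the receiving side
                    rejects_by_mta[current["src"]] += 1
                    reject_messages.add(f"{r['code']} {r['text']}")
    return {
        "customer": customer_ip,
        "rcpt_attempts": rcpt_attempts,
        "rejected": sum(rejects_by_mta.values()),
        "reply_codes": dict(reply_codes),
        "rejects_by_mta": dict(rejects_by_mta),
        "reject_messages": sorted(reject_messages),
    }


if __name__ == "__main__":
    for key, value in smtp_evidence(SAMPLE_SMTP_CAPTURE, "203.0.113.20").items():
        print(f"{key}: {value}")
```

The reply texts are what make the case: a list of "listed in ..." and "Relay access denied" responses from several independent receiving MTAs is harder to argue with than a raw packet count, and the `rcpt_attempts` figure shows the volume the customer was pushing when they were refused.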
  • Maounique Host Rep, Veteran

    @cncking2000 said:
    How to prove someone is spamming:

    tcpdump -vv -x -X -i eth0 'src host x.x.x.x and port 25 or host x.x.x.x and port 25' -w mail.pcap

    Have client read all the reject messages in Wireshark.

    Nah, simply linking a site where his IP is blacklisted in many lists is enough; no need to do anything more, you don't want them to remain your customers most of the time. The people with compromised VMs and all, old customers in good standing for months or years, will acknowledge the situation and solve it; no need to show anything else.
