At certain times and for various reasons DePaul University has seen its fair share of denial of service attacks. On occasion we find boxes that have been compromised in an attempt to set up a DoS agent, and sometimes we are the recipient of DoS traffic. This page documents some of those attacks.
On Saturday April 7, 2001, I received a page about our Internet link having problems. Initially I could not get to DePaul hosts from where I was (coming in from outside, over the public Internet). All indications based on help desk troubleshooting were that our border was up, but as soon as anything tried to cross into the public Internet it was dead in the water. I immediately placed a call to our upstream provider to see if they were experiencing any problems. As I was waiting for a technician, I was finally able to pull up some of our network statistics pages, although that was painstakingly slow. However, when I saw our stats, I knew what was wrong right away.
The following graph shows utilization on our border router for a 24-hour period. Green is the traffic coming in from the Internet and blue is going out. Notice how inbound peaks while outbound has almost completely stopped for the 2-hour period between 1600 hours and 1800 hours. The total link capacity at the time of the incident was 18 Mb/s.
Daily statistics (April 7, 2001):

| | Max | Average | Current |
|---|---|---|---|
| In | 18.9 Mb/s (99.7%) | 8503.4 kb/s (44.9%) | 9933.9 kb/s (52.4%) |
| Out | 18.9 Mb/s (99.9%) | 14.8 Mb/s (78.4%) | 17.6 Mb/s (93.1%) |
Compare with the weekly view of statistics to see the anomaly.
Weekly statistics:

| | Max | Average | Current |
|---|---|---|---|
| In | 18.8 Mb/s (99.4%) | 8652.0 kb/s (45.7%) | 7868.8 kb/s (41.5%) |
| Out | 18.9 Mb/s (99.6%) | 13.5 Mb/s (71.3%) | 15.3 Mb/s (81.0%) |
The following graph shows protocol statistics for the April 7th 24-hour period. Inbound traffic lies below the zero x-axis and outbound traffic lies above it. Normally TCP comprises 95% or more of both inbound and outbound traffic. As shown in this graph, all inbound traffic appears to be entirely ICMP based during the time period between 1600 and 1800 hours.
Finally, here is a picture of the flow statistics during the same 24-hour period. Notice that there appears to be about 20 different flows (IP address and TCP port pairs) involved in sending ICMP traffic.
An ICMP based attack was focused against a single internal host. Our upstream put in a filter to block all traffic to that host, which effectively fixed our traffic problems. Upon investigation we found that the host the attack targeted had been compromised. There was evidence of IRC traffic from our compromised host as well. It appears that the intruder had probably upset someone or some people in an IRC chat session, spurring the launch of an attack against him or her.
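The two signals that gave this attack away in the graphs above, inbound traffic turning almost entirely ICMP and roughly 20 flows converging on one internal host, can be checked automatically against flow records. The script below is an added example, not DePaul's tooling or data: it builds a constructed set of NetFlow-style records (hour, direction, source, destination, protocol, bytes, using documentation address ranges), computes the per-hour inbound protocol mix, flags hours where ICMP exceeds a share threshold, and ranks destination hosts by how many distinct sources send them ICMP in those hours. The 95% TCP baseline and the 50% ICMP alert threshold are assumptions taken from the text and chosen for illustration.

```python
"""Flag an inbound ICMP flood from flow records and find its target host.

Added example; the flow records below are constructed, not real data.
Each record: hour,dir,src,dst,proto,bytes (dir is "in" or "out").
"""
from collections import defaultdict


def _build_sample():
    """Constructed sample: normal hours plus a two-hour ICMP flood."""
    lines = ["hour,dir,src,dst,proto,bytes"]
    for hour in (14, 15, 16, 17, 19):
        # Baseline: TCP dominates both directions, a little UDP and ICMP.
        lines += [
            f"{hour},in,198.51.100.7,192.0.2.20,TCP,5000000",
            f"{hour},out,192.0.2.20,198.51.100.7,TCP,9000000",
            f"{hour},in,198.51.100.8,192.0.2.21,UDP,200000",
            f"{hour},out,192.0.2.21,198.51.100.8,UDP,100000",
            f"{hour},in,198.51.100.9,192.0.2.22,ICMP,5000",
        ]
        if hour in (16, 17):
            # The flood: 20 distinct sources aim ICMP at one internal host,
            # mirroring the ~20 flows seen in the incident's flow graph.
            for k in range(1, 21):
                lines.append(f"{hour},in,203.0.113.{k},192.0.2.10,ICMP,2000000")
    return "\n".join(lines) + "\n"


SAMPLE_FLOWS = _build_sample()


def parse_flows(text):
    """Parse CSV flow lines (header skipped) into a list of dicts."""
    flows = []
    for line in text.splitlines()[1:]:
        hour, direction, src, dst, proto, nbytes = line.split(",")
        flows.append({"hour": int(hour), "dir": direction, "src": src,
                      "dst": dst, "proto": proto, "bytes": int(nbytes)})
    return flows


def protocol_share(flows, direction, hour):
    """Byte share of each protocol for one direction in one hour."""
    totals = defaultdict(int)
    for f in flows:
        if f["dir"] == direction and f["hour"] == hour:
            totals[f["proto"]] += f["bytes"]
    total = sum(totals.values())
    return {p: b / total for p, b in totals.items()} if total else {}


def flag_icmp_hours(flows, threshold=0.5):
    """Hours in which inbound ICMP exceeds the threshold share (assumed 50%).

    Against a baseline where TCP is normally 95%+ of inbound bytes, any
    hour past this threshold is a clear anomaly worth paging on.
    """
    hours = sorted({f["hour"] for f in flows})
    return [h for h in hours
            if protocol_share(flows, "in", h).get("ICMP", 0) > threshold]


def icmp_targets(flows, hours):
    """Rank internal destinations by distinct ICMP sources in the given hours.

    A single destination with many sources is the candidate for an upstream
    destination filter, as was done in the incident described above.
    """
    sources = defaultdict(set)
    for f in flows:
        if f["dir"] == "in" and f["proto"] == "ICMP" and f["hour"] in hours:
            sources[f["dst"]].add(f["src"])
    return sorted(((dst, len(s)) for dst, s in sources.items()),
                  key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    bad_hours = flag_icmp_hours(flows)
    print("hours with anomalous inbound ICMP:", bad_hours)
    for dst, n in icmp_targets(flows, bad_hours):
        print(f"  {dst}: ICMP from {n} distinct sources")
```

Real flow exporters give per-flow start and end times rather than an hour field, so in practice the window is built from the timestamps; the rest of the logic is unchanged. Ranking by distinct source count rather than bytes is deliberate: it distinguishes a many-source flood on one host from a single noisy sender.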
Last updated: June 9, 2001