DOS attack, DNS question

My question has two parts. First: today at the place where I work we lost the internet, and after checking the firewall (SonicWall; this is a non-profit organization, so they can't afford the best stuff) I discovered it was more than likely a DOS attack. Nobody could access the internet, and I could not connect to the firewall because of the amount of data being sent on the network. What would be the best way to access the firewall, and what can I do to make sure this does not happen again?

Also, if anyone can help me out with this second question: one of the computers I configured for a user today would not access the internet. The IP address and default gateway were configured correctly in the TCP/IP settings box, along with DNS primary and alternate. But when I tried to access the internet it would give me the "web page not available" message. I could ping the default gateway and the local host, but nothing on the web; also, I could not ping the DNS server. This was before we lost internet.

Answer Wiki


Howdy! SonicWall is actually pretty good. Not like Firewall-1, but still pretty good. I own several, but have also worked on tons of other stuff.

The SonicWall has a log. Have you looked at it?

If you had trouble reaching the firewall inside, I’d suspect virus or worm activity before I’d suspect a DOS (Denial Of Service) – since a DOS is typically applied from the outside.

You didn’t say how many systems you have, but it’s probably not that many.

Get a copy of Ethereal/Windump and monitor the actual traffic – I’ll bet Dollars to Donuts that it will be from a handful of infected machines.

Also, you might want to invest some time (few dollars) on a machine and run Snort on it. But that would be later. Right now, just get Ethereal/Windump and find those culprits.


p.s. reply privately if you need more help
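
An added example, not part of the original thread: one way to act on the advice above to capture traffic and find the handful of noisy machines. It assumes a LAN of 192.168.1.0/24, the `IP src.port > dst.port:` line prefix of tcpdump/WinDump `-n` text output, and an illustrative threshold; every capture line in it is constructed.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: the office LAN is 192.168.1.0/24; adjust to the real range.
LAN = ip_network("192.168.1.0/24")

# "IP src.sport > dst.dport:" prefix of tcpdump/WinDump -n text output.
LINE_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

# Constructed sample capture (not real traffic): one host browsing normally,
# one host opening connections to port 445 on many different addresses.
SAMPLE = [
    "10:15:01.000101 IP 192.168.1.10.1044 > 198.51.100.20.80: S 100:100(0) win 64240",
    "10:15:01.000350 IP 198.51.100.20.80 > 192.168.1.10.1044: S 900:900(0) ack 101 win 5840",
    "10:15:01.000410 arp who-has 192.168.1.1 tell 192.168.1.10",
] + [
    f"10:15:02.{i:06d} IP 192.168.1.23.{2000 + i} > 203.0.113.{i}.445: S {i}:{i}(0) win 64240"
    for i in range(1, 9)
]

def summarize(lines, lan=LAN):
    """Map each internal source IP to its packet count and distinct peers."""
    stats = defaultdict(lambda: {"packets": 0, "peers": set()})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # ARP, IPv6, truncated lines
        src, _sport, dst, dport = m.groups()
        if ip_address(src) not in lan:
            continue  # replies from outside; we want hosts we can unplug
        stats[src]["packets"] += 1
        stats[src]["peers"].add((dst, int(dport)))
    return dict(stats)

def suspects(stats, min_peers=5):
    """Internal hosts with >= min_peers distinct (dst, port) pairs, widest first.

    min_peers is an illustrative threshold, not a tuned value.
    """
    hits = [(src, len(s["peers"]), s["packets"])
            for src, s in stats.items() if len(s["peers"]) >= min_peers]
    return sorted(hits, key=lambda h: (-h[1], h[0]))

if __name__ == "__main__":
    for src, peers, packets in suspects(summarize(SAMPLE)):
        print(f"{src}: {packets} packets to {peers} distinct destinations")
```

Ranking by distinct destinations rather than raw packet count keeps a busy but legitimate host, such as one doing a large download from a single server, out of the suspect list.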

Discuss This Question: 8  Replies

  • 0ct0pus
    If it's totally inaccessible you could bring it offline first, then check the log. To confirm your suspicion of a DOS attack you could monitor the traffic on your network. For the second question, assuming the ICMP echo is not blocked to the DNS, if you can't ping the DNS then the client won't be able to resolve the webpage. Let's go back to the network layer then: is the subnet mask correct? Any firewall in between the client and the DNS?
  • Demarks
    Like the others said, some of your Windows machines must be infected by a virus; do Windows Update on all the machines. Use Ethereal to identify how many machines are infected. Update the virus pattern file, reboot all those machines in safe mode and do a virus scan.
  • Mraslan
    Hi there, I agree with the previous posts about the first question, but want to add the following: try to limit access to the management software of the firewall to your internal machines or a single machine in your internal LAN; don't allow it on the WAN connection. I didn't work with SonicWall myself; anyway, sometimes firewalls hang or become jammed, so try to restart it. Monitoring the traffic using Ethereal will be very hard, especially if the amount of data passing is too much, and it will not be that effective if you run it on a machine behind the firewall if you have a switched environment, because it will not receive anything; it must be installed on the gateway, the SonicWall. I don't know if this is possible or not. Another problem with sniffers such as Ethereal is that you will need to know exactly what you should receive and what you should not receive, and to understand packets to judge whether there is an attack or not. If you know the kind of traffic you want then it will greatly help you. Regarding the second question, try to ping specifically from any machine that is working fine; you should get a reply. Record the IP address and ping that IP from the user that is experiencing troubles. If pinging by IP works but by name doesn't, then this is a name resolution problem, but if pinging by IP also doesn't work, then it's either a TCP/IP configuration problem, or maybe some kind of firewall is blocking that user. Does he have any firewall programs installed? Especially McAfee stupid firewall?
  • Odyleones
    Hi. I think the main problem is caused by a virus or DOS attack. The firewall is overwhelmed already and it can't process. I think you don't have any choice but to power off the firewall, or you can disconnect the connection facing your local area network and check the logging. I believe that every firewall has logging. Check the IP address that is constantly going outside or inside. If the firewall is connected to a switch, check whether the switch is capable of IP accounting; that way you can easily pinpoint the IP address that is constantly going outside or inside. Mostly the cause of this kind of problem is a DOS attack, but for now we can just assume. The first thing to do is disconnect your inside connection, then connect one PC to your firewall and download Stinger. The site is after you download I would suggest that you copy this to all of your computers and scan them, if this is applicable. After you scan, do the patching, because I believe some of your computers are not updated. Always, always update your Windows software. The next thing to do is download the AVG virus scan. It is a freeware virus scanner. It is better to have antivirus than nothing at all, and if you want more security you can download ZoneAlarm. For your second question... try to ping the IP address is ... hmmm... wait, I'm not sure if you can ping outside, because on most firewalls ICMP is not allowed. Try to see if all the IP addresses were configured correctly by doing ipconfig /all at the command prompt. Note: I would suggest that before you connect your PC to the internet you patch or update first, so that you do not get a lot of viruses.
  • Odyleones
    Additional: If you find the IP address that is causing the problem, the easiest thing to do is add a blocking policy to your firewall. In case you find that it is one of your inside IP addresses, add a blocking policy as well, trace the computer and disconnect it from your network. Check for viruses and apply patches if it is not updated. As for me, I think the cause of the problem is a computer in your inside network. If you cannot trace it, then do the manual thing, and this is the hardest thing to do: disconnect all your computers from the switch and put them back one at a time. You can only do this if you don't have a lot of computers; otherwise, download the software that they are suggesting.
  • Sdunkin
    For your second question, I have seen the same symptoms when the SonicWall was out of licenses. You can restart the SonicWall to reset the licenses.
  • Plewisssww
    We experienced something very similar with a SonicWall appliance a while ago. Apparently there is a magic number of concurrent connections that will hang a SonicWall; in our case it was in the 20,400 range. By using a browser to access the Admin screens in the appliance from the LAN side we were able to see the number of current connections. We then used Ethereal to determine what IP address(es) these connections were coming from. It turned out that a virus had been introduced behind our firewall by a careless connection to the network of a laptop that had come back from a recent trip overseas. This particular virus spawned multiple threads as FTP connections. After cleaning up the virus on the source machine we had to chase down a few other machines that had been hit by the same exploit as it spread within the network. We then checked each for the most recent Windows updates and patched them. We also sent a sample to our antivirus vendor, who returned a modified signature file to put in place on our centralized distribution system. It was a whole bunch of aggravation for a few days as we tracked down remnants, but all in all it could have been worse. And we now have a policy that machines that have been on trips are not allowed to be reconnected to the network until IT runs a standalone virus scan on them!
  • Ciscocat6k
    Another item that you may want to look at is to put your FW on another segment/subnet/VLAN, as this will enable you to cut the entire network off from access easily while you connect on the same subnet and troubleshoot. Additionally, this will allow you a bit more security, as you can then place ACLs against this routed interface. One real nasty virus that our organization has just been hit with hammers ports 445 and 11768. This has been identified by two vendors as a Dipnet variant. Watch the FW logs for any jump or increase in size, as this could be indicative of excessive packets being dropped and logged. Cheers,