Re: Mystics of packet forwarding


 



On Wed, Jan 7, 2009 at 03:28, Artūras Šlajus <x11@xxxxxxxxxxx> wrote:
> Ok, it seems that really - someone in LAN is attacking the internet.
>
> If I turn on forwarding for few users like me, some other computer-literate
> friends - digg.com still works :))
>
> Now it's the question how do I catch bad guys? What should I look into?
> Packet bursts? Lots of new connections? Etc?

Given the nature of yahoo and digg's services, the attacks are
probably happening over TCP.  Log all outgoing tcp connections, then
enable NAT, wait until yahoo blocks you, turn it back off, and look at
the logs.  I bet it will be fairly obvious which client(s) are
responsible.  If not, sort the logs, and count the number of
connections from each internal client.  Smoothwall has these nice
per-client traffic graphs which would show me which clients on my
network are generating the most traffic.
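
The per-client count suggested in the reply above, as an added example that is not part of the original message. It assumes the gateway logs forwarded TCP SYNs with a netfilter LOG rule; the `eth1` LAN interface, the `OUT-TCP: ` prefix and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Assumed logging rule on the gateway (not from the thread):
#   iptables -I FORWARD -i eth1 -p tcp --syn -j LOG --log-prefix "OUT-TCP: "
# eth1 (LAN side) and the "OUT-TCP: " prefix are assumptions.

# Read kernel log lines on stdin and print, busiest client first:
#   <new connections> <distinct destinations> <internal client IP>
count_by_client() {
    awk '
        /OUT-TCP: / {
            src = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                else if ($i ~ /^DST=/) dst = substr($i, 5)
            }
            if (src == "") next          # malformed line, skip it
            conns[src]++
            if (!((src, dst) in seen)) { seen[src, dst] = 1; dsts[src]++ }
        }
        END { for (s in conns) print conns[s], dsts[s], s }
    ' | sort -k1,1nr -k3,3
}

# Constructed, abbreviated sample of kernel LOG output (documentation IPs).
sample_log() {
cat <<'EOF'
Jan  7 03:30:01 gw kernel: OUT-TCP: IN=eth1 OUT=eth0 SRC=192.168.0.23 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=80 SYN
Jan  7 03:30:01 gw kernel: OUT-TCP: IN=eth1 OUT=eth0 SRC=192.168.0.23 DST=203.0.113.10 PROTO=TCP SPT=40002 DPT=80 SYN
Jan  7 03:30:02 gw kernel: OUT-TCP: IN=eth1 OUT=eth0 SRC=192.168.0.23 DST=203.0.113.11 PROTO=TCP SPT=40003 DPT=80 SYN
Jan  7 03:30:02 gw kernel: OUT-TCP: IN=eth1 OUT=eth0 SRC=192.168.0.10 DST=203.0.113.10 PROTO=TCP SPT=51000 DPT=80 SYN
Jan  7 03:30:03 gw kernel: OUT-TCP: IN=eth1 OUT=eth0 SRC=192.168.0.23 DST=198.51.100.7 PROTO=TCP SPT=40004 DPT=80 SYN
Jan  7 03:30:09 gw kernel: eth0: link up
EOF
}

# On a real gateway, feed the kernel log file instead of sample_log.
sample_log | count_by_client
```

A client with both a high connection count and many distinct destinations in the window before the block is the first one to look at.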

