Troubleshooting TCP/IP

4620-1 ch05.f.qc 10/28/99 12:00 PM Page 157

Chapter 5: Troubleshooting TCP/IP

In This Chapter
- Troubleshooting TCP/IP in Windows 2000 Server
- TCP/IP troubleshooting steps
- Defining which is the best TCP/IP troubleshooting tool to solve your problem
- Mastering basic TCP/IP utilities

Troubleshooting is, it seems, an exercise in matrix mathematics. That is, we use a variety of approaches and influences to successfully solve our problems, almost in a mental columns-and-rows format. These approaches may include structured methodologies, inductive and deductive reasoning, common sense, experience, and luck. And this is what troubleshooting is made of.

Troubleshooting TCP/IP problems is really no different from troubleshooting other Windows 2000 Server problems mentioned in this book, such as the installation failures described in Chapter 2. Needless to say, Windows 2000 Server offers several TCP/IP-related tools and utilities to assist us, but more on the specifics in a moment.

TCP/IP Troubleshooting Basics

The goal in TCP/IP troubleshooting is very simple: fix the problem. Too often, it is easy to become overly concerned about why something happened instead of just fixing the problem. And by fixing the problem, I mean cost effectively.

1. Be cost effective. Don't forget that several hours' worth of MCSE-level consulting could more than pay for the additional bandwidth that may easily solve your TCP/IP WAN-related problem. Don't overlook such an easy fix when struggling to make a WAN connection between sites utilizing Windows 2000 Server. Too little bandwidth is typically the result of being penny wise and pound foolish. It also causes nasty timeout conditions that can wreak havoc on your TCP/IP-based network. And if you want to make a complex database unhappy, just give it too little bandwidth on a TCP/IP-based WAN.

2. Experience is the best teacher. One of the more challenging corporate training assignments I frequently face is when I'm asked to deliver a custom TCP/IP and Windows 2000 Server troubleshooting session. The challenge is this: I'm not sure I can teach troubleshooting. It's really just something you do, and you're ultimately skilled at it or not. TCP/IP troubleshooting ability is heavily based on experience. The good news is that the more time on the computer you put in ("stick time"), the better you will do.

3. Use inductive reasoning. Microsoft officially recommends a TCP/IP troubleshooting strategy of working from the bottom up: start at the Physical Layer of the Open Systems Interconnection (OSI) model and proceed to broader influences such as the applications you are running. This enables you to isolate a problem. Such an approach is also known as induction or inductive reasoning, which Webster's New World Dictionary defines as "a bringing forward of separate facts or instances, esp. so as to prove a general statement." This mindset is largely the basis for this chapter: the individual tools and utilities are discussed one at a time, because in practice each is used on its own to solve one discrete piece of a larger TCP/IP problem. That is, you start with a specific tool to solve a discrete problem and, as troubleshooting both goes and grows, resolve more global TCP/IP issues. In contrast, deductive reasoning is better suited to the Windows 2000 Server developers in feature-set brainstorming sessions, where the whole idea is to come up with great new features and then work down to the implementation specifics. Webster's defines deduction as "Logic: the act or process of deducing; reasoning from a known principle to an unknown, from a general to the specific."

4. Use the in-house help. Many wonderful tools are included in Windows 2000 Server for use in your TCP/IP troubleshooting efforts. These include native commands and utilities such as IPConfig and ping that will be reviewed in this chapter. And given that Windows 2000 Server is often bundled with the full version of BackOffice, don't forget the full-featured version of Network Monitor included in Microsoft Systems Management Server (SMS). You will recall that tools such as Network Monitor were discussed at length in Part VI of this book, "Optimizing and Troubleshooting Windows 2000 Server."

5. Don't forget third-party tools. Not surprisingly, a wide range of third-party TCP/IP troubleshooting tools is available to assist you. One favorite, which will be discussed in Chapter 9, is PingPlotter, a low-cost shareware application from Richard Ness at Nessoft (www.nesssoft.com). PingPlotter is included on the CD-ROM that accompanies this book. This application tests ping connectivity and measures ping performance across WAN hops.

6. Always reboot. Last, but certainly not least, you must always reboot when modifying anything related to the TCP/IP protocol stack in Windows 2000 Server. Even though the "stack" has improved dramatically, I still don't trust it completely. In my eyes, there is nothing like a complete reboot, where you shut the computer down for 15 seconds, after you've modified any TCP/IP protocol settings. And it's an easy lesson to overlook! Here's why. Let's assume you switch your IP address from a dynamic DHCP-assigned address to a static IP address. So far, so good. But if at this moment you run the IPConfig command that reports basic TCP/IP configuration information (discussed later in this chapter), you will note that it reports the new, updated IP address as if it were properly bound to the network adapter. Don't you believe it for a minute! Always reboot.

In fact, if you want my $59.95's worth, I'd highly recommend you follow Step Zero, that is, completely cold-reboot your Windows 2000 Server prior to concluding you have any problems with TCP/IP. Don't ask me why, but I've seen many Windows 2000 Server TCP/IP-related gremlins disappear this way. And that's something you won't read about in the official MCSE study guides. Trust me.

First Step: Ask the Basic Questions

So where do you go from here? Remember that troubleshooting any problem is a function of asking enough questions. Here is a short list of questions you can start your TCP/IP troubleshooting journey with. It is by no means all-inclusive.

- What's working?
- What's not working?
- What is the relationship between the things that work and the things that don't?
- Did the things that don't work now ever work on this computer or network?
- If the answer is yes, what has changed since they last worked?

You can ask more specific questions in your quest to resolve your TCP/IP problems. These questions are presented and answered at the end of the chapter.

Second Step: Define the Tools

Having completed this first step, you're ready to begin troubleshooting TCP/IP in Windows 2000 Server. Table 5-1 provides a list of TCP/IP diagnostic utilities and troubleshooting tools, many of which will be discussed further in this chapter.

Table 5-1 Windows 2000 Server TCP/IP Troubleshooting Tools and Utilities

  Utility/Tool   Description

  ARP            Address Resolution Protocol. Enables you to view the local
                 computer's ARP table entries to detect invalid entries.
  Hostname       Typing this at the command line returns the current host
                 name of the local computer.
  IPConfig       Displays the current TCP/IP configuration. Command line
                 switches enable you to release and/or renew your
                 DHCP-assigned IP address.
  Nbtstat        Displays connections using NetBIOS over TCP/IP and protocol
                 statistics. Can also purge and reload the NetBIOS name
                 cache from the LMHOSTS file.
  Netstat        Displays active TCP/IP connections in addition to TCP/IP
                 statistics.
  Nslookup       Queries DNS servers and reports what they return: addresses,
                 host aliases (CNAME), service records, and host information
                 (HINFO) where an administrator has published it.
  Ping           Often expanded as Packet Internet Groper, although that is a
                 backronym; the name comes from sonar. Tests connections and
                 verifies configurations.
  Route          Displays, prints, or modifies the local routing table.
  Tracert        Traces the route, router by router, from the local computer
                 to a remote system.
  FTP            File Transfer Protocol. This tool is used for two-way file
                 transfers between hosts.
  TFTP           Trivial File Transfer Protocol. Provides another form of
                 two-way file transfer between hosts. Typically used when the
                 other host demands TFTP. I've used this in conjunction with
                 router configuration and troubleshooting scenarios.
  Telnet         Basic terminal emulation program that establishes a session
                 with another TCP/IP host running a Telnet server.
  RCP            Remote copy. Enables you to copy files between TCP/IP-based
                 hosts.
  RSH            Remote shell. Enables you to be authenticated by and run
                 UNIX commands on a remote UNIX host.
  Rexec          Enables you to be authenticated by and run processes on a
                 remote computer.
  Finger         Retrieves system information from a remote computer running
                 TCP/IP and supporting the Finger command.
  Microsoft      Browser used for locating information and retrieving
  Internet       resources from the Internet.
  Explorer

A word of caution on the last group of tools. Telnet, FTP, RCP, RSH and Rexec send user names, passwords and data across the network in cleartext, and RSH trusts the client's host name rather than a password; TFTP has no authentication at all. They are fine for troubleshooting on a trusted management network, but anyone who can capture traffic on the path (with Network Monitor, for instance) can read the credentials they carry.

Two important TCP/IP-related "tools" that are missing in Windows 2000 Server are native NFS client support and the whois command. For NFS client support, as discussed in Part VI of this book, "Optimizing and Troubleshooting Windows 2000 Server," check with NetManage or WRQ, two independent software vendors that provide NFS client solutions for Windows 2000 Server.
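The bottom-up procedure from item 3 and the IPConfig, Ping and ARP entries of Table 5-1, turned into one script. This is an added example, not code from the book or from Microsoft. It assumes the text layout of the Windows `ipconfig /all`, `ping` and `arp -a` commands; the sample outputs embedded in it are constructed, the remote address 10.0.0.5 is hypothetical, and the rung order (adapter configuration, loopback, own address, default gateway, remote host) is the one the chapter describes. It also catches the case item 6 warns about, where IPConfig reports the new static address but the own-address rung gets no reply, and at the gateway rung it checks the ARP cache for one MAC listed under several addresses, which is one form an "invalid entry" in that table can take.

```python
"""Bottom-up TCP/IP triage in the chapter's order (adapter config, loopback, own
address, default gateway, remote host) over the text output of the Windows ipconfig,
ping and arp utilities. Added example, not from the book; samples are constructed."""
import re
import subprocess

PING_STATS = re.compile(r"Sent = (\d+), Received = (\d+), Lost = (\d+)")
ARP_ROW = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s", re.I)

def parse_ipconfig(text):
    """First adapter's address, default gateway and DNS servers from `ipconfig /all`."""
    cfg, in_dns = {"ip": None, "gateway": None, "dns": []}, False
    for raw in text.splitlines():
        if ":" not in raw:                       # extra DNS servers follow without a key
            if in_dns and raw.strip():
                cfg["dns"].append(raw.strip())
            continue
        key, _, val = raw.partition(":")
        key, val = key.strip(" .").lower(), val.strip()
        in_dns = key.startswith("dns servers")
        if "ip address" in key and cfg["ip"] is None:   # also "Autoconfiguration IP Address"
            cfg["ip"] = val
        elif key.startswith("default gateway"):
            cfg["gateway"] = val or None
        elif in_dns and val:
            cfg["dns"].append(val)
    return cfg

def diagnose_config(cfg):
    """Rung 0: is the adapter usable? Returns 'ok' or a verdict naming the failure."""
    ip = cfg["ip"]
    if not ip or ip == "0.0.0.0":
        return "no-address: TCP/IP not bound to the adapter (cable, driver, or settings not applied)"
    if ip.startswith("169.254."):
        return "apipa: DHCP lease failed, adapter autoconfigured; check DHCP server, relay and cabling"
    if not cfg["gateway"]:
        return "no-gateway: only the local subnet is reachable"
    return "ok" if cfg["dns"] else "no-dns: addresses work but names will not resolve"

def parse_ping(text):
    """Loss percentage from Windows `ping` output; 100 if the summary line is missing."""
    m = PING_STATS.search(text)
    if not m:
        return 100
    sent, received = int(m.group(1)), int(m.group(2))
    return 100 if sent == 0 else round(100 * (sent - received) / sent)

def parse_arp(text):
    """IP -> MAC from `arp -a` (Windows prints MACs as 00-0c-29-aa-bb-cc)."""
    rows = (ARP_ROW.match(line) for line in text.splitlines())
    return {m.group(1): m.group(2).lower() for m in rows if m}

def shared_macs(arp):
    """MACs listed for more than one IP. A proxy-ARPing router or a multihomed host is
    legitimate; a gateway MAC that suddenly matches a workstation is a poisoned cache."""
    by_mac = {}
    for ip, mac in arp.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}

def climb(cfg, ping_loss, arp, remote):
    """Walk the rungs bottom-up and report the first failure as (rung, reason).
    ping_loss maps each target address to its loss percentage from parse_ping()."""
    verdict = diagnose_config(cfg)
    if verdict != "ok":
        return ("config", verdict)
    rungs = [("loopback", "127.0.0.1"), ("own-address", cfg["ip"]),
             ("gateway", cfg["gateway"]), ("remote", remote)]
    for rung, target in rungs:
        if ping_loss.get(target, 100) == 100:
            return (rung, f"no reply from {target}")
        if rung == "gateway" and arp.get(target) in shared_macs(arp):
            mac = arp[target]
            return ("arp", f"gateway MAC {mac} is also listed for {shared_macs(arp)[mac]}")
    return ("ok", "every rung answered; look higher: name resolution or the application")

def live(remote):
    """Run the real utilities on a Windows host (argument list, no shell, so the target
    string cannot inject a second command) and climb the ladder against their output."""
    out = lambda *a: subprocess.run(a, capture_output=True, text=True, check=False).stdout
    cfg = parse_ipconfig(out("ipconfig", "/all"))
    targets = [t for t in ("127.0.0.1", cfg["ip"], cfg["gateway"], remote) if t]
    loss = {t: parse_ping(out("ping", "-n", "2", t)) for t in targets}
    return climb(cfg, loss, parse_arp(out("arp", "-a")), remote)

# Constructed sample output, not captured from a real system.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 192.168.1.10
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.2
                                            192.168.1.3
"""
SAMPLE_ARP = """\
  Internet Address      Physical Address      Type
  192.168.1.1           00-0c-29-aa-bb-cc     dynamic
  192.168.1.20          00-0c-29-aa-bb-cc     dynamic
"""
SAMPLE_PING_DEAD = "Request timed out.\n    Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),"

if __name__ == "__main__":
    cfg = parse_ipconfig(SAMPLE_IPCONFIG)
    loss = {"127.0.0.1": 0, cfg["ip"]: 0, cfg["gateway"]: 0, "10.0.0.5": parse_ping(SAMPLE_PING_DEAD)}
    print(climb(cfg, loss, parse_arp(SAMPLE_ARP), "10.0.0.5"))   # stops at the duplicated gateway MAC
```

Run without arguments, the script walks the constructed sample and stops at the ARP rung, because the gateway's MAC is also listed for 192.168.1.20; call `live("10.0.0.5")` on the Windows 2000 box itself to drive the real utilities. Two deliberate choices: the utilities are started with an argument list and no shell, so an untrusted host name handed to the script cannot smuggle in a second command, and a rung only fails on 100 percent loss. Partial loss passes, because intermittent loss is the bandwidth and timeout problem of item 1, not a break in the path, and it deserves a different investigation.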