From owner-freebsd-net@FreeBSD.ORG Thu Sep 6 21:26:55 2007
Date: Thu, 6 Sep 2007 17:15:15 -0400
From: Gary Palmer <gpalmer@freebsd.org>
To: "Marc G. Fournier"
Cc: freebsd-net@freebsd.org
Message-ID: <20070906211515.GA8194@in-addr.com>
Subject: Re: DDoS attacks ... identifying destination ...
List-Id: Networking and TCP/IP with FreeBSD

On Thu, Sep 06, 2007 at 03:48:37PM -0300, Marc G. Fournier wrote:
> Today, I got hit by an attack, but haven't been able to easily determine who
> was being attacked ...
>
> I run ipaudit to monitor bandwidth usage, so I have 'source / destination'
> information, but I'm not finding any particularly easy way to narrow down who
> was being attacked ...
>
> I run mrtg on the switch so that I know which *server* is being attacked, so I
> need some method of being able to see who is being attacked so that I can put
> appropriate blocks in place ...
>
> Is there either a command line command, or ports tool, that I can use similar
> to top, or systat -iostat, that will help identify the IP that is being
> attacked?
>
> Thank you ...

net/trafshow will show throughput on various protocols on a host in a more
user friendly format than raw tcpdump alone.
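As an added example that is not part of this thread, the following shell helper does the narrowing-down Marc asks for over plain `tcpdump -n` output: it ranks destination addresses by packet count so the host drawing the flood stands out. The interface name `em0`, the function names and the sample capture lines are constructed for illustration; none of this is code from ipaudit, trafshow or tcpdump.

```shell
#!/bin/sh
# Rank destination IPv4 addresses by packet count from "tcpdump -n" output.
# Hypothetical helper. Live use on the host behind the switch port mrtg
# flagged:   tcpdump -ni em0 -c 20000 2>/dev/null | top_dst
top_dst() {
    awk '
        # tcpdump -n lines look like (TCP/UDP carry a port, ICMP does not):
        #   12:00:00.000001 IP 203.0.113.7.45871 > 198.51.100.2.80: Flags [S], ...
        #   12:00:00.000005 IP 192.0.2.10 > 198.51.100.2: ICMP echo request, ...
        # Field 5 is the destination followed by ":"; IP6 lines are skipped.
        $2 == "IP" && $4 == ">" {
            dst = $5
            sub(/:$/, "", dst)                # drop trailing colon
            # Only strip a trailing ".port" when 5 dot-separated parts are
            # present, so a portless ICMP address keeps its last octet.
            if (gsub(/\./, ".", dst) == 4) sub(/\.[0-9]+$/, "", dst)
            count[dst]++
        }
        END { for (d in count) printf "%d %s\n", count[d], d }
    ' | sort -rn
}

# Constructed sample capture: three SYNs plus an ICMP echo at 198.51.100.2,
# one legitimate SSH segment to 198.51.100.3.
SAMPLE='12:00:00.000001 IP 203.0.113.7.45871 > 198.51.100.2.80: Flags [S], seq 1, win 512, length 0
12:00:00.000002 IP 203.0.113.8.45872 > 198.51.100.2.80: Flags [S], seq 1, win 512, length 0
12:00:00.000003 IP 192.0.2.9.51000 > 198.51.100.3.22: Flags [P.], seq 1:10, ack 1, win 65535, length 9
12:00:00.000004 IP 203.0.113.9.45873 > 198.51.100.2.80: Flags [S], seq 1, win 512, length 0
12:00:00.000005 IP 192.0.2.10 > 198.51.100.2: ICMP echo request, id 1, seq 1, length 64'

# Run the ranking over the constructed sample (no capture privileges needed).
top_dst_sample() {
    printf '%s\n' "$SAMPLE" | top_dst
}

top_dst_sample
```

The top line names the address to put the block in front of; the same pipeline works on saved captures via `tcpdump -nr file.pcap | top_dst`.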