We have been hit by a number of DoS attacks over the last few weeks (to the point where we can't access our systems anymore and we are on a 100mbps Orcon datacenter line). After providing our summary logs to our firewall vendor the fact we get no increases in the number of states and the short nature of the attacks suggested to them it was not a DDoS but rather a one or 2 host DoS.
Anyway it started happening again tonight (like 4 times already) so I decided screw it, I'
ll log every packet and find out what's going on. The target IP is always the same so was quite easy to track. Anyway it looks like we are being hit from 126.96.36.199 which is from Telecom NZ. The DoSer is opening up heaps of connections to the IMAP port on that server (which runs Smartermail). I have more details than this too.
Question, do I contact Telecom NOC, get my ISP to contact Telecom NOC or open a case with the police? We are pretty desperate as our entire rack with Orcon is getting taken offline and Orcon don't want to help (still waiting 2+ weeks to hear from their technical department).
Bandwidth spikes massively:
Packet loss goes through the roof:
50 matched log entries. Max(50)ActTimeIfSourceDestinationProto