How can we quickly find out the culprit when the network is under attack?

During years of IDC room maintenance, the server is occasionally visited by various people. There are two access methods:

1. DDoS attacks

2. implant subsequent programs using System Vulnerabilities

In the first case, the entrance is blocked directly. However, the damage to the server itself is relatively small. But the second type is very serious. If he intrude into the web server, he can directly access the background database. Be cautious.

If you are under attack and your entire protection device does not have intrusion detection or traffic analysis devices. How can we find the perpetrators? You can also use open-source tools.

The method is as follows:

Enable span (Port image) on the core switch port connected to the network port of the firewall, and use Wireshark on the target port for data analysis. Many people only know that Wireshark can capture packets and see the content in the packets. In fact, it also has a very important function is to collect statistics on traffic in the form of sessions. And rank.

The span configuration on the vswitch is described here. You can search for online materials. The following describes how to view Wireshark:

650) This. width = 650; "src =" http://s3.51cto.com/wyfs02/M02/4D/2C/wKiom1RNqDOSeR3CAAXZm5YbU3A641.jpg "Title =" 1.png" alt = "wkiom1rnqdoser3caaxzm5ybu3a641.jpg"/>

Of course, you must first start the packet capture function. After "conversation" is opened, you can see the following: Click IPv4, and the top button is used for sorting. We can see who is visiting you. Both source and destination have them.

650) This. width = 650; "src =" http://s3.51cto.com/wyfs02/M01/4D/2C/wKiom1RNqG2xDvR0AAXGTGpxc1o244.jpg "Title =" Capture. PNG "alt =" wkiom1rnqg2xdvr0aaxgtgpxc1o244.jpg "/>

If the source data volume is too large, it can be determined that it is the culprit. You can use many methods for filtering.

How can we quickly find out the culprit when the network is under attack?