User's Manual
UTT Technologies Appendix B FAQ
http://www.uttglobal.com Page 413
applications on that suspicious host, then run effective antivirus software, and
finally restart or reinstall the operating system.
B. How to find out who is attacking an Internet host with DoS/DDoS
A DoS attack (denial-of-service attack) or DDoS attack (distributed denial-of-service
attack) is an attempt to make a host's resources unavailable to its intended users. When
performing a DoS/DDoS attack, a host sends a large number of packets to the target
host (typically a web server) in a very short time, placing so heavy a load on the target
that it can no longer provide normal service. A host performing DoS/DDoS attacks also
generates a large amount of traffic, and too much traffic (i.e., too heavy a network
load) causes network congestion, so other users may be unable to access the Internet
normally.
On the Device, you can find out who is performing a DoS/DDoS attack in the
following three ways.
1) View the NAT Statistics list in the Status > NAT Stats page to find out whether
there is a LAN host whose Tx Packets count is far larger than the other hosts', while its
Rx Packets count is very small or zero. When a LAN host attacks an Internet host with
DoS/DDoS, it sends a large number of packets to the Internet host; so a LAN host that
meets the above conditions is suspected of performing a DoS/DDoS attack.
Note that a user who is uploading files via HTTP/FTP should be excluded.
2) View the NAT Statistics list in the Status > NAT Stats page to find out whether
there is a LAN host whose Tx Packets count is far larger than its Rx Packets count. A
DoS/DDoS attack program often uses a forged source IP address to send out packets,
so the response packets cannot arrive at the sender; thus if a host's Tx Packets count
is far larger than its Rx Packets count, the host is suspected of performing a
DoS/DDoS attack.
3) View the system logs in the Status > System Log page to find out whether there is a
"NAT exceeded" log message. For example, the log message "NAT exceeded
192.168.16.221" means that the host with IP address 192.168.16.221 has exceeded
the maximum number of concurrent NAT sessions allowed by the Device (configured in
the Security > NAT Session Limit page), and this host is suspected of performing a
DoS/DDoS attack.
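The three checks above can be run mechanically once the NAT Statistics list and the system log have been exported. The following Python example is added here as an illustration and is not part of the UTT manual or the Device firmware; the NAT statistics rows and log lines are constructed sample data in the shape the FAQ describes, and the thresholds (peer_factor, max_rx, ratio) are assumed values that an administrator would tune for their own LAN.

```python
"""Flag LAN hosts that look like DoS/DDoS sources using the FAQ's three
heuristics: (1) Tx far above the other hosts' Tx with near-zero Rx,
(2) Tx far larger than the host's own Rx, (3) 'NAT exceeded <ip>' log lines.
Added example, not part of the manual; thresholds are assumptions."""
import re
from statistics import median

# Constructed sample of a NAT Statistics list (not real device output).
NAT_STATS = [
    {"ip": "192.168.16.10", "tx_packets": 12_000, "rx_packets": 11_500},
    {"ip": "192.168.16.11", "tx_packets": 9_800, "rx_packets": 10_100},
    # Large HTTP/FTP upload: high Tx, but plenty of Rx (ACKs), so it is excluded.
    {"ip": "192.168.16.12", "tx_packets": 450_000, "rx_packets": 430_000},
    # Spoofed-source flood: huge Tx, almost no replies come back.
    {"ip": "192.168.16.221", "tx_packets": 2_400_000, "rx_packets": 30},
    # Moderate Tx but a very skewed Tx:Rx ratio.
    {"ip": "192.168.16.50", "tx_packets": 300_000, "rx_packets": 4_000},
]

# Constructed sample of the System Log, using the message format quoted in the FAQ.
SYSTEM_LOG = """\
2024-01-01 10:00:01 NAT exceeded 192.168.16.221
2024-01-01 10:00:05 link up eth1
2024-01-01 10:00:09 NAT exceeded 192.168.16.50
"""

NAT_EXCEEDED_RE = re.compile(r"NAT exceeded (\d{1,3}(?:\.\d{1,3}){3})")


def hosts_with_outlier_tx(stats, peer_factor=10.0, max_rx=100):
    """Heuristic 1: Tx far larger than the other hosts' Tx and Rx very small.
    'Far larger' is taken as more than peer_factor times the median Tx of the
    remaining hosts; requiring a tiny Rx is what excludes bulk uploaders."""
    flagged = set()
    for host in stats:
        others = [o["tx_packets"] for o in stats if o is not host]
        if not others:
            continue
        if host["tx_packets"] > peer_factor * median(others) and host["rx_packets"] <= max_rx:
            flagged.add(host["ip"])
    return flagged


def hosts_with_high_tx_rx_ratio(stats, ratio=20.0):
    """Heuristic 2: Tx far larger than the host's own Rx (forged source addresses
    mean replies never come back). Rx of zero is treated as an infinite ratio."""
    flagged = set()
    for host in stats:
        rx = host["rx_packets"]
        skewed = rx == 0 or host["tx_packets"] / rx > ratio
        if skewed:
            flagged.add(host["ip"])
    return flagged


def hosts_from_nat_exceeded_log(log_text):
    """Heuristic 3: hosts named in 'NAT exceeded <ip>' system log messages."""
    return set(NAT_EXCEEDED_RE.findall(log_text))


def suspicious_hosts(stats, log_text):
    """Combine all three checks; returns {ip: [reasons]} so an administrator
    can see which evidence applies to each host before acting on it."""
    report = {}
    for reason, ips in (
        ("tx far above peers with near-zero rx", hosts_with_outlier_tx(stats)),
        ("tx far larger than rx", hosts_with_high_tx_rx_ratio(stats)),
        ("NAT session limit exceeded", hosts_from_nat_exceeded_log(log_text)),
    ):
        for ip in ips:
            report.setdefault(ip, []).append(reason)
    return report


if __name__ == "__main__":
    for ip, reasons in sorted(suspicious_hosts(NAT_STATS, SYSTEM_LOG).items()):
        print(ip, "->", "; ".join(reasons))
```

A host that trips all three checks (here 192.168.16.221) is a much stronger candidate than one flagged by a single ratio, which is why the report keeps the reasons separate rather than returning a single boolean; the uploader at 192.168.16.12 is correctly left alone because its Rx count is nowhere near zero.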
Note
Recommended solution: It is recommended that you stop all the running
applications on that suspicious host, then run effective antivirus software, and
finally restart or reinstall the operating system.
C. How to find out a host infected with Code Red worm virus?