Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - CATEGORY OFFENSE INVESTIGATION GUIDE REV 1 Manual page 37

Category offense investigation guide

DoS attack. From the right-click menu, select Information > WHOIS Lookup or
DNS Lookup. For more information on using the right-click menu, see the
STRM Users Guide.
Once you have determined ownership, contact your network administrator to
determine if the source IP address(es) of the DoS attack may be blocked using
your firewall or intrusion prevention device.

Step 9  Determine if the IP address of the attacker is being spoofed (using an IP
address that is invalid), and trace the path of the traffic back to the switch port
in its original form. To determine if the IP address is being spoofed, contact your
network administrator. If you determine that the IP address is being spoofed, use
one of the following methods to determine the originator of the traffic:
        - STRM Collector View. For more information on views, see the STRM
          Administration Guide.
        - Switch and router port statistics.
        - Egress filtering, which is useful for stopping outbound spoofed traffic.

Step 10 Determine if the attacker is a desktop computer, which may be running a
network application or infected with malware. For assistance, contact your network
administrator. If the desktop is running a network application, you can tune STRM
to no longer generate offenses for this behavior. See How do I Tune a DoS Offense?

Step 11 Once you have determined the impact of the offense, you must perform the
necessary steps to rectify the source of the activity. If you have determined this
behavior is normal, you can tune STRM to no longer detect this activity. For more
information, see How do I Tune a DoS Offense?

Step 12 Once you are satisfied that you have resolved the offense, you can close or
hide the offense. For more information on closing or hiding an offense, see the
STRM Users Guide.
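The spoofing check in Step 9 and the egress-filtering method it lists can both be turned into a small triage routine. The script below is an added example written for this guide's topic; it is not part of STRM or of the Juniper manual. It assumes a constructed list of the organisation's own address prefixes (ORG_PREFIXES) and constructed flow records (SAMPLE_FLOWS); in practice those values would come from the STRM network hierarchy and from the border device's flow export.

```python
"""Triage helper for DoS offense source addresses (added example, not STRM code).

Two checks drawn from the investigation steps above:
  1. Is a reported attacker address an invalid (unroutable) address?  A DoS
     source claiming such an address from the Internet is almost certainly
     spoofed, which is the Step 9 question.
  2. Would an egress filter on our border (permit only our own prefixes as
     source) have dropped the outbound packets?  Each hit shows where spoofed
     traffic is leaving the network.
"""
import ipaddress

# Constructed example: prefixes assigned to "our" organisation (hypothetical).
ORG_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]


def classify_source(ip_str, org_prefixes=ORG_PREFIXES):
    """Classify one source address seen in an offense.

    Returns:
      "internal" - inside one of our own prefixes (investigate the host, Step 10)
      "invalid"  - unparseable, or not a globally routable unicast address
                   (private, loopback, link-local, multicast, reserved);
                   a strong indicator of spoofing (Step 9)
      "external" - routable address outside our space (WHOIS / abuse contact)
    """
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return "invalid"
    # Our own space is checked first: documentation and private ranges used
    # as "our" prefixes would otherwise be reported as invalid.
    if any(ip in net for net in org_prefixes):
        return "internal"
    # is_global covers private, loopback, link-local, reserved and unspecified;
    # multicast is excluded separately because older Python treats it as global.
    if not ip.is_global or ip.is_multicast:
        return "invalid"
    return "external"


# Constructed outbound/inbound flow records as a border device might export them:
# (timestamp, source IP, destination IP, direction). All values are made up.
SAMPLE_FLOWS = [
    ("2008-06-01T10:00:01", "203.0.113.25", "1.2.3.4", "outbound"),   # legitimate
    ("2008-06-01T10:00:02", "10.0.0.7", "1.2.3.4", "outbound"),       # private source leaking out
    ("2008-06-01T10:00:02", "5.6.7.8", "1.2.3.4", "outbound"),        # spoofed: not our address
    ("2008-06-01T10:00:03", "1.2.3.4", "203.0.113.25", "inbound"),    # inbound, not subject to egress filter
]


def egress_violations(flows, org_prefixes=ORG_PREFIXES):
    """Return the outbound flows an egress filter would have dropped.

    Each result is (timestamp, source, destination, classification) so the
    analyst can map the hit back to a switch or router port (Step 9).
    """
    hits = []
    for ts, src, dst, direction in flows:
        if direction != "outbound":
            continue
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            hits.append((ts, src, dst, "invalid"))
            continue
        if not any(ip in net for net in org_prefixes):
            hits.append((ts, src, dst, classify_source(src, org_prefixes)))
    return hits


if __name__ == "__main__":
    for addr in ("203.0.113.25", "10.0.0.7", "5.6.7.8", "224.0.0.1"):
        print(addr, "->", classify_source(addr))
    for hit in egress_violations(SAMPLE_FLOWS):
        print("egress filter would drop:", hit)
```

A source classified as "invalid" supports the spoofing hypothesis of Step 9 and points the investigation at port statistics and the Collector View rather than at the WHOIS owner; an "internal" source leads into Step 10.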