Methodolgy to ID source of DOS attack

After the lack of response to this, I am questioning whether people think I'm just dumb and shouldn't be asking something so obvious, or if this is something most people don't see or bother to look into.

 

 

I'm fairly certain that the source of these packets was internal, related to application testing, and that spoofing is unlikely. I didn't think to run netstat -a at the time, though that is an excellent suggestion. It is interesting to think about whether these connections will show up or not.

 

 

At the time I was doing a tcpdump looking for RST packets, but upon reflection that was a stupid idea since the LTM is dropping the SYN packets instead of sending RSTs, so I wouldn't have captured the RSTs. What I should have done (duh)is filter on SYN packets - maybe capture say, 1000 packets. If the LTM is dropping 16000 per second, I would expect most of those 1000 captured packets to be from the suspect device.

 

 

I suspect tcpdump is probably the right command to be using. I just assumed there'd be some bigpipe command that could easily ID the source, but I must be wrong about that.