Home page logo
/

basics logo Security Basics mailing list archives

Re: DDOS attacks
From: Ron <iago () valhallalegends com>
Date: Thu, 16 Dec 2004 15:48:45 -0600

I don't have any information sources, but maybe I can make it a little more clear. The IPs are likely zombie machines that have already been compromised, and that have the rootkit/trojan software running on them. It's very unlikely that they are targetting you at random, since when you use a DDoS net it tends to get noticed, and you tend to lose bots as a result. So they only target sites that they have some problem with.

The reason I get DDoSed frequently is because my site provides a service to Battle.net users that prevents many from logging onto Battle.net while our site is down, and it makes the person feel powerful to do that, and he goes around bragging about how awesome he is. Although I think the service we run is stupid anyway, that's another story.

The other reason I've seen people DDoS is blackmail or extortion -- "YOU do this for ME, or I'm going to hold down your servers". But if you haven't received any demands, then likely they are doing it to prove a point. Or maybe they got your address mixed up with somebody else's.

There's few things you can do to mitigate it:
- Try changing the DNS that they're targetting. If you can point "www.yoursite.com" to, say, "www.fbi.gov" while the attack is going on, then it becomes somebody else's problem. Of course, the DDoSer's that I'm familiar with are smarter than that, and go by ip. - If they're targetting a particular service, turn it off. An effective SYN flood can only take place if there are open ports. Of course, if this is a web server, that's not really an option. - Turn off/unplug the server/ip that they're targetting. That'll save the rest of your network from being taken down. The server I use has 2 ips, a public and a private (secure and obscure). When somebody DDoSes, we turn off the public one until they're done. Of course, it wouldn't be hard to find the private, but it also wouldn't be hard to change it. - Get a Firewall or IPS that can detect floods and stop them from entering your network. These tend to be expensive, and, if they're exhausting your bandwidth anyway, not terribly effective. - Talk to your ISP, and get them to filter out the source IPs at their end. If you're dealing with a net of hundreds or thousands, that may be difficult. It doesn't help that most ISPs are pretty much impossible to contact. If you have this problem frequently, of course, you may end up with an internal contact there that you can phone directly whenever this happens.

I hope some of this helps.
-Ron

Brian T wrote:

Hello List,

Over recent days I have been experiencing intermitent DDOS attacks that have been crushing my firewall. The source IP addresses and timing have remained relatively consistent since the problem was discovered. I would like to perform some research on these IPs to better understand this attack. Specially, I would like to know if this attack is directed at me or a bot-net picking my network at random. Are there any sources of information that could help me make this determination?

I appreciate any help,

Brian

_________________________________________________________________
Is your PC infected? Get a FREE online computer virus scan from McAfee® Security. http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963





  By Date           By Thread  

Current thread:
  • DDOS attacks Brian T (Dec 16)
    • Re: DDOS attacks Ron (Dec 17)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault