mailing list archives
Re: DDOS attacks
From: Ron <iago () valhallalegends com>
Date: Thu, 16 Dec 2004 15:48:45 -0600
I don't have any information sources, but maybe I can make it a little
more clear. The IPs are likely zombie machines that have already been
compromised, and that have the rootkit/trojan software running on them.
It's very unlikely that they are targeting you at random, since when
you use a DDoS net it tends to get noticed, and you tend to lose bots as
a result. So they only target sites that they have some problem with.
The reason I get DDoSed frequently is because my site provides a service
to Battle.net users that prevents many from logging onto Battle.net
while our site is down, and it makes the person feel powerful to do
that, and he goes around bragging about how awesome he is. Although I
think the service we run is stupid anyway, that's another story.
The other reason I've seen people DDoS is blackmail or extortion -- "YOU
do this for ME, or I'm going to hold down your servers". But if you
haven't received any demands, then likely they are doing it to prove a
point. Or maybe they got your address mixed up with somebody else's.
There are a few things you can do to mitigate it:
- Try changing the DNS that they're targeting. If you can point
"www.yoursite.com" to, say, "www.fbi.gov" while the attack is going on,
then it becomes somebody else's problem. Of course, the DDoSers that
I'm familiar with are smarter than that, and go by IP.
- If they're targeting a particular service, turn it off. An effective
SYN flood can only take place if there are open ports. Of course, if
this is a web server, that's not really an option.
- Turn off/unplug the server/IP that they're targeting. That'll save
the rest of your network from being taken down. The server I use has two
IPs, a public and a private (secure and obscure). When somebody DDoSes,
we turn off the public one until they're done. Of course, it wouldn't
be hard to find the private, but it also wouldn't be hard to change it.
- Get a firewall or IPS that can detect floods and stop them from
entering your network. These tend to be expensive, and, if they're
exhausting your bandwidth anyway, not terribly effective.
- Talk to your ISP, and get them to filter out the source IPs at their
end. If you're dealing with a net of hundreds or thousands, that may be
difficult. It doesn't help that most ISPs are pretty much impossible to
contact. If you have this problem frequently, of course, you may end up
with an internal contact there that you can phone directly whenever this
I hope some of this helps.
Brian T wrote:
Over recent days I have been experiencing intermittent DDOS attacks
that have been crushing my firewall. The source IP addresses and
timing have remained relatively consistent since the problem was
discovered. I would like to perform some research on these IPs to
better understand this attack. Specifically, I would like to know if
this attack is directed at me or a bot-net picking my network at
random. Are there any sources of information that could help me make
I appreciate any help,
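As an added example (not code from either poster), this script does the research Brian asks about: it parses firewall drop logs, counts SYNs per source IP in ten-second windows, and reports the sources whose rate stays high across windows, which is the list you would hand your ISP for upstream filtering. The log format, addresses and threshold are assumed; the log lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Assumed syslog-style drop line: "<ISO timestamp> DROP <proto> <src>:<sport> -> <dst>:<dport> <flags>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP (?P<proto>\w+) (?P<src>[\d.]+):\d+ -> [\d.]+:\d+ (?P<flags>\S+)$"
)
EPOCH = datetime(1970, 1, 1)  # naive, so no local-timezone surprises


def make_sample_log():
    """Constructed log: two flooding sources plus one ordinary client that retried."""
    base = datetime(2004, 12, 16, 15, 40, 0)
    lines = []
    for i in range(240):  # 192.0.2.10: 4 SYN/s for 60 s
        ts = base + timedelta(seconds=i // 4)
        lines.append(f"{ts.isoformat()} DROP TCP 192.0.2.10:{3000 + i} -> 203.0.113.5:80 SYN")
    for i in range(90):  # 198.51.100.7: 3 SYN/s for 30 s, starting 10 s in
        ts = base + timedelta(seconds=10 + i // 3)
        lines.append(f"{ts.isoformat()} DROP TCP 198.51.100.7:{4000 + i} -> 203.0.113.5:80 SYN")
    for i in range(3):  # 192.0.2.99: three retries, not a flood
        ts = base + timedelta(seconds=5 * i)
        lines.append(f"{ts.isoformat()} DROP TCP 192.0.2.99:{5000 + i} -> 203.0.113.5:80 SYN")
    return "\n".join(lines)


def syn_counts_per_window(log_text, window_s=10):
    """Count dropped SYNs per (source IP, window index); malformed lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["flags"] != "SYN":
            continue
        seconds = (datetime.fromisoformat(m["ts"]) - EPOCH).total_seconds()
        counts[(m["src"], int(seconds) // window_s)] += 1
    return counts


def flood_sources(log_text, window_s=10, threshold=20):
    """Return (src, peak SYNs in a window, windows over threshold), busiest first."""
    peak, hot_windows = {}, Counter()
    for (src, _window), n in syn_counts_per_window(log_text, window_s).items():
        if n >= threshold:  # threshold is an assumption; tune to your normal traffic
            hot_windows[src] += 1
            peak[src] = max(peak.get(src, 0), n)
    return sorted(((s, peak[s], hot_windows[s]) for s in peak), key=lambda r: -r[1])
```

A source that is hot in many consecutive windows, as both flooders are here, is the "consistent" pattern Brian describes, while the retrying client never crosses the threshold.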