Security Incidents
mailing list archives
RE: DoS attack... what to do?
From: "Craig Skelton" <craig () craigskelton com>
Date: Tue, 4 Jan 2005 21:33:17 -0800
Actually, many ISPs are not terribly happy to "work with you", as "their
time" is a resource just as much as their bandwidth is, and this often
requires the attention of the most senior people. Customers who repeatedly
get DoS'd often find themselves invited to take their business elsewhere.
Many ISPs also lack the gear to do much anyway, even if they could. Placing
10,000 hosts into an ACL is never a particularly fun idea, but they should
be able to use CARS or some type of shaping to limit your exposure. I've
done similar things (mostly always IRC related). If they have big iron, then
they should be able to do layer 3 filtering or routemaps.
Now the question is: Who did you piss off?
Do you own any of the domains listed? I assume you've looked some of them
up? I added one to the bottom of this email; you might garner a clue as to
who is involved by speaking to these people.
Just for fun, do what others have suggested and sniff the traffic. Tcpdump
will even work. Find out if it's IRC traffic by any chance. Who knows,
perhaps you've got a botnet?
Anyway, simple requests to the ISP are the best. Things like "please block
port x to ip x.x.x.x. None of the traffic to that port is legitimate."
Whois to follow:
----SNIP---
Visit: http://www.RegisterFly.com
Domain name: elite-coders.org
Registrant Contact:
elite mirc (webmaster () codemsn net)
+1.1457836598
Fax:
345manchester
manchester
ashton, AK ol59hd
Administrative Contact:
elite mirc (webmaster () codemsn net)
+1.1457836598
Fax:
345manchester
manchester
ashton, AK ol59hd
Technical Contact:
elite mirc (webmaster () codemsn net)
+1.1457836598
Fax:
345manchester
manchester
ashton, AK ol59hd
Billing Contact:
elite mirc (webmaster () codemsn net)
+1.1457836598
Fax:
345manchester
manchester
ashton, AK ol59hd
Status: Active
Name Servers:
ns1.nexhost.org
ns2.nexhost.org
Creation date: 08 Feb 2004 16:39:53
Expiration date: 08 Feb 2005 16:39:53
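A sketch of the triage suggested in the message above (sniff the traffic, check whether it is IRC, then name one port and one IP to the ISP), added here as an example and not part of the original post. It assumes `tcpdump -nn` text output; the sample lines, the addresses and the IRC port set are constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: ports conventionally used by IRC servers (6660-6669 plain, 6697 TLS).
IRC_PORTS = set(range(6660, 6670)) | {6697}

# Matches `tcpdump -nn` IPv4 lines: "<time> IP src.sport > dst.dport: ..."
LINE_RE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): ")

def summarize(lines, target_ip):
    """Return {dst_port: {"packets": n, "sources": set}} for traffic sent to target_ip."""
    ports = defaultdict(lambda: {"packets": 0, "sources": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group(3) != target_ip:
            continue  # skips portless lines (ICMP) and traffic leaving the target
        entry = ports[int(m.group(4))]
        entry["packets"] += 1
        entry["sources"].add(m.group(1))
    return dict(ports)

def report(lines, target_ip):
    """Rank destination ports by packet count: (port, packets, distinct sources, is_irc)."""
    rows = [
        (port, e["packets"], len(e["sources"]), port in IRC_PORTS)
        for port, e in summarize(lines, target_ip).items()
    ]
    return sorted(rows, key=lambda r: r[1], reverse=True)

# Constructed sample capture using documentation address ranges, not real traffic.
SAMPLE = """\
21:33:17.000101 IP 198.51.100.7.40112 > 203.0.113.10.6667: Flags [S], seq 1, win 512, length 0
21:33:17.000204 IP 198.51.100.8.40113 > 203.0.113.10.6667: Flags [S], seq 1, win 512, length 0
21:33:17.000377 IP 198.51.100.9.51000 > 203.0.113.10.6667: Flags [S], seq 1, win 512, length 0
21:33:17.000412 IP 198.51.100.7.40114 > 203.0.113.10.6667: Flags [S], seq 1, win 512, length 0
21:33:17.000530 IP 192.0.2.44.55012 > 203.0.113.10.80: Flags [S], seq 1, win 65535, length 0
21:33:17.000611 IP 203.0.113.10.6667 > 198.51.100.7.40112: Flags [S.], seq 1, ack 2, win 512, length 0
21:33:17.000700 IP 198.51.100.9 > 203.0.113.10: ICMP echo request, id 1, seq 1, length 64
""".splitlines()

if __name__ == "__main__":
    for port, pkts, srcs, irc in report(SAMPLE, "203.0.113.10"):
        print(f"port {port}: {pkts} packets from {srcs} sources" + (" (IRC port)" if irc else ""))
```

The top row gives the port and target IP to put in the request to the ISP; whether any traffic to that port is legitimate remains the operator's call.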