Security Incidents: RE: DoS attack... what to do?

["Shaffer, Bruce" <BShaffer () PRAC com>]

Try contacting your ISP and explaining the situation.  Most ISPs have
experience by this time in dealing with DDoS at their perimeter.  You can
also use them to find out who is up-stream from them and then contact those
ISPs as well.

About the only thing you can do for a DDoS is to work with your ISP to
control things on his net.  They should be more than happy to work with you
as this affects their performance and resources including their SLAs.

I'm not sure what abuse () isp com is going to do for you.  10 will get you 20
someone is using a botnet against you.

Now the question is: Who did you piss off?
-B-

-----Original Message-----
From: Nigel Kukard [mailto:nkukard () lbsd net] 
Sent: Tuesday, January 04, 2005 2:41 PM
To: incidents () securityfocus com
Subject: DoS attack... what to do?

Hi Guys,

Here is the situation...

I have a dedicated server at ISP X, about 1 week after I signed up for 
the service I received a DoS attack against my DNS service... the attack 
came from over 10,000 IP addresses and tried to resolve the following 
domain names...

leet.nexhost.org
ns1.nexhost.org
ns2.nexhost.org
floop.m33pm33p.info
irc.k1hosting.net
b0tn3t.elite-coders.org


I thought i would be clever and changed root.cache on my named service 
to resolve all dns queries to 127.0.0.1, this seems to of worked for 
about 1hr. Next I get even more attacks on port 5556 which I don't even 
use and basically by default drop everything to that port.

I have sent off abuse reports for over 10,000 IP's, grouping them by ISP 
and sending 1 email per ISP.....

What to do? I've got a constant 200Kbps of traffic, and its kinda 
bugging me...

Any help would greatly be appreciated.  (btw, netsky.V uses port 5556)


Regards
Nigel Kukard