#1
How the HELL do I stop a DoS attack? I already banned the IP(s) in question (68.158.10.55); however, banning them doesn't help because the requests are still sent. The site hasn't gone down, but it's still murder on the server... It's been going on for < 2 days now....

Any advice?

Resolving that IP gives,
Hostname: adsl-158-10-55.asm.bellsouth.net
although it could be a proxy, should I contact BellSouth?

-- edit 2, I just sent an email to BellSouth; maybe, maybe not, but hopefully they will do something.

dr.nil
#2
On Fri, 17 Jun 2005 07:36:58 +0530, dr.nil wrote:

> How the HELL do I stop a DoS attack?

Get the offending pc(s) knocked offline.

> I already banned the IP(s) in question (68.158.10.55) however, banning
> them doesn't help because the requests are still sent.

Yes, just like putting up a screen door, it does not stop the street noise.

> Any advice?
>
> Resolving that IP gives,
> Hostname: adsl-158-10-55.asm.bellsouth.net

mail subject: DoS attack from 68.158.10.55

X day of attack from 68.158.10.55
copy of logs follow:
(today's logs)
old logs

I would email them every day.

Bit Twister
#3
From: "dr.nil" <>

| How the HELL do I stop a DoS attack? I already banned the IP(s) in
| question (68.158.10.55) however, banning them doesn't help because the
| requests are still sent. The site hasn't gone down, but it's still
| murder on the server... It's been going on for < 2 days now....
|
| Any advice?
|
| Resolving that IP gives,
| Hostname: adsl-158-10-55.asm.bellsouth.net
| although it could be a proxy, should I contact BellSouth -- edit 2, I just sent an email to
| bellsouth, maybe, maybe not, but hopefully, they will do something?

Use a Broadband Router and set the security settings to their highest level so it doesn't look like there is anything active behind the IP address. If you have FireWall logs to show that you are the target of a DoS attack then yes, submit the logs to BellSouth's abuse/security address. In actuality, rarely are residential IP addresses the subject of a DoS attack.

* At least this post was On Topic ! *

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

David H. Lipman
#4
On Fri, 17 Jun 2005 07:36:58 +0530, dr.nil <> wrote:

> How the HELL do I stop a DoS attack? I already banned the IP(s) in
> question (68.158.10.55) however, banning them doesn't help because the
> requests are still sent. The site hasn't gone down, but it's still
> murder on the server... It's been going on for < 2 days now....
>
> Any advice?
>
> Resolving that IP gives,
> Hostname: adsl-158-10-55.asm.bellsouth.net
> although it could be a proxy, should I contact BellSouth -- edit 2, I
> just sent an email to bellsouth, maybe, maybe not, but hopefully, they
> will do something?

Last time I had an issue with bellsouth they proved very deaf, although I managed to get them to forward me all round the company incoming on their 800 number. They ignored email totally.

--
Jim Watt
http://www.gibnet.com

Jim Watt
#5
David H. Lipman Wrote:

> Use a Broadband Router and set the security settings to their highest
> level so it doesn't look like there is anything active behind the IP
> address. If you have FireWall logs to show that you are the target of a
> DoS attack then yes, submit the logs to BellSouth's abuse/security
> address. In actuality, rarely are residential IP addresses the subject
> of a DoS attack.
>
> * At least this post was On Topic ! *

Sorry for being off-topic, David, and thanks for your helpful message. Please pardon me as I am new here.

Thanks

dr.nil
#6
dr.nil wrote:

> Please pardon me as I am new here.
>
> Thanks.

It's also worth talking to your upstream provider (ISP). They may be helpful and block it at their gateway router.

--
Chris Salter

Chris Salter
#7
In the Usenet newsgroup alt.computer.security, in article <>, dr.nil wrote:

> How the HELL do I stop a DoS attack? I already banned the IP(s) in
> question (68.158.10.55) however, banning them doesn't help because the
> requests are still sent.

"the requests are still sent" What is that supposed to mean? Is your system infected and therefore causing the problem?

> Resolving that IP gives,
> Hostname: adsl-158-10-55.asm.bellsouth.net
> although it could be a proxy, should I contact BellSouth

BellSouth is about as competent as VSNL. If you have no reason to connect to them, simply block it.

    [compton ~]$ grep -i bellsouth address.blocks | awk '{ print $1" "$2" " $3 }' | column
    65.0.0.0 - 65.15.255.255        68.208.0.0 - 68.223.255.255
    65.80.0.0 - 65.83.255.255       205.152.0.0 - 205.152.255.255
    66.20.0.0 - 66.21.255.255       208.60.0.0 - 208.63.255.255
    66.156.0.0 - 66.157.255.255     209.214.0.0 - 209.215.255.255
    68.16.0.0 - 68.19.255.255       216.76.0.0 - 216.79.255.255
    68.152.0.0 - 68.159.255.255
    [compton ~]$

That's probably not all of their space, but it's a good start.

Old guy

Moe Trin
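Moe Trin's list above is in "first - last" form, which is how blocklists and registries usually publish ranges but not what a firewall rule wants. The script below is an added example, not code from the thread or from anyone in it: it takes that exact list, collapses it into CIDR blocks, checks whether the address from the original post falls inside one of them, and emits one DROP rule per block. The range text is the posted list retyped one range per line; the chain and interface names in the generated rules are assumptions.

```python
"""Collapse an ISP's published address ranges into CIDR blocks and rules.

Added example, not part of the original thread. The range list is the one
Moe Trin printed from his address.blocks file, one 'first - last' pair per
line; the chain and interface names used for the generated rules are
assumptions.
"""
import ipaddress

# The eleven ranges from the post, as constructed input for this example.
BELLSOUTH_RANGES = """\
65.0.0.0 - 65.15.255.255
65.80.0.0 - 65.83.255.255
66.20.0.0 - 66.21.255.255
66.156.0.0 - 66.157.255.255
68.16.0.0 - 68.19.255.255
68.152.0.0 - 68.159.255.255
68.208.0.0 - 68.223.255.255
205.152.0.0 - 205.152.255.255
208.60.0.0 - 208.63.255.255
209.214.0.0 - 209.215.255.255
216.76.0.0 - 216.79.255.255
"""


def parse_ranges(text):
    """Parse 'first - last' lines into (IPv4Address, IPv4Address) pairs.

    Blank lines and '#' comments are skipped; a reversed range is an error
    rather than a silently empty block.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        first, last = (part.strip() for part in line.split("-", 1))
        lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        if lo > hi:
            raise ValueError(f"reversed range: {raw!r}")
        pairs.append((lo, hi))
    return pairs


def to_cidrs(pairs):
    """Turn arbitrary ranges into the smallest list of CIDR networks.

    summarize_address_range splits a range that is not CIDR-aligned into
    several blocks; collapse_addresses then merges adjacent or nested ones.
    """
    nets = []
    for lo, hi in pairs:
        nets.extend(ipaddress.summarize_address_range(lo, hi))
    return list(ipaddress.collapse_addresses(nets))


def address_count(nets):
    """Total number of addresses covered by the blocks."""
    return sum(net.num_addresses for net in nets)


def find_block(nets, ip):
    """Return the block containing ip, or None if the list does not cover it."""
    addr = ipaddress.IPv4Address(ip)
    for net in nets:
        if addr in net:
            return net
    return None


def iptables_rules(nets, chain="INPUT", iface="eth0"):
    """One DROP rule per block for the host firewall (assumed chain/iface).

    Dropping here saves log noise and connection state, not inbound
    bandwidth: the packet has already crossed the link when it is dropped.
    """
    return [f"iptables -A {chain} -i {iface} -s {net} -j DROP" for net in nets]


if __name__ == "__main__":
    blocks = to_cidrs(parse_ranges(BELLSOUTH_RANGES))
    print(f"{len(blocks)} blocks covering {address_count(blocks):,} addresses")
    print("68.158.10.55 falls in", find_block(blocks, "68.158.10.55"))
    print("\n".join(iptables_rules(blocks)))
```

The posted ranges happen to be CIDR-aligned, so each becomes a single block; `to_cidrs` still handles a ragged range (say 10.0.0.0 - 10.0.5.255) by splitting it into several blocks, and merges two adjacent halves back into one. Host-level DROP rules keep the firewall log and the connection table quiet; as the rest of the thread says, only the upstream ISP can stop the bytes from reaching the link in the first place.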
#8
Moe Trin <> wrote:

> In the Usenet newsgroup alt.computer.security, in article
> <>, dr.nil wrote:
>
>> How the HELL do I stop a DoS attack? I already banned the IP(s) in
>> question (68.158.10.55) however, banning them doesn't help because the
>> requests are still sent.
>
> "the requests are still sent" What is that supposed to mean? Is your
> system infected and therefore causing the problem?

I presume it means incoming bandwidth is still being chewed up? If sufficient bandwidth is consumed, the server will be unreachable - even if all the packets are dropped...

Getting your own ISP to re-route this IP to /dev/null would probably be the best (immediate) solution, as mentioned earlier.

Joachim

Joachim Schipper
#9
In the Usenet newsgroup alt.computer.security, in article <42c718f5$0$29524$>, Joachim Schipper wrote:

> Moe Trin <> wrote:
>> In the Usenet newsgroup alt.computer.security, in article
>> <>, dr.nil wrote:

Getting a little behind on the reading? That thread was 16 days ago.

>>> How the HELL do I stop a DoS attack? I already banned the IP(s) in
>>> question (68.158.10.55) however, banning them doesn't help because the
>>> requests are still sent.

My inference was that he had a firewall entry to block the bellsouth address. However, there was no information on the protocol involved. An ICMP echo request, or a UDP packet, would still consume bandwidth, while TCP would be blocked.

>> "the requests are still sent" What is that supposed to mean? Is your
>> system infected and therefore causing the problem?
>
> I presume it means incoming bandwidth is still being chewed up?

It could also be log space - many firewalls are configured to log all blocks so that you can see what a brave little firewall it is, doing its job of defending freedo.... Sorry, got carried away there. The other interpretation could be that his computer was infected, and was trying to send requests to the bellsouth address. Really, there wasn't enough detail to identify it either way.

> If sufficient bandwidth is consumed, the server will be unreachable - even
> if all the packets are dropped...

Agreed

> Getting your own ISP to re-route this IP to /dev/null would probably be
> the best (immediate) solution, as mentioned earlier.

We use port translation on UDP, so that our outgoing UDP packets (mainly DNS) are shifted out of the range 1025 to 1200. This allows our upstream to drop inbound UDP to that range - getting rid of windoze messenger spams. ICMP is selectively filtered as well.

As far as bellsouth is concerned, the bottom of my post listed 3.3 million addresses that might have trouble reaching us. We don't seem to be missing anything, so maybe it's a good thing.

Old guy

Moe Trin
#10
Moe Trin <> wrote:

> In the Usenet newsgroup alt.computer.security, in article
> <42c718f5$0$29524$>, Joachim Schipper wrote:
>> Moe Trin <> wrote:
>>> In the Usenet newsgroup alt.computer.security, in article
>>> <>, dr.nil wrote:
>
> Getting a little behind on the reading? That thread was 16 days ago.

Ooopsie. Sorry, should have checked that beforehand. I ran out of recent threads, really...

> It could also be log space - many firewalls are configured to log all
> blocks so that you can see what a brave little firewall it is, doing
> its job of defending freedo.... Sorry, got carried away there.
> The other interpretation could be that his computer was infected, and
> was trying to send requests to the bellsouth address. Really, there
> wasn't enough detail to identify it either way.

That's true. And I agree that logging everything tends towards the excessive. Then again, what *should* be logged? I'm leaning toward turning off firewall logging and letting Snort sort out the incoming mess, but that has its own problems (performance can be easily degraded, Snort isn't 100% safe itself - keep in mind it will almost certainly be installed on a border machine - keeping Snort rules up to date is a pain, and firewall logs tend to contain stuff that Snort will miss).

>> Getting your own ISP to re-route this IP to /dev/null would probably be
>> the best (immediate) solution, as mentioned earlier.
>
> We use port translation on UDP, so that our outgoing UDP packets (mainly
> DNS) are shifted out of the range 1025 to 1200. This allows our upstream
> to drop inbound UDP to that range - getting rid of windoze messenger
> spams. ICMP is selectively filtered as well.

Neat trick. That one's going into my book. Shouldn't be too hard to implement.

Joachim

Joachim Schipper
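Three points in the thread turn on the same data: Bit Twister's "copy of logs follow" abuse mail (#2), Moe Trin's observation that nobody said which protocol was involved (#9), and Joachim's question of what is worth logging (#10). The script below is an added example, not code from the thread or from any of its participants. It parses netfilter LOG lines (the kernel's "prefix IN=... SRC=... LEN=... PROTO=..." format) into per-source packet and byte totals broken down by protocol and by the rule prefix that logged them, and then assembles the abuse mail in the shape Bit Twister outlined. The log lines are constructed for this example: the attacking address is the one from the original post, the other addresses are RFC 5737 documentation addresses, and the "DROP"/"ACCEPT" prefixes assume the rules were logged with those `--log-prefix` values.

```python
"""Summarise netfilter LOG lines per source and build an abuse report.

Added example, not from the thread. The log lines are constructed in the
shape of the Linux kernel's netfilter LOG output (a '--log-prefix' verdict
followed by KEY=VALUE fields). The attacking address is the one from the
thread; the others are documentation addresses (RFC 5737).
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Jun 17 07:36:58 www kernel: DROP IN=eth0 OUT= SRC=68.158.10.55 DST=203.0.113.5 LEN=60 TTL=51 ID=1 DF PROTO=TCP SPT=3345 DPT=80 WINDOW=5840 SYN
Jun 17 07:36:58 www kernel: DROP IN=eth0 OUT= SRC=68.158.10.55 DST=203.0.113.5 LEN=60 TTL=51 ID=2 DF PROTO=TCP SPT=3346 DPT=80 WINDOW=5840 SYN
Jun 17 07:36:59 www kernel: DROP IN=eth0 OUT= SRC=68.158.10.55 DST=203.0.113.5 LEN=1500 TTL=51 ID=3 PROTO=UDP SPT=1025 DPT=1026
Jun 17 07:36:59 www kernel: DROP IN=eth0 OUT= SRC=68.158.10.55 DST=203.0.113.5 LEN=1500 TTL=51 ID=4 PROTO=UDP SPT=1025 DPT=1027
Jun 17 07:37:00 www kernel: DROP IN=eth0 OUT= SRC=68.158.10.55 DST=203.0.113.5 LEN=84 TTL=51 ID=5 PROTO=ICMP TYPE=8 CODE=0
Jun 17 07:37:01 www kernel: DROP IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 LEN=48 TTL=112 ID=6 DF PROTO=TCP SPT=4021 DPT=445 WINDOW=16384 SYN
Jun 17 07:37:02 www kernel: ACCEPT IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.5 LEN=52 TTL=60 ID=7 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=65535 SYN
"""

# Everything between 'kernel:' and the first 'IN=' is the rule's --log-prefix.
HEADER = re.compile(r"^(?P<when>\w{3} +\d+ [\d:]+) \S+ kernel: (?P<prefix>.*?) ?IN=")
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Return the KEY=VALUE fields plus 'when' and 'prefix', or None for other lines."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = dict(FIELD.findall(line[m.end("prefix"):]))
    if "SRC" not in rec:
        return None
    rec["when"] = m.group("when")
    rec["prefix"] = m.group("prefix") or "(none)"
    return rec


def summarise(log_text):
    """Per-source packet/byte totals, broken down by protocol and verdict.

    LEN is the IP total length, so 'bytes' is what arrived on the interface,
    whatever the firewall then decided to do with the packet.
    """
    stats = defaultdict(lambda: {
        "packets": 0, "bytes": 0, "first": None, "last": None,
        "proto": defaultdict(int), "verdict": defaultdict(int), "dports": set(),
    })
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["SRC"]]
        s["packets"] += 1
        s["bytes"] += int(rec.get("LEN", 0))
        s["first"] = s["first"] or rec["when"]
        s["last"] = rec["when"]
        s["proto"][rec.get("PROTO", "?")] += 1
        s["verdict"][rec["prefix"]] += 1
        if "DPT" in rec:
            s["dports"].add(int(rec["DPT"]))
    return dict(stats)


def top_sources(stats, n=5):
    """Sources ordered by bytes received, heaviest first."""
    return sorted(stats.items(), key=lambda kv: kv[1]["bytes"], reverse=True)[:n]


def abuse_report(log_text, src):
    """(subject, body) for the ISP's abuse desk, raw log lines as evidence."""
    stats = summarise(log_text)
    if src not in stats:
        raise KeyError(f"no log lines from {src}")
    s = stats[src]
    mix = ", ".join(f"{p} {c}" for p, c in sorted(s["proto"].items()))
    # Trailing space keeps 68.158.10.5 from matching 68.158.10.55 and so on.
    evidence = [l for l in log_text.splitlines() if f"SRC={src} " in l]
    body = [
        f"{s['packets']} packets ({s['bytes']} bytes) from {src}",
        f"between {s['first']} and {s['last']}; protocols: {mix}",
        f"destination ports: {sorted(s['dports'])}",
        "",
        "copy of logs follow:",
        *evidence,
    ]
    return f"DoS attack from {src}", "\n".join(body)


if __name__ == "__main__":
    stats = summarise(SAMPLE_LOG)
    for src, s in top_sources(stats):
        print(f"{src:16} {s['packets']:4} pkts {s['bytes']:7} bytes {dict(s['proto'])}")
    subject, body = abuse_report(SAMPLE_LOG, "68.158.10.55")
    print("\nSubject:", subject, "\n\n" + body)
```

Run against a real `/var/log/messages` (or `journalctl -k`), the per-protocol breakdown answers Moe Trin's question directly, and the byte totals make Joachim's point visible: every counted byte reached the interface regardless of the verdict. On the logging question, the usual compromise is to keep logging but rate-limit the LOG rule with the iptables `limit` match (for example `-m limit --limit 5/min`) so a flood cannot fill the disk while the evidence is still collected.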