Being DoSed?

Discussion in 'Computer Security' started by dr.nil, Jun 17, 2005.

  1. dr.nil

    dr.nil Guest

    How the HELL do I stop a DoS attack? I already banned the IP(s) in
    question (68.158.10.55) however, banning them doesn't help because the
    requests are still sent. The site hasn't gone down, but it's still
    murder on the server... It's been going on for < 2 days now....

    Any advice?


    Resolving that IP gives,
    Hostname: adsl-158-10-55.asm.bellsouth.net
    although it could be a proxy, should I contact BellSouth -- edit 2, I
    just sent an email to bellsouth, maybe, maybe not, but hopefully, they
    will do something?

    --
    dr.nil
    ------------------------------------------------------------------------
    dr.nil's Profile: http://forums.techarena.in/member.php?userid=4402
    View this thread: http://forums.techarena.in/showthread.php?t=229927
    Visit - http://forums.techarena.in/archive/index.php/ | http://www.techarena.in
    dr.nil, Jun 17, 2005
    #1

  2. dr.nil

    Bit Twister Guest

    On Fri, 17 Jun 2005 07:36:58 +0530, dr.nil wrote:
    >
    > How the HELL do I stop a DoS attack?


    Get the offending pc(s) knocked offline.

    > I already banned the IP(s) in
    > question (68.158.10.55) however, banning them doesn't help because the
    > requests are still sent.


    Yes, just like putting up a screen door, it does not stop
    the street noise.

    > Any advice?
    >
    >
    > Resolving that IP gives,
    > Hostname: adsl-158-10-55.asm.bellsouth.net


    mail subject DoS attack from 68.158.10.55

    X day of attack from 68.158.10.55
    copy of logs follow:
    (todays logs)
    old logs


    I would email them every day.
    Bit Twister, Jun 17, 2005
    #2

  3. From: "dr.nil" <>

    | How the HELL do I stop a DoS attack? I already banned the IP(s) in
    | question (68.158.10.55) however, banning them doesn't help because the
    | requests are still sent. The site hasn't gone down, but it's still
    | murder on the server... It's been going on for < 2 days now....
    |
    | Any advice?
    |
    | Resolving that IP gives,
    | Hostname: adsl-158-10-55.asm.bellsouth.net
    | although it could be a proxy, should I contact BellSouth -- edit 2, I just sent an email to
    | bellsouth, maybe, maybe not, but hopefully, they will do something?
    | --
    | dr.nil
    | ------------------------------------------------------------------------
    | dr.nil's Profile: http://forums.techarena.in/member.php?userid=4402
    | View this thread: http://forums.techarena.in/showthread.php?t=229927
    | Visit - http://forums.techarena.in/archive/index.php/ | http://www.techarena.in

    Use a Broadband Router and set the security settings to their highest level so it doesn't
    look like there is anything active behind the IP address. If you have FireWall logs to show
    that you are the target of a DoS attack then yes, submit the logs to BellSouth's
    abuse/security address. In actuality, rarely are residential IP addresses the subject of a
    DoS attack.

    * At least this post was On Topic ! *

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
    David H. Lipman, Jun 17, 2005
    #3
  4. dr.nil

    Jim Watt Guest

    On Fri, 17 Jun 2005 07:36:58 +0530, dr.nil
    <> wrote:

    >
    >How the HELL do I stop a DoS attack? I already banned the IP(s) in
    >question (68.158.10.55) however, banning them doesn't help because the
    >requests are still sent. The site hasn't gone down, but it's still
    >murder on the server... It's been going on for < 2 days now....
    >
    >Any advice?
    >
    >
    >Resolving that IP gives,
    >Hostname: adsl-158-10-55.asm.bellsouth.net
    >although it could be a proxy, should I contact BellSouth -- edit 2, I
    >just sent an email to bellsouth, maybe, maybe not, but hopefully, they
    >will do soemthing?


    Last time I had an issue with bellsouth they proved very
    deaf, although I managed to get them to forward me all
    round the company incoming on their 800 number.

    They ignored email totally.
    --
    Jim Watt
    http://www.gibnet.com
    Jim Watt, Jun 17, 2005
    #4
  5. dr.nil

    dr.nil Guest

    David H. Lipman Wrote:
    > From: "dr.nil" <>
    >
    > | How the HELL do I stop a DoS attack? I already banned the IP(s) in
    > | question (68.158.10.55) however, banning them doesn't help because the
    > | requests are still sent. The site hasn't gone down, but it's still
    > | murder on the server... It's been going on for < 2 days now....
    > |
    > | Any advice?
    > |
    > | Resolving that IP gives,
    > | Hostname: adsl-158-10-55.asm.bellsouth.net
    > | although it could be a proxy, should I contact BellSouth -- edit 2, I just sent an email to
    > | bellsouth, maybe, maybe not, but hopefully, they will do something?
    > | --
    > | dr.nil
    > | ------------------------------------------------------------------------
    > | dr.nil's Profile: http://forums.techarena.in/member.php?userid=4402
    > | View this thread: http://forums.techarena.in/showthread.php?t=229927
    > | Visit - http://forums.techarena.in/archive/index.php/ | http://www.techarena.in
    >
    > Use a Broadband Router and set the security settings to their highest
    > level so it doesn't look like there is anything active behind the IP
    > address. If you have FireWall logs to show that you are the target of a
    > DoS attack then yes, submit the logs to BellSouth's abuse/security
    > address. In actuality, rarely are residential IP addresses the subject
    > of a DoS attack.
    >
    > * At least this post was On Topic ! *
    >
    > --
    > Dave
    > http://www.claymania.com/removal-trojan-adware.html
    > http://www.ik-cs.com/got-a-virus.htm

    Sorry for being offtopic David and thanks for your helpful message.


    Please pardon me as I am new here.

    Thanks

    --
    dr.nil
    ------------------------------------------------------------------------
    dr.nil's Profile: http://forums.techarena.in/member.php?userid=4402
    View this thread: http://forums.techarena.in/showthread.php?t=229927
    Visit - http://forums.techarena.in/archive/index.php/ | http://www.techarena.in
    dr.nil, Jun 17, 2005
    #5
  6. dr.nil

    Chris Salter Guest

    dr.nil wrote:

    > Please pardon me as I am new here.
    >
    > Thanks.


    It's also worth talking to your upstream provider (ISP). They may be helpful
    and block it at their gateway router.

    --
    Chris Salter
    Chris Salter, Jun 17, 2005
    #6
  7. dr.nil

    Moe Trin Guest

    In the Usenet newsgroup alt.computer.security, in article
    <>, dr.nil wrote:

    >How the HELL do I stop a DoS attack? I already banned the IP(s) in
    >question (68.158.10.55) however, banning them doesn't help because the
    >requests are still sent.


    "the requests are still sent" What is that supposed to mean? Is your
    system infected and therefore causing the problem?

    >Resolving that IP gives,
    >Hostname: adsl-158-10-55.asm.bellsouth.net
    >although it could be a proxy, should I contact BellSouth


    BellSouth is about as competent as VSNL. If you have no reason to
    connect to them, simply block it.

    [compton ~]$ grep -i bellsouth address.blocks | awk '{ print $1" "$2" " $3 }' | column
    65.0.0.0 - 65.15.255.255 68.208.0.0 - 68.223.255.255
    65.80.0.0 - 65.83.255.255 205.152.0.0 - 205.152.255.255
    66.20.0.0 - 66.21.255.255 208.60.0.0 - 208.63.255.255
    66.156.0.0 - 66.157.255.255 209.214.0.0 - 209.215.255.255
    68.16.0.0 - 68.19.255.255 216.76.0.0 - 216.79.255.255
    68.152.0.0 - 68.159.255.255
    [compton ~]$

    That's probably not all of their space, but it's a good start.

    Old guy
    Moe Trin, Jun 18, 2005
    #7
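    Moe Trin's list above is printed as "first - last" ranges, while firewall
    rules, ipset and nftables sets take CIDR prefixes. The following is an added
    example, not code from the thread or from Moe Trin's address.blocks tooling:
    it retypes his eleven printed ranges as a constant, converts them to the
    minimal set of prefixes with Python's standard ipaddress module, and reports
    which prefix covers the address dr.nil posted. The function names and the
    extra unaligned sample range are assumptions of mine; summarize_address_range
    also handles ranges that need more than one prefix, which the post's
    /8-aligned blocks never do.

```python
"""Convert printed 'first - last' address ranges into CIDR prefixes and test
addresses against them.  Added example for this thread: the ranges below are
retyped from Moe Trin's grep output; everything else is constructed."""
import ipaddress

# The eleven ranges from the post, one per line (the original output was
# two columns wide only because it was piped through `column`).
BELLSOUTH_RANGES = """
65.0.0.0 - 65.15.255.255
65.80.0.0 - 65.83.255.255
66.20.0.0 - 66.21.255.255
66.156.0.0 - 66.157.255.255
68.16.0.0 - 68.19.255.255
68.152.0.0 - 68.159.255.255
68.208.0.0 - 68.223.255.255
205.152.0.0 - 205.152.255.255
208.60.0.0 - 208.63.255.255
209.214.0.0 - 209.215.255.255
216.76.0.0 - 216.79.255.255
"""


def parse_ranges(text):
    """Yield (first, last) IPv4Address pairs from 'a.b.c.d - e.f.g.h' lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split("-")]
        if len(parts) != 2:
            raise ValueError(f"expected 'first - last': {line!r}")
        first, last = (ipaddress.IPv4Address(p) for p in parts)
        if last < first:
            raise ValueError(f"range end precedes start: {line!r}")
        yield first, last


def ranges_to_cidrs(text=BELLSOUTH_RANGES):
    """Minimal list of CIDR prefixes covering every range.  A range that is not
    aligned to a power-of-two boundary becomes several prefixes."""
    cidrs = []
    for first, last in parse_ranges(text):
        cidrs.extend(ipaddress.summarize_address_range(first, last))
    return cidrs


def covering_block(addr, cidrs=None):
    """Return the prefix containing addr, or None if it is outside all blocks."""
    ip = ipaddress.IPv4Address(addr)
    for net in (cidrs if cidrs is not None else ranges_to_cidrs()):
        if ip in net:
            return net
    return None


if __name__ == "__main__":
    for net in ranges_to_cidrs():
        print(net)
    # The address dr.nil reported falls inside the 68.152.0.0/13 block.
    print(covering_block("68.158.10.55"))
```

    Each of the posted ranges happens to be exactly one prefix, so the script
    prints eleven lines; feed it a range such as "10.0.0.0 - 10.0.0.5" and it
    returns two prefixes, which is why converting before writing rules beats
    guessing the mask by hand.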
  8. Moe Trin <> wrote:
    > In the Usenet newsgroup alt.computer.security, in article
    > <>, dr.nil wrote:
    >
    >>How the HELL do I stop a DoS attack? I already banned the IP(s) in
    >>question (68.158.10.55) however, banning them doesn't help because the
    >>requests are still sent.

    >
    > "the requests are still sent" What is that supposed to mean? Is your
    > system infected and therefore causing the problem?


    I presume it means incoming bandwidth is still being chewed up? If
    sufficient bandwidth is consumed, the server will be unreachable - even
    if all the packets are dropped...

    Getting your own ISP to re-route this IP to /dev/null would probably be
    the best (immediate) solution, as mentioned earlier.

    Joachim
    Joachim Schipper, Jul 2, 2005
    #8
  9. dr.nil

    Moe Trin Guest

    In the Usenet newsgroup alt.computer.security, in article
    <42c718f5$0$29524$>, Joachim Schipper wrote:
    >Moe Trin <> wrote:
    >> In the Usenet newsgroup alt.computer.security, in article
    >> <>, dr.nil wrote:


    Getting a little behind on the reading? That thread was 16 days ago.

    >>>How the HELL do I stop a DoS attack? I already banned the IP(s) in
    >>>question (68.158.10.55) however, banning them doesn't help because the
    >>>requests are still sent.


    My inference was that he had a firewall entry to block the bellsouth
    address. However there was no information of the protocol involved. An
    ICMP echo request, or UDP packet would still consume bandwidth, while
    TCP would be blocked.

    >> "the requests are still sent" What is that supposed to mean? Is your
    >> system infected and therefore causing the problem?

    >
    >I presume it means incoming bandwidth is still being chewed up?


    It could also be log space - many firewalls are configured to log all
    blocks so that you can see what a brave little firewall it is, doing
    its job of defending freedo.... Sorry, got carried away there.
    The other interpretation could be that his computer was infected, and
    was trying to send requests to the bellsouth address. Really, there
    wasn't enough detail to identify it either way.

    >If sufficient bandwidth is consumed, the server will be unreachable - even
    >if all the packets are dropped...


    Agreed

    >Getting your own ISP to re-route this IP to /dev/null would probably be
    >the best (immediate) solution, as mentioned earlier.


    We use port translation on UDP, so that our outgoing UDP packets (mainly
    DNS) are shifted out of the range 1025 to 1200. This allows our upstream
    to drop inbound UDP to that range - getting rid of windoze messenger
    spams. ICMP is selectively filtered as well. As far as bellsouth is
    concerned, the bottom of my post listed 3.3 million addresses that
    might have trouble reaching us. We don't seem to be missing anything, so
    maybe it's a good thing.

    Old guy
    Moe Trin, Jul 3, 2005
    #9
  10. Moe Trin <> wrote:
    > In the Usenet newsgroup alt.computer.security, in article
    > <42c718f5$0$29524$>, Joachim Schipper wrote:
    >>Moe Trin <> wrote:
    >>> In the Usenet newsgroup alt.computer.security, in article
    >>> <>, dr.nil wrote:

    >
    > Getting a little behind on the reading? That thread was 16 days ago.


    Ooopsie. Sorry, should have checked that beforehand.

    I ran out of recent threads, really...

    > It could also be log space - many firewalls are configured to log all
    > blocks so that you can see what a brave little firewall it is, doing
    > its job of defending freedo.... Sorry, got carried away there.
    > The other interpretation could be that his computer was infected, and
    > was trying to send requests to the bellsouth address. Really, there
    > wasn't enough detail to identify it either way.


    That's true.

    And I agree that logging everything tends towards the excessive. Then
    again, what *should* be logged? I'm leaning to turning off firewall
    logging and let Snort sort out the incoming mess, but that has its own
    problems (performance can be easily degraded, Snort isn't 100% safe
    itself - keep in mind it will almost certainly be installed on a border
    machine - keeping Snort rules up to date is a pain, and firewall logs
    tend to contain stuff that Snort will miss).

    >>Getting your own ISP to re-route this IP to /dev/null would probably be
    >>the best (immediate) solution, as mentioned earlier.

    >
    > We use port translation on UDP, so that our outgoing UDP packets (mainly
    > DNS) are shifted out of the range 1025 to 1200. This allows our upstream
    > to drop inbound UDP to that range - getting rid of windoze messenger
    > spams. ICMP is selectively filtered as well.


    Neat trick. That one's going into my book. Shouldn't be too hard to
    implement.

    Joachim
    Joachim Schipper, Jul 5, 2005
    #10
  11. dr.nil

    Moe Trin Guest

    In the Usenet newsgroup alt.computer.security, in article
    <42cadd5f$0$86120$>, Joachim Schipper wrote:
    >Moe Trin <> wrote:


    >> Getting a little behind on the reading? That thread was 16 days ago.

    >
    >Ooopsie. Sorry, should have checked that beforehand.


    The real problem is that the O/P is long gone, and probably won't see
    your response.

    >And I agree that logging everything tends towards the excessive.


    You see it all the time - someone posting that their firewall blocked
    some "attack" from here or there, and sorta asking what to do next.
    For the "home" or "SOHO" user, who is frequently using some toy firewall,
    and doesn't understand it anyway, the default 'log everything' and 'warn
    me when there is something happening' is wasting disk space and CPU
    cycles to no avail. If the firewall blocked it - fine - get on with life
    and stop bothering me with line noise.

    >Then again, what *should* be logged?


    The important stuff, naturally. ;-) Generally speaking, once you have
    the firewall up and running, and those applications and services that you
    need to use are working without interference from the firewall, then the
    logging should be cut back to a minimum - we log logins (failed as well
    as good) to a log server _AND_ a printer, but that's about it.

    >I'm leaning to turning off firewall logging and let Snort sort out the
    >incoming mess, but that has its own problems (performance can be easily
    >degraded, Snort isn't 100% safe itself - keep in mind it will almost
    >certainly be installed on a border machine - keeping Snort rules up to
    >date is a pain, and firewall logs tend to contain stuff that Snort will
    >miss).


    I'm under NDA, so I can't be specific, but yes, we run several instances
    of Snort on "listen only" systems.

    [UDP port translation to avoid messenger spam]

    >Neat trick. That one's going into my book. Shouldn't be too hard to
    >implement.


    We put that in place quite a while ago, when we noticed traffic problems
    clogging the wires. Literally anything you do other than dropping the
    traffic at your upstream is going to be a waste of bandwidth. The port
    translation is to allow DNS to work, should a host make a query to an
    outside host and happen to use a source port in that range. We had
    tried blocking UDP not to/from port 53, but noted that at least one
    spam site was sourcing messenger spam from port 53 on his box. The port
    translation stopped that easily.

    Old guy
    Moe Trin, Jul 7, 2005
    #11
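    Moe Trin's UDP source-port translation (posts #9 and #11) is two
    cooperating rules: the site's NAT moves outbound UDP source ports out of
    1025-1200 and remembers the mapping, and the upstream drops any inbound UDP
    whose destination port is in that range. The following is an added
    example, not code from the thread or from the site Moe Trin describes: it
    models both devices so the reason for the translation can be checked, namely
    that a DNS client which happened to pick source port 1100 would otherwise
    never see its reply. The class and function names, the translated-port
    pool starting at 40000, and all addresses (RFC 5737 documentation ranges)
    are constructed for the demo.

```python
"""Model of outbound UDP source-port translation plus an upstream drop rule.
Added example for this thread; all names, addresses and ports are constructed."""
from dataclasses import dataclass
import itertools

DROP_RANGE = range(1025, 1201)   # ports 1025..1200 inclusive, as in the post


@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class SourcePortTranslator:
    """The site's NAT: rewrites outbound source ports that fall in DROP_RANGE
    and maps replies back.  Ports already outside the range are kept as-is;
    a real NAT would also guard against collisions with the translated pool,
    which this model leaves out."""

    def __init__(self, public_ip, first_free_port=40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_free_port)
        self._outbound = {}   # (inner_ip, inner_port, peer_ip, peer_port) -> public port
        self._inbound = {}    # (public port, peer_ip, peer_port) -> (inner_ip, inner_port)

    def outbound(self, pkt):
        """Translate a packet leaving the site; returns what goes on the wire."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self._outbound:
            public_port = pkt.src_port
            if public_port in DROP_RANGE:
                public_port = next(self._ports)
            self._outbound[key] = public_port
            self._inbound[(public_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return UdpPacket(self.public_ip, self._outbound[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Map a reply back to the inner host, or None when nothing asked for it."""
        inner = self._inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inner is None:
            return None
        inner_ip, inner_port = inner
        return UdpPacket(pkt.src_ip, pkt.src_port, inner_ip, inner_port)


def upstream_allows(pkt):
    """The upstream's rule: drop inbound UDP aimed at ports 1025-1200,
    whatever the source port (the post notes spam sourced from port 53)."""
    return pkt.dst_port not in DROP_RANGE


def dns_roundtrip(nat, client_ip="10.0.0.7", client_port=1100, resolver="192.0.2.53"):
    """Walk a DNS query whose client chose a source port inside the drop range.
    Returns the reply as delivered to the inner host, or None if it was lost."""
    query = UdpPacket(client_ip, client_port, resolver, 53)
    on_wire = nat.outbound(query)
    reply = UdpPacket(resolver, 53, nat.public_ip, on_wire.src_port)
    if not upstream_allows(reply):
        return None
    return nat.inbound(reply)


if __name__ == "__main__":
    nat = SourcePortTranslator("198.51.100.1")
    print(dns_roundtrip(nat))
    # Unsolicited UDP to a port in the range is dropped upstream, before the NAT sees it.
    print(upstream_allows(UdpPacket("203.0.113.9", 53, "198.51.100.1", 1026)))
```

    Running it shows the query leaving from port 40000 rather than 1100 and the
    reply arriving back at 10.0.0.7:1100, while a packet aimed at 1026 is refused
    upstream; drop the translation step and the same reply to port 1100 is the one
    that gets discarded, which is the breakage the translation exists to prevent.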
