Security Incidents mailing list archives
RE: DoS attack... what to do?
From: "Craig Skelton" <craig () craigskelton com>
Date: Tue, 4 Jan 2005 21:33:17 -0800
Actually, many ISPs are not terribly happy to "work with you", as "their time" is a resource just as much as their bandwidth is, and this often requires the attention of the most senior people. Customers who repeatedly get DoS'd often find themselves invited to take their business elsewhere.
Many ISPs also lack the gear to do much anyway, even if they could. Placing 10,000 hosts into an ACL is never a particularly fun idea, but they should be able to use CARS or some type of shaping to limit your exposure. I've done similar things (mostly always IRC related). If they have big iron, then they should be able to do layer 3 filtering or routemaps.
Now the question is: Who did you piss off?
Do you own any of the domains listed? I assume you've looked some of them up? I added one to the bottom of this email; you might garner a clue as to who is involved by speaking to these people.

Just for fun, do what others have suggested and sniff the traffic. Tcpdump will even work. Find out if it's IRC traffic by any chance. Who knows, perhaps you've got a botnet? Anyway, simple requests to the ISP are the best. Things like "please block port x to ip x.x.x.x. None of the traffic to that port is legitimate."

Whois to follow:

----SNIP---
Visit: http://www.RegisterFly.com
Domain name: elite-coders.org

Registrant Contact:
elite mirc (webmaster () codemsn net)
+1.1457836598
Fax:
345manchester manchester ashton, AK ol59hd

Administrative Contact:
elite mirc (webmaster () codemsn net)
+1.1457836598
Fax:
345manchester manchester ashton, AK ol59hd

Technical Contact:
elite mirc (webmaster () codemsn net)
+1.1457836598
Fax:
345manchester manchester ashton, AK ol59hd

Billing Contact:
elite mirc (webmaster () codemsn net)
+1.1457836598
Fax:
345manchester manchester ashton, AK ol59hd

Status: Active
Name Servers:
ns1.nexhost.org
ns2.nexhost.org
Creation date: 08 Feb 2004 16:39:53
Expiration date: 08 Feb 2005 16:39:53
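Added example, not part of the message above: one way to turn a tcpdump capture into the kind of single-port request the message recommends. The sample capture, the addresses (documentation ranges), the IRC port set and the function names are all assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed `tcpdump -nn` output; all addresses are documentation ranges.
SAMPLE = """\
21:30:01.000101 IP 203.0.113.5.40312 > 198.51.100.10.6667: Flags [S], seq 1, win 8192, length 0
21:30:01.000140 IP 203.0.113.77.1042 > 198.51.100.10.6667: Flags [S], seq 1, win 8192, length 0
21:30:01.000190 IP 192.0.2.14.5120 > 198.51.100.10.6667: Flags [S], seq 1, win 8192, length 0
21:30:01.000230 IP 192.0.2.200.3391 > 198.51.100.10.6667: Flags [S], seq 1, win 8192, length 0
21:30:01.000300 IP 203.0.113.5.40313 > 198.51.100.10.6667: Flags [S], seq 1, win 8192, length 0
21:30:01.000410 IP 192.0.2.50.51000 > 198.51.100.10.80: Flags [S], seq 1, win 65535, length 0
21:30:01.000500 IP 198.51.100.10.80 > 192.0.2.50.51000: Flags [S.], seq 1, ack 2, win 65535, length 0
21:30:01.000600 IP 192.0.2.9 > 198.51.100.10: ICMP echo request, id 1, seq 1, length 64
"""

# src.port > dst.port lines only; port-less lines (ICMP) do not match.
LINE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)")
IRC_PORTS = set(range(6660, 6670)) | {7000}  # assumption: conventional IRC ports

def summarize(text, victim):
    """Count inbound packets to `victim` per (dst port, proto) and collect sources."""
    hits, sources = Counter(), {}
    for line in text.splitlines():
        m = LINE.search(line)
        if not m or m.group(3) != victim:
            continue  # skip outbound traffic and lines without ports
        src, _sport, _dst, dport, rest = m.groups()
        proto = "udp" if rest.startswith("UDP") else "tcp" if rest.startswith("Flags") else "other"
        key = (int(dport), proto)
        hits[key] += 1
        sources.setdefault(key, set()).add(src)
    return hits, sources

def isp_request(text, victim, legit_ports=()):
    """Pick the busiest port that carries no legitimate service and word the request."""
    hits, sources = summarize(text, victim)
    # A port you actually serve cannot be blocked wholesale, so leave it out.
    candidates = [(k, n) for k, n in hits.most_common() if k[0] not in legit_ports]
    if not candidates:
        return None
    (port, proto), packets = candidates[0]
    return {
        "port": port, "proto": proto, "packets": packets,
        "sources": len(sources[(port, proto)]),
        "irc": port in IRC_PORTS,
        "request": f"Please block {proto} port {port} to {victim}. "
                   "None of the traffic to that port is legitimate.",
    }

if __name__ == "__main__":
    print(isp_request(SAMPLE, "198.51.100.10", legit_ports={80}))
```

List every port you really serve in legit_ports; the request only holds up when nothing legitimate arrives on the port you name.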