Security Incidents mailing list archives
Re: DoS attack... what to do?
From: Mark C <markc () uniontown com>
Date: Tue, 04 Jan 2005 16:44:59 -0500
Here's what I'd do:1) Netsky's 5556 is TCP, so I'd fire up netcat or something and see if actual 3-way handshakes happen. If yes, then it's much less likely that it's someone out in the world spoof SYNflooding you. If no, then I'd treat this as a SYNflood and trace backwards through the ISP, you'll probably find it's coming from far fewer sources than you think.
Note that DNS is typically UDP so this trick won't work there.2) Can you ask your ISP to change your address? Do you think you are being targeted, or could you have been assigned an IP address of someone else who was hated previously? Maybe this is legitimate traffic for the previous address owner?
3) If #1 shows actual connections, then I'd try to trace backwards to try to find a single infected machine, identify which domain it's resolving to get your IP address, and then campaign with the registrar or owner of that DNS to make it not point to you any longer. This could stop the world's traffic from heading your way if it's a virus coded to hit a certain (misconfigured?) domain.
-Mark Coleman Nigel Kukard wrote:
Hi Guys, Here is the situation...I have a dedicated server at ISP X, about 1 week after I signed up for the service I received a DoS attack against my DNS service... the attack came from over 10,000 IP addresses and tried to resolve the following domain names...leet.nexhost.org ns1.nexhost.org ns2.nexhost.org floop.m33pm33p.info irc.k1hosting.net b0tn3t.elite-coders.orgI thought i would be clever and changed root.cache on my named service to resolve all dns queries to 127.0.0.1, this seems to of worked for about 1hr. Next I get even more attacks on port 5556 which I don't even use and basically by default drop everything to that port.I have sent off abuse reports for over 10,000 IP's, grouping them by ISP and sending 1 email per ISP.....What to do? I've got a constant 200Kbps of traffic, and its kinda bugging me...Any help would greatly be appreciated. (btw, netsky.V uses port 5556) Regards Nigel Kukard
Current thread:
- DoS attack... what to do? Nigel Kukard (Jan 04)
- Re: DoS attack... what to do? falcon (Jan 04)
- Re: DoS attack... what to do? Faisal Khan (Jan 04)
- Re: DoS attack... what to do? Mark C (Jan 04)
- Re: DoS attack... what to do? Bernie Cosell (Jan 04)
- Re: DoS attack... what to do? Jose Nazario (Jan 05)
- Re: DoS attack... what to do? Bernie Cosell (Jan 04)
- <Possible follow-ups>
- RE: DoS attack... what to do? Shaffer, Bruce (Jan 04)
- Re: DoS attack... what to do? Steve Friedl (Jan 04)
- RE: DoS attack... what to do? Craig Skelton (Jan 05)
- Re: DoS attack... what to do? Alvin Oga (Jan 05)
- Re: DoS attack... what to do? Valdis . Kletnieks (Jan 07)
- Re: DoS attack... what to do? Paul Laudanski (Jan 05)
- Re: DoS attack... what to do? easternerd (Jan 13)
- Re: DoS attack... what to do? Steve Friedl (Jan 04)