Re: Request for contact and procedure information

[Jon Kibler <Jon.Kibler () aset com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jon Kibler wrote:
> Charles Wyble wrote:
> > All,
>
> > I'm currently experiencing a DDOS attack on my home DSL connection.
>
> > Thousands of requests to port 80.
>
> > I'm on an SBC business class account.
>
> > I'm guessing that calling the regular customer support won't get me
> > anywhere.
>
> > Any suggestions?
>
> Okay, this is going to sound REALLY lame, but IMHO it may be your best bet to
> get action from SBC:
>
>    1) File a police report with your local law enforcement agency and (CRITICAL)
> get a case number. (You should have well documented when the attack started,
> too. If asked why you waited so long to report it, explain that you were not
> familiar with procedures. You may also be asked what you have that someone wants
> to attack. "I don't know" is an acceptable answer, if that is the truth.) When
> local law enforcement completes taking the report, request that your local law
> enforcement escalate the case to the local/regional FBI office (specifically
> mention InfraGuard).
>
>    2) Call your local FBI office and ask to speak to the InfraGuard coordinator.
> (If it is a small office, they may refer you to your regional office.) Tell them
> you are being DDOSed, that you have filed a report with local law enforcement
> (give them agency and case number), tell them who is your ISP and contact
> information, and tell them ISP has been uncooperative at resolution. Ask them
> can they please help -- at a minimum, can they contact the ISP and get them to
> start null routing DDOS traffic.
>
> Just out of curiosity, do you have any traffic capture? If so, what type of
> attack is it? SYN flood, Apache instance starvation, etc.?
>
> You may want to do some packet capture for hand-over to law enforcement.
>
> I know this sounds lame, but I also CONSTANTLY hear from InfraGuard that they
> want to be informed of these types of attacks, and they will help when resources
> permit.
>
> Don't expect miracles. But it is better than nothing.
>
> Finally, document, document, document!!!
>
> Jon


I hate to reply to my own email... but as soon as I hit "SEND", I realized I
left off something important...

You said you have Business Class DSL. Is this for a business? If so, have your
lawyer contact SBC. S/he should request to talk with the department manager for
small business services. That, too, may help get action. Be sure to provide
him/her with written documentation on everything you can regarding the attack.
The more information that s/he has, the better to beat up on SBC with.

Finally, what does your TOS/SLA say about DDoS? Most have something to say about
ISP liability in the mitigation of such attacks.

GOOD LUCK!

Jon
- --
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-813-2924 (NEW!)
s: 843-564-4224
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkpWvU0ACgkQUVxQRc85QlO21wCffh5vK5V39ffWJGZPgoA4a9ii
RpcAnjdVCx4l693Pw6vYz58xjZt//Cdx
=UTXU
-----END PGP SIGNATURE-----




==================================================
Filtered by: TRUSTEM.COM's Email Filtering Service
http://www.trustem.com/
No Spam. No Viruses. Just Good Clean Email.