Security Basics mailing list archives

Re: DDOS attacks


From: Ron <iago () valhallalegends com>
Date: Thu, 16 Dec 2004 15:48:45 -0600

I don't have any information sources, but maybe I can make it a little more clear. The IPs are likely zombie machines that have already been compromised, and that have the rootkit/trojan software running on them. It's very unlikely that they are targeting you at random, since when you use a DDoS net it tends to get noticed, and you tend to lose bots as a result. So they only target sites that they have some problem with.

The reason I get DDoSed frequently is because my site provides a service to Battle.net users that prevents many from logging onto Battle.net while our site is down, and it makes the person feel powerful to do that, and he goes around bragging about how awesome he is. Although I think the service we run is stupid anyway, that's another story.

The other reason I've seen people DDoS is blackmail or extortion -- "YOU do this for ME, or I'm going to hold down your servers". But if you haven't received any demands, then likely they are doing it to prove a point. Or maybe they got your address mixed up with somebody else's.

There are a few things you can do to mitigate it:

- Try changing the DNS that they're targeting. If you can point "www.yoursite.com" to, say, "www.fbi.gov" while the attack is going on, then it becomes somebody else's problem. Of course, the DDoSers that I'm familiar with are smarter than that, and go by IP.
- If they're targeting a particular service, turn it off. An effective SYN flood can only take place if there are open ports. Of course, if this is a web server, that's not really an option.
- Turn off/unplug the server/IP that they're targeting. That'll save the rest of your network from being taken down. The server I use has 2 IPs, a public and a private (secure and obscure). When somebody DDoSes, we turn off the public one until they're done. Of course, it wouldn't be hard to find the private, but it also wouldn't be hard to change it.
- Get a firewall or IPS that can detect floods and stop them from entering your network. These tend to be expensive, and, if they're exhausting your bandwidth anyway, not terribly effective.
- Talk to your ISP, and get them to filter out the source IPs at their end. If you're dealing with a net of hundreds or thousands, that may be difficult. It doesn't help that most ISPs are pretty much impossible to contact. If you have this problem frequently, of course, you may end up with an internal contact there that you can phone directly whenever this happens.

I hope some of this helps.
-Ron

Brian T wrote:

Hello List,

Over recent days I have been experiencing intermittent DDOS attacks that have been crushing my firewall. The source IP addresses and timing have remained relatively consistent since the problem was discovered. I would like to perform some research on these IPs to better understand this attack. Specifically, I would like to know if this attack is directed at me or a bot-net picking my network at random. Are there any sources of information that could help me make this determination?

I appreciate any help,

Brian

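Added example, not code from either poster: the two practical threads above (Brian's "are the sources consistent?" and Ron's "get the ISP to filter the source IPs, and if only one service is hit, consider turning it off") can both be answered from firewall logs with a small triage script. The log format below is an assumption loosely modelled on an iptables LOG line, the sample traffic is constructed, and the thresholds (100 SYNs per minute, seen in at least two windows) are illustrative knobs, not recommended values. It reports which sources flood persistently rather than in a one-off burst, collapses them to /24 prefixes for an ISP filtering request, and names the destination port that absorbs most of the SYNs.

```python
"""Triage constructed firewall log lines for persistent SYN-flood sources.

Added example for the thread above; not code from the mailing list.
Assumed log format (loosely modelled on an iptables LOG line):
    2004-12-16T15:10:01 SRC=203.0.113.10 DST=192.0.2.80 PROTO=TCP DPT=80 SYN
"""
from collections import defaultdict
from datetime import datetime
import ipaddress
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=TCP DPT=(?P<dpt>\d+)(?P<flags>.*)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for unrecognised lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dpt": int(m["dpt"]),
        "syn": "SYN" in m["flags"],  # assumption: logger appends the TCP flag name
    }


def syn_counts_per_window(lines, window_seconds=60):
    """Count SYN packets per source in fixed time windows.

    Returns ({window_start_epoch: {src_ip: syn_count}}, {dst_port: syn_count}).
    """
    windows = defaultdict(lambda: defaultdict(int))
    ports = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["syn"]:
            continue  # skip garbage and established (non-SYN) traffic
        start = int(rec["ts"].timestamp()) // window_seconds * window_seconds
        windows[start][rec["src"]] += 1
        ports[rec["dpt"]] += 1
    return windows, ports


def flood_sources(windows, syn_threshold, min_windows):
    """Sources that exceed syn_threshold SYNs in at least min_windows windows.

    Persistence across windows is the 'consistent source' signal the original
    poster describes; a single burst is dropped by the min_windows requirement.
    """
    hits = defaultdict(int)
    for per_src in windows.values():
        for src, n in per_src.items():
            if n > syn_threshold:
                hits[src] += 1
    return sorted(src for src, k in hits.items() if k >= min_windows)


def aggregate_prefixes(sources, prefixlen=24):
    """Collapse host addresses into prefixes: an ISP is likelier to act on a
    short list of nets than on hundreds of individual IPs."""
    nets = {ipaddress.ip_network(f"{s}/{prefixlen}", strict=False) for s in sources}
    return sorted(str(n) for n in nets)


def build_sample_log():
    """Constructed sample (not real data): three one-minute windows of traffic."""
    lines = []

    def emit(minute, src, n, dpt=80, syn=True):
        for i in range(n):
            lines.append(f"2004-12-16T15:{minute:02d}:{i % 60:02d} SRC={src} "
                         f"DST=192.0.2.80 PROTO=TCP DPT={dpt}{' SYN' if syn else ''}")

    for minute in (10, 11, 12):
        emit(minute, "203.0.113.10", 200)
        emit(minute, "203.0.113.11", 180)
        emit(minute, "198.51.100.7", 150)
        emit(minute, "192.0.2.5", 3)          # ordinary client, low SYN rate
    emit(11, "198.51.100.99", 300)            # one-off burst, not persistent
    emit(12, "192.0.2.6", 50, syn=False)      # established traffic, no SYN flag
    return lines


def triage(lines, syn_threshold=100, min_windows=2):
    """Summarise the log: persistent flooders, prefixes to send the ISP, hot port."""
    windows, ports = syn_counts_per_window(lines)
    persistent = flood_sources(windows, syn_threshold, min_windows)
    top_port = max(ports, key=ports.get) if ports else None
    return {
        "persistent": persistent,
        "prefixes": aggregate_prefixes(persistent),
        "targeted_port": top_port,
    }


if __name__ == "__main__":
    print(triage(build_sample_log()))
```

On the constructed sample this reports three persistent sources in two /24s and port 80 as the target, while the 300-SYN burst from 198.51.100.99 is excluded because it appears in only one window. Feed real logs by replacing build_sample_log() with the lines from your firewall, after adjusting LINE_RE to its actual format; the prefix list is what you would hand to the ISP contact Ron mentions, and a single dominant port is the case where turning the service off is even an option.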