Thread: Gay DoS attack need help

  1. #1
    Registered User
    Join Date
    Aug 2001
    Posts
    58

    Gay DoS attack need help

    aight, here's the deal, some dumbass "hacker" (as he prolly calls himself) flooded my server this evening. Is there a way to prevent this? somehow to stop the 1,000,000 packets being sent to my computer? i'll post the little kid's IP address when i get a chance. He's prolly only 9.

  2. #2
    Unregistered
    Guest
    well it depends... he might not be a little 9 year old, especially if he wrote his own DoS client, and if he has any shred of intelligence he will be using a slave computer so posting the IP will do nothing... if you have a router or your ISP has one get them to ban all packets coming from the attacking.... my question is who have you ........ed off... DoS attacks are usually not random

  3. #3
    Registered User mfc2themax's Avatar
    Join Date
    Aug 2001
    Posts
    347
    Take your server offline.
    mfc2themax-Creator of all that is.

  4. #4
    the hat of redundancy hat nvoigt's Avatar
    Join Date
    Aug 2001
    Location
    Hannover, Germany
    Posts
    3,130
    Report the IP and time and logfiles to your and his ISP immediately.
    If it's a lame script kiddie, he will get toasted by his parents who probably pay his online fees. If he was any good, he used a slave to do his work, but at least, this one slave is down then and he has to use another one.

    Take action. Report it. Let the ISP sort it out.
    hth
    -nv

    She was so Blonde, she spent 20 minutes looking at the orange juice can because it said "Concentrate."

    When in doubt, read the FAQ.
    Then ask a smart question.

  5. #5
    Ecologist
    Join Date
    Aug 2001
    Location
    Utah.
    Posts
    1,291
    So, uh. What's a "slave computer..."

    Sorry, I don't know a lot of tech-lingo
    Staying away from General.

  6. #6
    Registered User Generator's Avatar
    Join Date
    Aug 2001
    Posts
    238
    >>What's a slave comp?

    I think it's a remote computer they can use to do their funky stuff, so what they do can't be traced to them
    What's a matter you no like peppi?

  7. #7
    the hat of redundancy hat nvoigt's Avatar
    Join Date
    Aug 2001
    Location
    Hannover, Germany
    Posts
    3,130
    A 'slave' is a computer that was compromised earlier.
    The hacker gained root access ( administrator privileges )
    and can now do whatever he likes on this computer.
    It's like a computer on remote control of the hacker,
    most of the time without the normal user noticing.

    DoS attacks can be traced easily. So he most likely didn't
    use his own machine. The hacker attacked another machine,
    compromised it, and used this 'slave' to start a DoS attack.

    Slashing back at the source will probably only hit the
    slave and its owner. But then, maybe the owner of the
    compromised first machine learns to protect his stuff in
    a way it can't be used to hurt others...
    hth
    -nv


  8. #8
    Registered User rick barclay's Avatar
    Join Date
    Aug 2001
    Posts
    835
    Below is a short excerpt from Hacking Exposed, Second Edition,
    by Joel Scambray, et al. Buy the book.

    "While it is important to understand how to prevent your site from being used as an amplifier, it is even more important to understand what to do should your site come under attack. As mentioned in previous chapters, you should limit ingress ICMP and UDP traffic at your border routers to only necessary systems on your network and to only specific ICMP types. Of course, this does not prevent the Smurf and Fraggle attack from consuming your bandwidth. It is advisable to work with your isp to limit as much ICMP traffic as far upstream as possible. To augment these countermeasures, some organizations have enabled the Committed Access Rate (CAR) functionality provided by CISCO IOS 1.1CC, 11.1CC, and 12.0. This allows ICMP traffic to be limited to some reasonable number like 256k or 512k.
    "Should your site come under attack, you should first contact the Network Operations Center (NOC) of your isp. Keep in mind it is very difficult to trace the attack to the perpetrator, but it is possible. You or your isp will have to work closely with the amplifying site, as they are the recipient of the spoofed packets. Remember, if your site is under attack, the packets are legitimately coming from the amplifying site. The amplifying site is receiving spoofed packets that appear to be coming from your network.
    "By systematically reviewing each router starting with the amplifying site and working upstream, it is possible to trace the attack back to the attacking network. This is accomplished by determining the interface that the spoofed packet was received at and tracing backwards. To help automate this process, the security team at MCI developed a Perl script called dostracker that can log into a Cisco router and begin to trace a spoofed attack back to its source. Unfortunately, this program may be of limited value if you don't own or have access to all the routers involved.
    "We also recommend reviewing RFC 2267, 'Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ IP Source Address Spoofing,' by Paul Ferguson of Cisco Systems and Daniel Senie of Blazenet, Inc."

    That is just a short excerpt regarding DOS attacks in this 660-page tome. Hacking Exposed is a world-wide best-seller and has
    gained classic status in the networking security community. It is
    one extremely interesting book to read.

    rick barclay
    No. Wait. Don't hang up!

    This is America calling!
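Added example, not part of the post above or of the book it quotes: a token-bucket model of the CAR-style ICMP rate limit the excerpt describes, run over constructed flood traffic. The burst size, packet sizes and all names here are assumptions; this models policing behaviour in general, not Cisco's implementation.

```python
from dataclasses import dataclass

@dataclass
class Policer:
    """Single-rate token bucket: a model of CAR-style policing, not Cisco's code."""
    rate_bps: int        # committed rate, bits per second
    burst_bytes: int     # bucket depth, bytes (assumed value, not from the excerpt)
    tokens: float = 0.0
    last: float = 0.0

    def __post_init__(self):
        self.tokens = float(self.burst_bytes)   # bucket starts full

    def conforms(self, now: float, size: int) -> bool:
        """True = conform (forward), False = exceed (drop)."""
        refill = (now - self.last) * self.rate_bps / 8
        self.tokens = min(self.burst_bytes, self.tokens + refill)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False

def police_icmp(packets, rate_bps=256_000, burst_bytes=8_000):
    """packets: time-ordered (time_s, proto, size_bytes); only ICMP is policed."""
    policer = Policer(rate_bps, burst_bytes)
    stats = {"arrived": 0, "icmp_forwarded": 0, "icmp_dropped": 0, "other_forwarded": 0}
    for t, proto, size in packets:
        stats["arrived"] += size    # these bytes already crossed the upstream link
        if proto != "icmp":
            stats["other_forwarded"] += size
        elif policer.conforms(t, size):
            stats["icmp_forwarded"] += size
        else:
            stats["icmp_dropped"] += size
    return stats

def constructed_flood(seconds=10, icmp_pps=1000, icmp_size=1000):
    """Constructed sample: 8 Mbit/s of ICMP replies plus a trickle of TCP."""
    pkts = [(i / icmp_pps, "icmp", icmp_size) for i in range(seconds * icmp_pps)]
    pkts += [(i / 10, "tcp", 500) for i in range(seconds * 10)]
    return sorted(pkts)

if __name__ == "__main__":
    s = police_icmp(constructed_flood())
    print(s, "forwarded ICMP kbit/s:", s["icmp_forwarded"] * 8 / 10 / 1000)
```

The "arrived" counter is the excerpt's caveat in numbers: the policer protects hosts behind the router, but every dropped byte has already used the inbound link, which is why the limit belongs as far upstream as the ISP will place it.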

  9. #9
    &TH of undefined behavior Fordy's Avatar
    Join Date
    Aug 2001
    Posts
    5,793
    >>Hacking Exposed, Second Edition,


    Damn....I ordered the 3rd ED in early Sept.....thought it would be worth the wait....The book was officially released (see the authors' web site and Osbourne's site) a while back, but it is still unavailable.


    I'm starting to wonder if some kind of hold has been placed on the release, but I haven't heard anything........I've mailed amazon but they put it down to an error with their suppliers, but does this go for every book site in europe as they have the same problem?


    Any ideas as to why this is would be greatly appreciated....

  10. #10
    Registered User rick barclay's Avatar
    Join Date
    Aug 2001
    Posts
    835
    barnesandnoble.com is selling the third ed. for $40. No word
    over there about delays.

    rick barclay

  11. #11
    &TH of undefined behavior Fordy's Avatar
    Join Date
    Aug 2001
    Posts
    5,793
    >>barnesandnoble.com is selling the third ed. for $40

    I kind of want to order it through europe if I can.

    >>No word over there about delays.

    Hmm...just have to be patient I guess

  12. #12
    Banned Troll_King's Avatar
    Join Date
    Oct 2001
    Posts
    1,784
    Hacking Exposed Windows 2000:: Network Security Secrets and Solutions

    Came out in September. That and another one of his (Scambray). I go through

    www.indigo.ca

  13. #13
    &TH of undefined behavior Fordy's Avatar
    Join Date
    Aug 2001
    Posts
    5,793
    Yeah... the Win2k and linux versions are available, but I want to get the 3rd ed of hacking exposed as it details linux, unix, win95, win NT, novell and win2k (I think so anyway)........

    I don’t naively hope to become a cracker from this book, but security does interest me, and so I thought this would be a good start.......

    Hell might even do a review for GC's board when I've finished it (If he is still doing that?)

  14. #14
    Mayor of Awesometown Govtcheez's Avatar
    Join Date
    Aug 2001
    Location
    MI
    Posts
    8,823
    > Hell might even do a review for GC's board when I've finished it (If he is still doing that?)

    Absolutely - I've been trying to find time to get my new site up on the new domain, but haven't had time to redesign it like I want to. I've got 2 reviews in stasis right now ([stealth]'s review of the POTA book, and SoccerMom's review of NHL2K2) that'll be up as soon as I do it. Also waiting for a couple other reviews from people (you know who you are...)

  15. #15
    Registered User
    Join Date
    Aug 2001
    Posts
    58

    well what do you know...

    well, turns out (after reviewing the logs) that people just want to come to my site. I guess about 3000 people would shut down a server pretty quickly eh? www.NuclearWasteSite.com if u wanna check it out, also i get about 60% of the hits from the ftp site that's running also 204.210.234.55 ok i know it's lame to say this but please don't hack it, i don't feel like spending a day restoring my files because a malicious hacker destroyed my stuff. If you do hack it, be a white hat and send me the patch.
    --== www.NuclearWasteSite.com==--
