Gay DoS attack need help
aight, here's the deal, some dumbass "hacker" (as he prolly calls himself) flooded my server this evening. Is there a way to prevent this? Somehow stop the 1,000,000 packets being sent to my computer? I'll post the little kid's IP address when I get a chance. He's prolly only 9.
well it depends... he might not be a little 9 year old, especially if he wrote his own DoS client, and if he has any shred of intelligence he will be using a slave computer, so posting the IP will do nothing... if you have a router or your ISP has one, get them to ban all packets coming from the attacking.... my question is who have you ........ed off... DoS attacks are usually not random
Take your server offline. :D
Report the IP and time and logfiles to your and his ISP immediately.
If it's a lame script kiddie, he will get toasted by his parents who probably pay his online fees. If he was any good, he used a slave to do his work, but at least, this one slave is down then and he has to use another one.
Take action. Report it. Let the ISP sort it out.
So, uh. What's a "slave computer..."
Sorry, I don't know a lot of tech-lingo
>>What's a slave comp?
I think it's a remote computer they can use to do their funky stuff, so what they do can't be traced to them
A 'slave' is a computer that was compromised earlier.
The hacker gained root access (administrator privileges)
and can now do whatever he likes on this computer.
It's like a computer on remote control of the hacker,
most of the time without the normal user noticing.
DoS attacks can be traced easily. So he most likely didn't
use his own machine. The hacker attacked another machine,
compromised it, and used this 'slave' to start a DoS attack.
Slashing back at the source will probably only hit the
slave and its owner. But then, maybe the owner of the
compromised first machine learns to protect his stuff in
a way it can't be used to hurt others...
Below is a short excerpt from Hacking Exposed, Second Edition, by Joel Scambray et al. Buy the book.
"While it is important to understand how to prevent your site from being used as an amplifier, it is even more important to understand what to do should your site come under attack. As mentioned in previous chapters, you should limit ingress ICMP and UDP traffic at your border routers to only necessary systems on your network and to only specific ICMP types. Of course, this does not prevent the Smurf and Fraggle attack from consuming your bandwidth. It is advisable to work with your ISP to limit as much ICMP traffic as far upstream as possible. To augment these countermeasures, some organizations have enabled the Committed Access Rate (CAR) functionality provided by Cisco IOS 1.1CC, 11.1CC, and 12.0. This allows ICMP traffic to be limited to some reasonable number like 256k or 512k.
"Should your site come under attack, you should first contact the Network Operations Center (NOC) of your ISP. Keep in mind it is very difficult to trace the attack to the perpetrator, but it is possible. You or your ISP will have to work closely with the amplifying site, as they are the recipient of the spoofed packets. Remember, if your site is under attack, the packets are legitimately coming from the amplifying site. The amplifying site is receiving spoofed packets that appear to be coming from your network.
"By systematically reviewing each router starting with the amplifying site and working upstream, it is possible to trace the attack back to the attacking network. This is accomplished by determining the interface that the spoofed packet was received at and tracing backwards. To help automate this process, the security team at MCI developed a Perl script called dostracker that can log into a Cisco router and begin to trace a spoofed attack back to its source. Unfortunately, this program may be of limited value if you don't own or have access to all the routers involved.
"We also recommend reviewing RFC 2267, 'Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ IP Source Address Spoofing,' by Paul Ferguson of Cisco Systems and Daniel Senie of Blazenet, Inc."
That is just a short excerpt regarding DoS attacks in this 660-page tome. Hacking Exposed is a world-wide best-seller and has gained classic status in the networking security community. It is one extremely interesting book to read.
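The two countermeasures the excerpt describes, RFC 2267 ingress filtering (drop packets whose source address does not belong to the network behind the interface they arrived on) and a CAR-style cap on ICMP bandwidth, as an added example that is not part of the original thread or of the book. The interface-to-prefix table and the packet records are constructed for the example; the 256k figure is the one the excerpt mentions.

```python
import ipaddress
from collections import defaultdict
# Constructed example: each customer-facing interface is assigned one prefix;
# a packet arriving with a source outside that prefix is spoofed (RFC 2267).
INTERFACE_PREFIXES = {
    "eth1": ipaddress.ip_network("192.0.2.0/24"),
    "eth2": ipaddress.ip_network("198.51.100.0/24"),
}
# Constructed packet records: (time_s, ingress_iface, src, dst, proto, length_bytes).
RECORDS = [
    (0.00, "eth1", "192.0.2.10", "203.0.113.5", "icmp", 84),
    (0.01, "eth2", "203.0.113.9", "192.0.2.255", "icmp", 84),  # source not in eth2's prefix
    (0.02, "eth1", "192.0.2.11", "203.0.113.5", "tcp", 1500),
] + [  # 30 echo packets of 1000 bytes in 30 ms from a valid eth2 source: an ICMP flood
    (0.03 + i / 1000, "eth2", "198.51.100.7", "192.0.2.1", "icmp", 1000) for i in range(30)
]
class TokenBucket:
    """CAR-style limiter: refills at rate_bps/8 bytes per second up to a burst size."""
    def __init__(self, rate_bps, burst_bytes):
        self.rate = rate_bps / 8
        self.burst = burst_bytes
        self.tokens = burst_bytes
        self.last = 0.0

    def allow(self, now, length):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if length <= self.tokens:
            self.tokens -= length
            return True
        return False

def ingress_ok(iface, src, prefixes=INTERFACE_PREFIXES):
    """RFC 2267 ingress check: the source must belong to the prefix behind that interface."""
    net = prefixes.get(iface)
    return net is not None and ipaddress.ip_address(src) in net

def process(records, prefixes=INTERFACE_PREFIXES, icmp_rate_bps=256_000, burst_bytes=2000):
    """Apply the ingress check first, then a 256 kbit/s CAR-style cap to ICMP only."""
    bucket = TokenBucket(icmp_rate_bps, burst_bytes)
    counts = defaultdict(int)
    for t, iface, src, _dst, proto, length in records:
        if not ingress_ok(iface, src, prefixes):
            counts["drop_spoofed"] += 1
        elif proto == "icmp" and not bucket.allow(t, length):
            counts["drop_icmp_rate"] += 1
        else:
            counts["forward"] += 1
    return dict(counts)
```

Running `process(RECORDS)` forwards the legitimate traffic and the first two packets of the flood, drops the spoofed packet, and rate-drops the remaining 28 flood packets; TCP is never touched by the ICMP cap.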
>>Hacking Exposed, Second Edition,
Damn....I ordered the 3rd ED in early Sept.....thought it would be worth the wait....The book was officially released (see the author's web site and Osborne's site) a while back, but it is still unavailable.
I'm starting to wonder if some kind of hold has been placed on the release, but I haven't heard anything........I've mailed amazon but they put it down to an error with their suppliers, but does this go for every book site in europe as they have the same problem?
Any ideas as to why this is would be greatly appreciated....
barnesandnoble.com is selling the third ed. for $40. No word over there about delays.
>>barnesandnoble.com is selling the third ed. for $40
I kind of want to order it through europe if I can.
>>No word over there about delays.
Hmm...just have to be patient I guess
Hacking Exposed Windows 2000: Network Security Secrets and Solutions
Came out in September. That and another one of his (Scambray). I go through
Yeah... the Win2k and linux versions are available, but I want to get the 3rd ed of hacking exposed as it details linux, unix, win95, win NT, novell and win2k (I think so anyway)........
I don't naively hope to become a cracker from this book, but security does interest me, and so I thought this would be a good start.......
Hell might even do a review for GC's board when I've finished it :) (If he is still doing that?)
> Hell might even do a review for GC's board when I've finished it (If he is still doing that?)
Absolutely - I've been trying to find time to get my new site up on the new domain, but haven't had time to redesign it like I want to. I've got 2 reviews in stasis right now ([stealth]'s review of the POTA book, and SoccerMom's review of NHL2K2) that'll be up as soon as I do it. Also waiting for a couple other reviews from people (you know who you are...)
well what do you know...
well, turns out (after reviewing the logs) that people just want to come to my site. I guess about 3000 people would shut down a server pretty quickly eh? www.NuclearWasteSite.com if u wanna check it out, also I get about 60% of the hits from the ftp site that's running also 126.96.36.199 ok I know it's lame to say this but please don't hack it, I don't feel like spending a day restoring my files because a malicious hacker destroyed my stuff. If you do hack it, be a white hat and send me the patch.