#1 |
So Fucking Banned
Join Date: Oct 2002
Location: chandler, az
Posts: 1,052
|
how to stop this.
i've had about 2,000 cable modems pinging my site all day... get those 2,000 to stop and 2,000 more start right back up.. seems like i got most of them killed by level3 or not doing any damage anymore.. what i want to know is how the fuck im supposed to find out who did this.. im 99% sure of who it is.. but because they are using thousands of other people's cable modems to send all kinds of DoS and tcp syn attacks.. how am i supposed to prove anything? Let me know. i have full logs of everything... shit's probably about 10 - 20 gigs by now
|
#2 |
GFY HALL OF FAME DAMMIT!!!
Join Date: Jan 2002
Location: that 504
Posts: 60,840
|
'THERE IS NO STOPPING WHAT CAN'T BE STOPPED, THERE IS NO KILLING WHAT CAN'T BE KILLED.'
|
#3 |
So Fucking Banned
Join Date: Jul 2002
Location: Dis
Posts: 4,751
|
FBI
|
#4 |
So Fucking Banned
Join Date: Oct 2002
Location: chandler, az
Posts: 1,052
|
here's a list of this hour's attacks..
|
#5 |
Confirmed User
Join Date: Apr 2002
Location: Virgin - nee
Posts: 3,162
|
Inform your data center that you are being hit with a Denial of Service attack and have them block it at the router.
It will take them all of 30 seconds, if that, to put the block in and have the router watch for other incoming attacks to automatically block. |
#6 |
CjOverkill
Industry Role:
Join Date: Apr 2003
Location: Woldwide
Posts: 1,328
|
The fastest way to track the source of the attack is hacking back several of the attacker machines, so you can see who is making them ping you.
I would concentrate on the *.edu.* boxes as they are placed on universities and are almost unmonitored. After owning some of these boxes install a sniffer on them and look on IRC connections (some DoS bots accept commands from IRC interface). Or just look for activities on non standard ports. Then find who is ordering the attack and go fuck all his boxes. This is called the right to defend, and there are lots of webmasters that use this right to shut down DoS attackers.
|
#7 | |
Too lazy to set a custom title
Industry Role:
Join Date: Oct 2001
Location: ┌∩┐ ◣_◢ ┌∩┐
Posts: 46,909
|
Quote:
Ignorant people should not breed. Please keep this in mind. |
|
#8 | |
So Fucking Banned
Join Date: Oct 2002
Location: chandler, az
Posts: 1,052
|
Quote:
|
|
#9 | |
WINNING!
Industry Role:
Join Date: Oct 2002
Posts: 14,579
|
Quote:
Talk to your ISP, mail them at "[email protected]" (change "yourisp.com" to the domain your ISP is using). Give them the notes you just gave us. If you can extract a log out of your firewall, send that to in its NATIVE format. |
|
#10 |
So Fucking Banned
Join Date: Sep 2001
Location: shell beach
Posts: 7,938
|
"i've had about 2,000 cable modems pinging my site all day.. "
... you sure it's just a ping attack ?? if yes, you could disable ping ... |
#11 |
So Fucking Banned
Join Date: Oct 2002
Location: chandler, az
Posts: 1,052
|
ok.. now im getting about TONS of http port probes... is that a good thing? i have them all blocked.. but they keep on trying to probe the ports.. someone told me that was looking for an open port to try to password crack the login.. this box is locked down tight.. but i want to know how the fuck i can get this to stop... it's more annoying than anything else
|
#12 |
WINNING!
Industry Role:
Join Date: Oct 2002
Posts: 14,579
|
you said you know the guy - then call the police or your ISP instead of crying on this board
|
#13 |
WINNING!
Industry Role:
Join Date: Oct 2002
Posts: 14,579
|
by the way - do you run Kazaa, eDonkey or any other filesharing software, because it could just as well be that - if you do, then you are making yourself look like the biggest fucking moron right now. What you see as "attacks" will just be other filesharers trying to connect. What ports are they trying? is it in 4000-8000 area?
|
#14 | |
I’m still alive barley.
Industry Role:
Join Date: Oct 2001
Location: Va
Posts: 10,060
|
Quote:
w00t a retard eh?
|