how to stop this.
i've had about 2,000 cable modems pinging my site all day... get those 2,000 to stop and 2,000 more start right back up.. seems like i got most of them killed by level3 or not doing any damage anymore.. what i want to know is how the fuck i'm supposed to find out who did this.. i'm 99% sure of who it is.. but because they are using thousands of other people's cable modems to send all kinds of DoS and tcp syn attacks.. how am i supposed to prove anything? Let me know. i have full logs of everything... shit's probably about 10 - 20 gigs by now
|
'THERE IS NO STOPPING WHAT CAN'T BE STOPPED, THERE IS NO KILLING WHAT CAN'T BE KILLED.'
|
FBI
|
here's a list of this hour's attacks..
|
Inform your data center that you are being hit with a Denial of Service attack and have them block it at the router.
It will take them all of 30 seconds, if that, to put the block in and have the router watch for other incoming attacks to automatically block. |
The fastest way to track the source of the attack is hacking back several of the attacker machines, so you can see who is making them ping you.
I would concentrate on the *.edu.* boxes as they are placed on universities and are almost unmonitored. After owning some of these boxes install a sniffer on them and look on IRC connections (some DoS bots accept commands from IRC interface). Or just look for activities on non standard ports. Then find who is ordering the attack and go fuck all his boxes. This is called the right to defend, and there are lots of webmasters that use this right to shut down DoS attackers. |
Quote:
Ignorant people should not breed. Please keep this in mind. |
Quote:
Talk to your ISP, mail them at "[email protected]" (change "yourisp.com" to the domain your ISP is using). Give them the notes you just gave us. If you can extract a log out of your firewall, send that to in its NATIVE format. |
"i've had about 2,000 cable modems pinging my site all day.. "
... you sure it's just a ping attack ?? if yes, you could disable ping ... |
ok.. now i'm getting about TONS of http port probes... is that a good thing? i have them all blocked.. but they keep on trying to probe the ports.. someone told me that was looking for an open port to try to password crack the login.. this box is locked down tight.. but i want to know how the fuck i can get this to stop... it's more annoying than anything else
|
you said you know the guy - then call the police or your ISP instead of crying on this board
|
by the way - do you run Kazaa, Edonkey or any other filesharing software, because it could just as well be that - if you do, then you are making yourself look like the biggest fucking moron right now. What you see as "attacks" will just be other filesharers trying to connect. What ports are they trying? is it in 4000-8000 area?
|
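Added example, not part of any post in this thread: a triage script that answers the "what ports are they trying?" question from a firewall log before it is sent to the ISP, by bucketing blocked packets into ICMP, web ports, the 4000-8000 range and everything else. The iptables-style `KEY=value` log format, the sample lines and the function names are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log in iptables-LOG style (assumed format, example addresses).
SAMPLE_LOG = """\
Jan 10 21:00:01 fw kernel: SRC=192.0.2.10 DST=203.0.113.5 PROTO=ICMP TYPE=8
Jan 10 21:00:01 fw kernel: SRC=192.0.2.11 DST=203.0.113.5 PROTO=ICMP TYPE=8
Jan 10 21:00:02 fw kernel: SRC=192.0.2.10 DST=203.0.113.5 PROTO=ICMP TYPE=8
Jan 10 21:00:02 fw kernel: SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40112 DPT=80
Jan 10 21:00:03 fw kernel: SRC=198.51.100.8 DST=203.0.113.5 PROTO=TCP SPT=40113 DPT=80
Jan 10 21:00:03 fw kernel: SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=40114 DPT=80
Jan 10 21:00:04 fw kernel: SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=80
Jan 10 21:00:04 fw kernel: SRC=203.0.113.20 DST=203.0.113.5 PROTO=TCP SPT=3344 DPT=4662
Jan 10 21:00:05 fw kernel: SRC=203.0.113.21 DST=203.0.113.5 PROTO=TCP SPT=3345 DPT=6346
Jan 10 21:00:05 fw kernel: SRC=203.0.113.20 DST=203.0.113.5 PROTO=TCP SPT=2000 DPT=22
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def classify(fields):
    """Return a bucket name for one parsed log line, or None if unusable."""
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    if fields["PROTO"] == "ICMP":
        return "icmp"
    dpt = fields.get("DPT", "")
    if not dpt.isdigit():
        return "other"
    port = int(dpt)
    if port in (80, 443):
        return "web"
    # The "4000-8000 area" the thread associates with filesharing clients.
    return "p2p-range" if 4000 <= port <= 8000 else "other"

def summarize(text):
    """Map bucket -> (packet count, distinct source count)."""
    hits, sources = Counter(), defaultdict(set)
    for line in text.splitlines():
        fields = dict(FIELD.findall(line))
        bucket = classify(fields)
        if bucket is not None:
            hits[bucket] += 1
            sources[bucket].add(fields["SRC"])
    return {b: (hits[b], len(sources[b])) for b in hits}

def verdict(summary):
    """One-line statement of the dominant traffic class."""
    total = sum(n for n, _ in summary.values())
    if total == 0:
        return "no blocked traffic parsed"
    bucket, (n, srcs) = max(summary.items(), key=lambda kv: kv[1][0])
    return f"{bucket}: {n}/{total} packets from {srcs} sources"

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(verdict(summarize(SAMPLE_LOG)))
```

A log dominated by the `p2p-range` bucket points to filesharing peers reconnecting, while `icmp` or `web` from many distinct sources matches the flood described in the first post.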
Quote:
w00t a retard eh? |