
DDoS attack -- finding those responsible

Status
Not open for further replies.

GeorgeK

Leap.com
Legacy Exclusive Member
Joined
May 17, 2002
Messages
2,249
Reaction score
66
Greg mentioned that the board was slow yesterday due to an attack.

Perhaps by posting some of the forensic data (logs, etc.) the combined brainpower of this board can help track down the guilty people responsible for the attack?

We can probably short-list the number of "enemies" of DNForum, and logs might help root out who it was.

Although, take care of the other more important family matters first, before moving on to this matter.
 

bidawinner

Level 9
Legacy Exclusive Member
Joined
Jul 12, 2002
Messages
3,571
Reaction score
0
I'm not that technically savvy George, But I'll certainly help any way I can.. I noticed the "drag" on the site hours before the auction and watched it increase right up to the auction..

Even I knew that was more than a coincidence..


If I can help in any way send me a PM..
 

parwold

Level 4
Legacy Gold Member
Joined
Nov 16, 2002
Messages
110
Reaction score
0
GeorgeK, What's a DDoS attack, and how can someone do it?
 

NamePopper.com

Level 8
Legacy Platinum Member
Joined
Aug 20, 2002
Messages
2,167
Reaction score
0
Originally posted by parwold
GeorgeK, What's a DDoS attack, and how can someone do it?

DENIAL OF SERVICE

http://www.denialinfo.com/ (scroll down for lots of links)

That's pretty old though. Probably some newer/better resources out there.
 

adill420

DNF Regular
Legacy Exclusive Member
Joined
Dec 14, 2002
Messages
488
Reaction score
0
Hey,

I would love to help and I have a lot of experience with this kind of stuff. Most likely it was not a DDoS attack since today's networks can easily detect DDoS and drop the packets before they reach their destination. Hopefully we can help make this forum a good place for everyone. Be glad to help in any way :)
 

com

Level 8
Legacy Platinum Member
Joined
Dec 17, 2002
Messages
1,018
Reaction score
2
Although I was also willing to help, being a professional developer I thought my services would be of use, after talking to some members I decided that it is probably best to let the management handle this. Our 'help' may create additional chaos as we are not aware of all the facts at hand. I have to say that I have a few ideas on the subject, I also have a few thoughts regarding the process of the investigation as I was under an attack like this one twice. Each attack ran up huge bandwidth usage bills but failed to cause any access damages. The attack here might have been more severe. I do feel that posting some 'ideas' and 'thoughts' on the subject we may find ourselves doing more damage than good. In addition this is not what we want our new members to be concentrating on. Let's not draw conclusions and speculate but allow those with the information and resources to handle this.
 

adill420

DNF Regular
Legacy Exclusive Member
Joined
Dec 14, 2002
Messages
488
Reaction score
0
redline.net > great response there, but I think most of us, or at least I, responded to help with the intention of securing and avoiding future attacks rather than "trying" to go after who did it. Quite honestly I wouldn't want to say it's impossible, but it is next to impossible to figure out where the attacks originated from and most of all, it wouldn't serve a purpose to try to go after who did it because it would not just take a lot of time but would also need the assistance of law enforcement agencies. Best thing to do is making the network such that it would avoid similar attacks. That is all.
 

WildCard

Level 5
Legacy Platinum Member
Joined
Oct 27, 2002
Messages
340
Reaction score
0
Without knowing more specific info, take this as one computer geek's feeling:

I don't believe it was a DOS attack. The site ran slow, but it was manageable. This was noticed hours before the auction. A DOS will slow, then kill responsiveness of a server.

Remember when we were trying to login to the auction and within a second or two we were getting login error message replies? The server was replying and interacting the best it could.

A DOS attack would have just hung the request.

In my opinion, and take it with the above disclaimer, I hold to the belief it was a programming bug.

Just like all bad things that happen around the US are NOT terrorist attacks, not all web problems are DOS attacks.

-WC-
 

CoolHost.com

Level 9
Legacy Gold Member
Joined
Oct 13, 2002
Messages
3,533
Reaction score
0
I dunno what a Ddos attack is ... but I'm ready, and right behind you George!! :D :eek: :shy:
See you in the a.m.
:cool:
 

parwold

Level 4
Legacy Gold Member
Joined
Nov 16, 2002
Messages
110
Reaction score
0
:confused: Thanks DrWho, just tried the above links, now my brain feels like it's had a DDoS attack! Can't understand a bloomin' word, you guys must be rocket scientists to understand that, oh well back to my steam powered computer, it only takes a couple of kettles to get it working. :D My advice? LEAVE IT TO THE MANAGEMENT. If they want our help I'm sure they will ask.
 

adill420

DNF Regular
Legacy Exclusive Member
Joined
Dec 14, 2002
Messages
488
Reaction score
0
Greg: can you verify what port each IP was hitting, or was it random IP addresses hitting random ports?

Here is what MIGHT've happened.

Scenario 1: If the IPs were random as you said from 61 block or 218 block hitting random IP addresses then it's a SYN attack. What happens is there is an attacking server that sends lots of SYN packets to random ports on a specified IP address from random IP addresses within a block of A IP address. You can easily avoid this if you are on a Linux server.

Scenario 2: Randomly check a few of those IP addresses that were attacking you and if they do exist then it must be a DDoS attack. Although, the majority of the network structures these days are of a standard where DDoS is easily detected and packets are dropped. But not all networks are designed that way. If the IP addresses do exist then it must be a DDoS attack. If this is the case then you surely do need to either contact me so I can provide you some names of people to contact for web police. I used to work with them and they will instantly investigate on those IP addresses. Not all the times DDoS attack source can be traced but most of the time infected machines that attack can be fixed.

That is all.
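
The two scenarios in the post above can be triaged from connection logs. The following is an added example, not part of the original post: the log format, sample records, function names and thresholds are all assumptions, and a completed TCP handshake is used as the stand-in for "the source IP really exists", since a spoofed source never receives the SYN-ACK it would have to answer.

```python
from collections import Counter

# Constructed sample records: "<src_ip> <dst_port> <tcp_flag>" (assumed format)
SAMPLE_LOG = """\
61.12.4.9 4431 SYN
61.200.17.3 80 SYN
218.5.66.1 1029 SYN
218.77.8.40 25 SYN
61.3.3.3 6000 SYN
218.9.1.2 80 SYN
192.0.2.10 80 SYN
192.0.2.10 80 ACK
198.51.100.7 80 SYN
198.51.100.7 80 ACK
""".splitlines()

def summarize(lines):
    """Count SYNs per first octet, distinct ports, and completed handshakes."""
    syn_by_block, ports = Counter(), set()
    syn_seen, completed = set(), set()
    for line in lines:
        parts = line.split()
        if len(parts) != 3 or not parts[1].isdigit():
            continue  # skip malformed records instead of failing mid-triage
        src, port, flag = parts[0], int(parts[1]), parts[2].upper()
        if flag == "SYN":
            syn_seen.add((src, port))
            syn_by_block[src.split(".")[0]] += 1
            ports.add(port)
        elif flag == "ACK" and (src, port) in syn_seen:
            completed.add((src, port))  # source answered, so it is a live host
    ratio = len(completed) / len(syn_seen) if syn_seen else 0.0
    return {"syn_by_block": dict(syn_by_block), "distinct_ports": len(ports),
            "half_open": len(syn_seen - completed), "completion_ratio": ratio}

def classify(summary, ratio_threshold=0.5, min_ports=4):
    """Heuristic triage; both thresholds are assumptions to tune per site."""
    if summary["completion_ratio"] >= ratio_threshold:
        return "scenario 2: sources complete handshakes (real hosts)"
    if summary["distinct_ports"] >= min_ports:
        return "scenario 1: unanswered SYNs to scattered ports (SYN flood)"
    return "inconclusive"

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(report)
    print(classify(report))
```
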
 

DNS Kidd

Level 5
Legacy Platinum Member
Joined
May 2, 2002
Messages
353
Reaction score
0
An attack would most certainly be launched through a proxy server that has been compromised.

The server IP may show up, but in fact the owners may not be aware their network was being used to launch attacks.

If an IP is available, the net manager should be notified that their facilities are being used for SYN flood or DDoS. They cannot plead ignorance if it happens another time.
 

britishangel

Level 5
Legacy Gold Member
Joined
Jan 30, 2003
Messages
335
Reaction score
0
DDS that sounds very familiar to the spam world :) Greg if I can help let me know, my brother is a hardcore programmer and could potentially fix your security problems, if not at least install some kind of monitor...kinda like blackice designated and custom written for the forum. As much as I know guys hate to ask girls for help LOL it's going through me to get to another guy so who knows ;) Let me know if you need his help he'd be more than happy to do it for free :) Love to all, Angel
 