Hello,

Thanks to all for the responses.

That kiddie still abuses my server at about 10 queries/sec. It seems like he's not proxying - he somehow fakes his IPs, because it's an endless list, and some of those IPs (~8-10%) basically do not exist (or do not respond to ping/traceroute; I can hardly believe that somebody closed ICMP and left an open proxy, or even worse...).

So I made my script recognize his calls and exit fast, so the damage is now kind of minimal (like 5% of CPU and logs full of trash). However, it's sad to think that there is not much I can do except wait until this guy gets bored.

Is there ANY chance to fight against spoofed IPs? It's surely a one-way call; however, the server is very vulnerable to this. What if such a guy gets on a leased line - not on dial-up? He could make 100 calls/second with almost no chance of being traced.

Is there any tool to block/recognize/delay/check for spoofed IPs? Maybe those spoofed packets could be logged on his ISP's gw router? (I think I know which ISP's service he's using.) Still, I can't understand why that router routes such packets, because none of them belong to that network. I'm not a big expert in routing, but it seems weird to me.

The original story was:

-----------------------------------------------------------------

Hello,

I've recently been under heavy attack from an l33t hax0r kiddie. He's using lots of proxies to access my banner exchange (I mean really lots - hundreds and hundreds) - he was able to add new hosts faster than I was able to lock them out with ipchains (like 10 hosts/min or so). So it ended with me changing the input policy to DENY and setting ACCEPT only for Lithuanian ISPs (about 40 major subnets). But that's not a solution, because the system is now locked from outside Lithuania.

However, that kiddie started abusing my exchange from his real IP (the biggest ISP's dial-up service). I cannot lock out this ISP because I would lock out 10.000 users as well.
So I'm forced to monitor what's happening all the time and lock him out once in a while, or the server load will jump from 0.4 to 10.00 on my P-III 1GHz host. I cannot do anything in a legal way - because we don't have anything in our law system against "l33t hax0rs"; besides that, the ISP has terrible support and a monopoly, so it probably won't even bother to respond to my requests.

My question would be - is there a tool which could run with Apache to automatically lock out a host for some time if it tries to access the system more than 10 times per minute or so? Could anybody give me an idea of how to fight against such attacks?

On the other hand - I remember someone once said that he has a "legal request to ISP against hackers" or so... some nice warning text to send to an ISP on detection of an intrusion or DoS. Could you please refer me to it?

Sorry for my broken English. Hope you got the matter.

P.S. Host running SuSE 7.1 with 2.2.x kernel

Thanks

----------------------------------------------------------------------

--
Best regards,
Gediminas mailto:gedas@kryptis.lt
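
The temporary lock-out the post asks about (more than 10 requests per minute from one host), sketched as an added example that is not part of the original message or any existing tool. It assumes Apache Common Log Format input and a 15-minute lock-out; the log lines, addresses and request path are constructed, and counting is per source address only.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LIMIT = 10                          # requests allowed per window (figure from the post)
WINDOW = timedelta(seconds=60)      # "per minute"
BLOCK_FOR = timedelta(minutes=15)   # assumed lock-out time, not from the post
# Apache Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "')

def scan(lines):
    """Return ('block'|'unblock', ip, time) events for an access log."""
    recent = defaultdict(deque)     # ip -> request times still inside WINDOW
    blocked, events = {}, []        # blocked: ip -> time the block expires
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue                # skip lines that are not CLF
        ip = m.group(1)
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        for old, until in list(blocked.items()):
            if ts >= until:         # block has run its course
                del blocked[old]
                events.append(("unblock", old, until))
        if ip in blocked:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] >= WINDOW:  # drop requests older than the window
            q.popleft()
        if len(q) > LIMIT:
            blocked[ip] = ts + BLOCK_FOR
            q.clear()
            events.append(("block", ip, ts))
    return events

def ipchains_rule(action, ip):
    """ipchains command for an event (input chain and DENY target as in the post)."""
    return f"ipchains {'-A' if action == 'block' else '-D'} input -s {ip} -j DENY"

def sample_log():
    """Constructed sample: 12 hits in 12 s from one host, slow hits from another."""
    fmt = '{} - - [10/Mar/2001:{} +0200] "GET /banner.cgi HTTP/1.0" 200 512'
    fast = [fmt.format("192.0.2.10", f"12:00:{s:02d}") for s in range(12)]
    slow = [fmt.format("198.51.100.7", t) for t in ("12:00:30", "12:01:00", "12:20:00")]
    return fast + slow

if __name__ == "__main__":
    for action, ip, when in scan(sample_log()):
        print(when.isoformat(), ipchains_rule(action, ip))
```

On the constructed sample the fast host is locked out at its 11th request and released 15 minutes later, while the slow host is never touched.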