On 14-May-01 Gediminas Grigas [home] wrote:
Hello,
I'm recently under heavy attack from an l33t hax0r kiddie. He's using lots of proxies to access my banner exchange (I mean real lots - hundreds and hundreds) - he was able to add new hosts faster than I was able to lock them out with ipchains (like 10 hosts/min or so). [...] However, that kiddie started abusing my exchange from his real IP (a biggest ISP dial-up service). I cannot lock out this ISP because I would lock 10.000 users as well. So I'm forced to monitor what's happening every time and lock him once in a while, or server load will jump from 0.4 to 10.00 on my P-III 1GHz host. [...] Could anybody pass me an idea how to fight against such attacks? On the other hand - I remember someone once said that he has a "legal request to ISP against hackers" or so... some nice warning text to send to the ISP on detection of intrusion or DoS. Could you please refer me to it?
If your ISP really is so reluctant to help you fight against DoS attacks you should first review the ISP's user policy and look for paragraphs covering unacceptable user behaviour (spam, cracking, warez, etc.). If such paragraphs exist (and I hardly believe they don't), note them down and use them in your complaints to your ISP. Next, you should set up some kind of intrusion detection/monitoring/sniffing tool to record the DoS attempts in detail (time and type of attack, IP address, etc.). You may find tcpdump (http://www.tcpdump.org), sniffit (http://sniffit.rug.ac.be/sniffit/sniffit.html) or snort (http://www.snort.org) useful for this. Most of these tools come with decent documentation, so it should not be too difficult to set them up and use them. Then go and collect data of the incidents which give you trouble, compile them decently (e.g. get rid of non-attack entries) and send it to your ISP, together with a request for investigation. If your ISP does not answer your request, try and find the upstream provider for this ISP and direct your complaints to them (use the usual facilities like whois or some popular online-tool websites (like http://www.samspade.org) to find them). Finally, take a look at http://www.cert.org/tech_tips/incident_reporting.html, at the incident forum at http://www.whitehats.com or at http://www.securityportal.com/cover/coverstory20000515.html for more information about incident handling and proper response. Good luck. [...]
Thanks
Best regards, Gediminas Grigas Tel.: (2)226036; (86) 55362 Technical Director Fax.: (2)627986 UAB "Dizaino kryptis" A.Jaksto 9-233, Vilnius, Lietuva 2001 mailto:gedas@kryptis.lt
--- Boris Lorenz <bolo@lupa.de> System Security Admin *nix - *nux ---
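The reply above recommends recording the abusive requests in detail and compiling them, with non-attack entries removed, before sending a complaint to the ISP. As an added example (not code from either correspondent), the Python script below does that compilation from a web server's access log: it parses Apache/NCSA-style lines, counts requests per source address per minute, keeps only addresses that exceed a rate threshold in some one-minute window, and renders a plain-text summary (first/last seen, total hits, peak rate, most requested URL) that can be pasted into an abuse report. The log format, the sample lines and the threshold of 20 requests per minute are assumptions constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed Apache/NCSA common log format: ip ident user [timestamp] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def per_minute_counts(records):
    """Number of requests per (source ip, one-minute bucket)."""
    counts = defaultdict(int)
    for r in records:
        counts[(r["ip"], r["ts"].replace(second=0))] += 1
    return counts


def compile_report(lines, threshold):
    """Keep only sources that exceed `threshold` requests in some one-minute window
    (everything below is treated as ordinary traffic and dropped) and summarise each one."""
    records = [r for r in map(parse_line, lines) if r is not None]
    peaks = defaultdict(int)
    for (ip, _minute), n in per_minute_counts(records).items():
        peaks[ip] = max(peaks[ip], n)
    report = []
    for ip, peak in peaks.items():
        if peak <= threshold:
            continue
        hits = [r for r in records if r["ip"] == ip]
        paths = defaultdict(int)
        for r in hits:
            paths[r["req"]] += 1
        report.append({
            "ip": ip,
            "first_seen": min(r["ts"] for r in hits).isoformat(),
            "last_seen": max(r["ts"] for r in hits).isoformat(),
            "total_requests": len(hits),
            "peak_per_minute": peak,
            "top_request": max(paths.items(), key=lambda kv: kv[1])[0],
        })
    report.sort(key=lambda e: e["total_requests"], reverse=True)
    return report


def format_report(report):
    """Render the compiled incidents as plain text for an abuse complaint."""
    out = []
    for e in report:
        out.append(
            f"{e['ip']}: {e['total_requests']} requests between {e['first_seen']} and "
            f"{e['last_seen']} (peak {e['peak_per_minute']}/min), mostly \"{e['top_request']}\""
        )
    return "\n".join(out)


# Constructed sample log: one flooding client (203.0.113.45, 25 hits in the first
# minute and 5 in the next), two ordinary visitors, and one malformed line.
FLOOD_REQ = '"GET /cgi-bin/exchange.cgi?id=42 HTTP/1.0" 200 512'
SAMPLE_LOG = (
    [f"203.0.113.45 - - [14/May/2001:10:00:{2 * i:02d} +0300] {FLOOD_REQ}" for i in range(25)]
    + [f"203.0.113.45 - - [14/May/2001:10:01:{2 * i:02d} +0300] {FLOOD_REQ}" for i in range(5)]
    + [
        '198.51.100.7 - - [14/May/2001:10:00:15 +0300] "GET /index.html HTTP/1.0" 200 2048',
        '198.51.100.7 - - [14/May/2001:10:00:40 +0300] "GET /cgi-bin/exchange.cgi?id=7 HTTP/1.0" 200 512',
        '192.0.2.9 - - [14/May/2001:10:01:03 +0300] "GET /index.html HTTP/1.0" 200 2048',
        "this line is not an access-log entry",
    ]
)

if __name__ == "__main__":
    print(format_report(compile_report(SAMPLE_LOG, threshold=20)))
```

Run against a real log with `compile_report(open("access_log").read().splitlines(), 20)`; the threshold is the knob that separates the flood from legitimate users sharing the same dial-up pool, which is what makes the summary usable as evidence without blocking the whole ISP.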