Timothy Hall wrote:
Another suggestion...
If you are able to produce a list using netstat and output it into a text file, you may then be able to narrow down the networks from which the attack is originating. Afterwards, you can contact your upstream ISP and they will be more than happy to block the rogue traffic from reaching your network. They are quite happy to work with folks on things such as this, as very often the traffic also affects others that they host services for by simply 'busying' things up with useless traffic...
Looking at the sorted list, I'm lucky to find 3 or 4 IPs coming from the same class-B network... Blocking out those whole ranges would mean "blocking the whole internet". Pretty secure, but not really usable. Just to give you an image of what I'm talking about, here is the end of the sorted block list:

86.141.169.190
86.192.209.103
86.192.228.171
86.193.197.64
86.195.240.239
86.195.241.164
86.197.89.113
86.199.116.107
86.200.119.203
86.39.49.163
86.39.49.209
86.40.11.182
86.42.46.152
86.42.6.96
86.52.121.189
86.56.128.235
87.116.186.194
87.207.57.195
87.248.16.153
87.49.46.196
87.74.14.181
87.74.44.193
87.81.180.177
87.89.129.200
88.104.169.188
88.105.188.79
88.105.203.170
88.106.14.128
88.107.172.176
88.107.37.73
88.109.124.30
88.110.131.17
88.110.150.174
88.110.37.239
88.110.67.130
88.110.68.53
88.111.71.32
88.111.75.8

As you can see, they haven't got much in common... I'm still not sure that they aren't spoofed. During the last hours I blocked more than 6000 IPs, and per minute the count rises by 30 - 40...
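The suggestion above is to take the netstat output and look for networks that stand out, so that an upstream provider can be asked to filter them, while the reply shows why a per-IP block list stops being useful once sources are spread across the whole address space. The following script is an added example (not from either poster) that does that aggregation: it pulls the foreign address out of `netstat -n` style lines and counts distinct sources per /16 (the class-B the reply mentions) and per /24, reporting only prefixes that actually cluster. The netstat lines are constructed sample input; a few of them reuse addresses from the list above, and the rest are made up.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of `netstat -n` output. Some foreign addresses reuse
# entries from the poster's list; the local host and the 192.0.2.10 entry are made up.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.5:80             88.110.131.17:41234     SYN_RECV
tcp        0      0 10.0.0.5:80             88.110.150.174:51002    SYN_RECV
tcp        0      0 10.0.0.5:80             88.110.37.239:33010     SYN_RECV
tcp        0      0 10.0.0.5:80             88.110.67.130:44321     ESTABLISHED
tcp        0      0 10.0.0.5:80             86.39.49.163:55555      SYN_RECV
tcp        0      0 10.0.0.5:80             86.39.49.209:55556      SYN_RECV
tcp        0      0 10.0.0.5:80             87.74.14.181:60001      SYN_RECV
tcp        0      0 10.0.0.5:22             192.0.2.10:40000        ESTABLISHED
"""

# IPv4 address followed by ":port", as printed in the Foreign Address column.
ADDR_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):\d+$")


def foreign_ips(netstat_text):
    """Return the foreign IPv4 address of every tcp/udp line, skipping the header."""
    ips = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        match = ADDR_RE.match(fields[4])
        if match:
            ips.append(match.group(1))
    return ips


def aggregate(ips, prefixlen):
    """Count connections per prefix (16 = classic class-B, 24 = class-C)."""
    counts = Counter()
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        counts[str(net)] += 1
    return counts


def candidate_blocks(ips, prefixlen, min_hosts):
    """Prefixes containing at least min_hosts distinct sources, as (prefix, hosts).

    Only these are worth reporting upstream: a /16 with a single hit is just
    "the whole internet", which is the problem the reply describes.
    """
    hosts_by_net = {}
    for ip in ips:
        net = str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))
        hosts_by_net.setdefault(net, set()).add(ip)
    return sorted(
        (net, len(hosts)) for net, hosts in hosts_by_net.items() if len(hosts) >= min_hosts
    )


if __name__ == "__main__":
    ips = foreign_ips(SAMPLE_NETSTAT)
    print(f"{len(ips)} foreign addresses, {len(set(ips))} distinct")
    for prefixlen in (16, 24):
        print(f"/{prefixlen} prefixes with 2+ distinct sources:")
        for net, hosts in candidate_blocks(ips, prefixlen, 2):
            print(f"  {net:<18} {hosts} hosts")
```

With real data, run it over `netstat -n > conns.txt` and feed the file contents in; a prefix that keeps showing up at /24 with many distinct hosts is the kind of evidence an upstream provider can act on, whereas a list where every /16 has one or two entries, as in the reply, indicates either a genuinely distributed source or spoofing, and per-IP blocking will not keep up.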