Mailinglist Archive: opensuse-security (232 mails)

Re: [suse-security] Under DDoS Attack
  • From: media Formel4 <info@xxxxxxxxxx>
  • Date: Thu, 27 Oct 2005 19:09:28 +0200
  • Message-id: <436109C8.4010104@xxxxxxxxxx>
Timothy Hall wrote:
> Another suggestion...
>
> If you are able to produce a list using netstat and output it into a
> text file, you may then be able to narrow down networks from which the
> attack is originating. Afterwards, you can contact your upstream ISP
> and they will be more than happy to block the rogue traffic from
> reaching your network. They are quite happy to work with folks on
> things such as this as very often the traffic also affects others that
> they host services for by simply 'busying' things up with useless
> traffic...

Looking at the sorted list, I'm lucky to find 3 or 4 IPs coming from the same class-B network... Blocking out those whole ranges would mean "blocking the whole internet". Pretty secure, but not really usable.

Just to give you an image of what I'm talking about, here is the end of the sorted block list:

As you can see, they don't have much in common...

I'm still not sure that they aren't spoofed. During the last hours I blocked more than 6000 IPs, and per minute the count rises by 30 - 40...
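
The aggregation discussed in this thread, as an added example that is not part of the original posts: it groups the remote IPv4 addresses in `netstat -ant` output by /16 (the old class-B size) and reports how many distinct sources the busiest networks would cover. The sample output, the port and the function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed sample of `netstat -ant` output; all addresses are made up (RFC 1918 space).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             10.1.2.3:40112          SYN_RECV
tcp        0      0 10.0.0.5:80             10.1.2.3:40113          SYN_RECV
tcp        0      0 10.0.0.5:80             10.1.77.9:51000         ESTABLISHED
tcp        0      0 10.0.0.5:80             10.2.5.5:33001          SYN_RECV
tcp        0      0 10.0.0.5:80             172.16.4.4:1025         SYN_RECV
tcp        0      0 10.0.0.5:22             10.9.9.9:60000          ESTABLISHED
EOF
}

# remote_ips PORT: unique remote IPv4 addresses connected to local PORT.
# Listening sockets, headers and IPv6 peers are skipped.
remote_ips() {
  awk -v port="$1" '
    $1 ~ /^tcp/ && $4 ~ (":" port "$") {
      ip = $5
      sub(/:[0-9*]+$/, "", ip)                     # strip the remote port
      if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && ip != "0.0.0.0")
        print ip
    }' | sort -u
}

# per_net16: read one IP per line, print "<sources> <network>/16", busiest first.
per_net16() {
  awk -F. '{ n[$1 "." $2 ".0.0/16"]++ }
           END { for (k in n) print n[k], k }' | sort -k1,1nr -k2,2
}

# coverage N: "<covered>/<total>" sources that fall inside the N busiest /16s.
# A low ratio means network-level blocking will not contain the attack.
coverage() {
  per_net16 | awk -v top="$1" '
    { total += $1; if (NR <= top) hit += $1 }
    END { printf "%d/%d\n", hit, total }'
}

# On a live host: netstat -ant | remote_ips 80 | per_net16
sample_netstat | remote_ips 80 | per_net16
```

A widely scattered result like the one described in the post shows up here as a coverage ratio that stays small even for a large N.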


