Under massive DDOS attacks help :(

[CoFFee_BeaN]

Ok, where to begin.. I don't know too much about the situation but how do I handle it with this information, just till I get more :

I've been a moderator for a forum on an online game server for a few weeks. Recently our IRC server and our game server were under massive hacker DDOS attacks. The owner Delta (irc.deltaanime.net which is still down from DDOS attacks) has tried everything from filters to changing IP's and God knows what else to fix it. All he can do now more or less reason with the hackers which is kinda sore. All I know is we were being attack by 90mbps DDOS attacks from the members of #cyptik on irc.b00m.net (I do not recommend visiting it). I've told Delta to take it up with their ISP once he resolves the addresses but I don't know what else to do. It looks like these guys are all kiddy hackers that highjacked an Aeso server and stuff

I just wanted to ask is there anything you guys can recommend to me so I can pass the information along? Because this is some really heavy hacking, its been going on since 7:00pm last night and their still attacking and it's 1:30pm the next day here. Until then we're most probably going to reason and wait it out.

Any recommendations guys? (Firewalls, proxies, filters all used unfortunately )

[Spyder32]

Okay, first off stop the coffee. Have a beer. Second off, it isn't major hacking. It's a bunch of kid's who wanna be cool. Now, you say you reported them to their ISP? That is the best thing you can do (other than packet filtering, which I dunno too much about IRC server's and the like) because their ISP can shut them down for violating the ISP's TOS (Term's of Service). So just wait for the ISP to contact them and they will handle them.

[Soda_Popinsky]

Are they DDoSing a vulnerability, or just DDoSing in general? You may want to update all the IRC software you are using, and check for patches.

Also, what are your specs? OS, servers, other services?

You may want to go into a "lockdown" mode if your server isn't very popular. Block everyone but regular visitors, until the group moves on. I haven't had a direct experience with a DDoS though, so I may be talking out of my ass here.

edit: Spyder-

In a DDoS, the hackers IP isn't really supposed to be revealed, its all the zombies IP's that are, and it's unreasonable to call all the ISP's in a zombie flood IMO. And if you do have the attackers IP, I doubt it's their actually theirs, but instead a proxy from bumble.

If you are sure you have their IP, by all means, block the sucker at the router, and call the ISP.

[CoFFee_BeaN]

I have a PM from the owner of the IRC server (I personally don't know his specs and software) they had idled in the hackers channel long enough to find the jerk forgetting his proxy. Apparently its a box from Korea, currently their going to contact his ISP after resolving it, but in the case it doesn't work out any other suggestions? Like can Spyder walk on over give him a nice beating with a baseball bat and walk out? lol :P

[Soda_Popinsky]

I really doubt you could afford something like this, but if you are a part of a major web site with some money?

http://www.akamai.com

Load management?

[Spyder32]

If you are sure you have their IP, by all means, block the sucker at the router, and call the ISP.

It sounded as if he was sure he had their IP which is why I suggested it.

Like can Spyder walk on over give him a nice beating with a baseball bat and walk out?

Uhhh, sure? Why not..

[muert0]

This may be wrong but if they are hitting you with a certain type of packet say SYN. Can you just block that type of packet at the router?

[Darksnake]

Yes you can block their ips, filter packets and such but you still have all that traffic taking up your pipe. All your gonna do is prevent it from reaching the internal network causing damage. It will however slow everything at the point of filtering to a possible crawl which is none the better. If possible see if you can get another ip and rederict the desired traffic as a temp fix or possible perm fix until things with the "hackers" can be settled.

[instronics]

Hmm, i would say that IP blocking is very hard in this situation. How many of you here have actually seen the logfiles of a DoS attack? Every hit comes from another IP, and NON of them is actually from the attacker. Its a bunch of zombies. DoS bots attacks in order to be succesfull need atleast 50 infected hosts... and a normal amount of zombies can reach upto 1000 infected systems. We have had same issues a long time ago.... all we could do is wait till the skiddies got bored.........

The other thing you have todo, patch everything that needs patching, and make sure your firewall is configured correctly. Not that it will do a BIG difference, but it might if the attackers have a smaller amount of DoS bots at hand.

[note] It doesnt have to be DoS bots... but for skiddies, its 80% likely that it is (SGBOTS) [/note]

Cheers.


--edit /addon

Nowadays, its not easy for irc users to use dos bots on public irc servers without the knowledge of the irc admins.... that means that the irc admins are in on it (friends with the attackers), or they use a hidden private ircd to load the bots too.

Cheers.

[muert0]

I've posted this before but it's a pretty good example of a DDoS i believe.
http://www.grc.com/dos/grcdos.htm
Seems to be down right now but it might just be my computer.