Under massive DDOS attacks help :(

Thread: Under massive DDOS attacks help :(

  1. #1
    Junior Member
    Join Date
    Jun 2004
    Posts
    2

    Under massive DDOS attacks help :(

    OK, where to begin... I don't know too much about the situation, but how do I handle it with this information, just until I get more:

    I've been a moderator for a forum on an online game server for a few weeks. Recently our IRC server and our game server were under massive hacker DDoS attacks. The owner Delta (irc.deltaanime.net, which is still down from DDoS attacks) has tried everything from filters to changing IPs and God knows what else to fix it. All he can do now is more or less reason with the hackers, which is kinda sore. All I know is we were being attacked by 90mbps DDoS attacks from the members of #cyptik on irc.b00m.net (I do not recommend visiting it). I've told Delta to take it up with their ISP once he resolves the addresses, but I don't know what else to do. It looks like these guys are all kiddy hackers that hijacked an Aeso server and stuff.

    I just wanted to ask if there is anything you guys can recommend to me so I can pass the information along? Because this is some really heavy hacking; it's been going on since 7:00pm last night and they're still attacking, and it's 1:30pm the next day here. Until then we're most probably going to reason and wait it out.

    Any recommendations, guys? (Firewalls, proxies, filters all used, unfortunately.)

  2. #2
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    Okay, first off, stop the coffee. Have a beer. Second off, it isn't major hacking. It's a bunch of kids who wanna be cool. Now, you say you reported them to their ISP? That is the best thing you can do (other than packet filtering, which I dunno too much about with IRC servers and the like), because their ISP can shut them down for violating the ISP's TOS (Terms of Service). So just wait for the ISP to contact them and they will handle them.
    Space For Rent.. =]

  3. #3
    Are they DDoSing a vulnerability, or just DDoSing in general? You may want to update all the IRC software you are using, and check for patches.

    Also, what are your specs? OS, servers, other services?

    You may want to go into a "lockdown" mode if your server isn't very popular. Block everyone but regular visitors, until the group moves on. I haven't had a direct experience with a DDoS though, so I may be talking out of my ass here.

    edit: Spyder-

    In a DDoS, the hacker's IP isn't really supposed to be revealed; it's all the zombies' IPs that are, and it's unreasonable to call all the ISPs in a zombie flood, IMO. And if you do have the attacker's IP, I doubt it's actually theirs, but instead a proxy from bumble.

    If you are sure you have their IP, by all means, block the sucker at the router, and call the ISP.

  4. #4
    Junior Member
    Join Date
    Jun 2004
    Posts
    2
    I have a PM from the owner of the IRC server (I personally don't know his specs and software): they had idled in the hackers' channel long enough to find the jerk forgetting his proxy. Apparently it's a box from Korea; currently they're going to contact his ISP after resolving it, but in case it doesn't work out, any other suggestions? Like can Spyder walk on over, give him a nice beating with a baseball bat and walk out? lol :P

  5. #5
    I really doubt you could afford something like this, but if you are a part of a major web site with some money?

    http://www.akamai.com

    Load management?

  6. #6
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    If you are sure you have their IP, by all means, block the sucker at the router, and call the ISP.
    It sounded as if he was sure he had their IP which is why I suggested it.

    Like can Spyder walk on over give him a nice beating with a baseball bat and walk out?
    Uhhh, sure? Why not..
    Space For Rent.. =]

  7. #7
    BANNED
    Join Date
    Nov 2003
    Location
    San Diego
    Posts
    724
    This may be wrong, but if they are hitting you with a certain type of packet, say SYN, can you just block that type of packet at the router?
    When death sleeps it dreams of you...

  8. #8
    Senior Member
    Join Date
    Jul 2002
    Location
    Texas
    Posts
    168
    Yes, you can block their IPs, filter packets and such, but you still have all that traffic taking up your pipe. All you're gonna do is prevent it from reaching the internal network and causing damage. It will, however, slow everything at the point of filtering to a possible crawl, which is none the better. If possible, see if you can get another IP and redirect the desired traffic as a temp fix, or possible perm fix, until things with the "hackers" can be settled.
    <chsh> I've read more interesting technical discussion on the wall of a public bathroom than I have at AO at times

  9. #9
    Antionline's Security Dude instronics's Avatar
    Join Date
    Dec 2002
    Posts
    901
    Hmm, I would say that IP blocking is very hard in this situation. How many of you here have actually seen the logfiles of a DoS attack? Every hit comes from another IP, and none of them is actually from the attacker. It's a bunch of zombies. DoS bot attacks, in order to be successful, need at least 50 infected hosts... and a normal amount of zombies can reach up to 1000 infected systems. We have had the same issues a long time ago.... all we could do is wait till the skiddies got bored.........

    The other thing you have to do: patch everything that needs patching, and make sure your firewall is configured correctly. Not that it will make a BIG difference, but it might if the attackers have a smaller amount of DoS bots at hand.

    [note] It doesn't have to be DoS bots... but for skiddies, it's 80% likely that it is (SGBOTS) [/note]

    Cheers.


    --edit /addon

    Nowadays, it's not easy for IRC users to use DoS bots on public IRC servers without the knowledge of the IRC admins.... that means that the IRC admins are in on it (friends with the attackers), or they use a hidden private ircd to load the bots to.

    Cheers.
    Ubuntu-: Means in African : "I'm too dumb to use Slackware"
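Posts #7, #8 and #9 between them make three defensive points: you can match a packet type such as SYN at the router, filtering there still leaves the flood on your upstream pipe, and per-IP blocking only works when a handful of addresses dominate rather than a zombie swarm. The script below, added here as an example and not code from anyone in this thread, shows how a defender would check those points against their own logs before deciding on a response. The log line format, the 10.x.x.7 and 192.0.2.10 addresses and the "few sources / dominant share" thresholds are all constructed for the example; the traffic is synthesised in code, not captured.

```python
"""Decide whether per-IP blocking can help against a SYN flood.

Added example for this thread. The log line format is constructed for the
example (it is not any real router's or firewall's format), and the traffic
is synthesised in code, not captured.
"""
import re
from collections import Counter

# Constructed format: "<epoch> <src_ip> -> <dst_ip>:<dport> <tcp_flags> <ip_len>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):(?P<port>\d+)"
    r"\s+(?P<flags>[A-Z]+)\s+(?P<size>\d+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": float(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "port": int(m["port"]),
        "flags": m["flags"],
        "size": int(m["size"]),
    }


def synthetic_flood(n_sources, per_source, size=60, seconds=10.0):
    """Constructed SYN-only lines from n_sources distinct 10.x.x.7 addresses,
    spread evenly over `seconds`, plus two legitimate handshake lines as noise."""
    total = n_sources * per_source
    step = seconds / max(total, 1)
    lines = []
    for i in range(total):
        s = i % n_sources
        src = f"10.{(s >> 8) & 255}.{s & 255}.7"
        lines.append(f"{i * step:.4f} {src} -> 192.0.2.10:6667 S {size}")
    # a legitimate client: SYN-ACK and ACK lines must be ignored by the analysis
    lines.append(f"{seconds:.4f} 192.0.2.10 -> 198.51.100.5:6667 SA 60")
    lines.append(f"{seconds:.4f} 198.51.100.5 -> 192.0.2.10:6667 A 52")
    return lines


def analyze(lines, link_mbps, few_sources=5, dominant_share=0.5):
    """Summarise bare-SYN traffic and say whether blocking individual IPs is viable.

    A filter at your own router only drops packets that have already crossed
    the upstream link, so `saturates` is judged on the offered load, not on
    what survives the filter (post #8's point).
    """
    syns = [p for p in map(parse_line, lines)
            if p and "S" in p["flags"] and "A" not in p["flags"]]
    if not syns:
        return {"syn_packets": 0, "verdict": "no bare SYN traffic in sample"}
    counts = Counter(p["src"] for p in syns)
    span = max(p["ts"] for p in syns) - min(p["ts"] for p in syns)
    offered_mbps = sum(p["size"] for p in syns) * 8 / max(span, 1e-3) / 1e6
    top_src, top_n = counts.most_common(1)[0]
    share = top_n / len(syns)
    # per-IP blocking only makes sense when a handful of addresses dominate;
    # a zombie flood spreads the hits across hundreds of sources (post #9)
    single = len(counts) <= few_sources and share >= dominant_share
    return {
        "syn_packets": len(syns),
        "distinct_sources": len(counts),
        "top_source": top_src,
        "top_share": round(share, 3),
        "offered_mbps": round(offered_mbps, 2),
        "saturates": offered_mbps >= link_mbps,
        "verdict": "single-source" if single else "distributed",
        "block_list": sorted(counts) if single else [],
    }


if __name__ == "__main__":
    for label, lines in [("one box", synthetic_flood(1, 300)),
                         ("zombie flood", synthetic_flood(1000, 75, size=1500))]:
        print(label, analyze(lines, link_mbps=10))
```

The "one box" run yields a one-entry block list and an offered load far below the link, so a router ACL plus an ISP complaint is the right response. The "zombie flood" run shows 1000 distinct sources, each with a tiny share, and an offered load of roughly 90 Mbps against a 10 Mbps link: no block list, and the saturation flag tells you the only effective filtering point is upstream of your pipe (your ISP or a provider like the one mentioned in post #5).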

  10. #10
    BANNED
    Join Date
    Nov 2003
    Location
    San Diego
    Posts
    724
    I've posted this before, but it's a pretty good example of a DDoS, I believe.
    http://www.grc.com/dos/grcdos.htm
    Seems to be down right now but it might just be my computer.
    When death sleeps it dreams of you...
