Possible DDoS

[Cheeseball]

Earlier today the gaming clan I am part of starting receiving "tons" of request for a single image. The Log file on IIS looks like this:

Code:

2004-07-22 18:45:56 W3SVC1407829882 WEBSERVER1 XXX.XXX.XXX.XXX GET /wallpaper/wallpaper/best_Nuke_chrome.jpg - 80 - 163.28.33.228 HTTP/1.0 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.0.3705) - www.oursite.com 404 0 2 1814 325 203
2004-07-22 18:45:56 W3SVC1407829882 WEBSERVER1 XXX.XXX.XXX.XXX GET /wallpaper/wallpaper/best_Nuke_chrome.jpg - 80 - 202.28.27.2 HTTP/1.0 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.0.3705) - www.oursite.com 403 6 0 1733 372 421
2004-07-22 18:45:56 W3SVC1407829882 WEBSERVER1 XXX.XXX.XXX.XXX GET /wallpaper/wallpaper/best_Nuke_chrome.jpg - 80 - 200.110.16.18 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.0.3705) - www.oursite.com 404 0 2 1814 238 843
2004-07-22 18:45:56 W3SVC1407829882 WEBSERVER1 XXX.XXX.XXX.XXX GET /wallpaper/wallpaper/best_Nuke_chrome.jpg - 80 - 163.28.33.228 HTTP/1.0 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.0.3705) - www.oursite.com 404 0 2 1814 325 203
2004-07-22 18:45:56 W3SVC1407829882 WEBSERVER1 XXX.XXX.XXX.XXX GET /wallpaper/wallpaper/best_Nuke_chrome.jpg - 80 - 80.58.8.235 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.0.3705) - www.oursite.com 404 0 2 1795 365 140
2004-07-22 18:45:57 W3SVC1407829882 WEBSERVER1 XXX.XXX.XXX.XXX GET /wallpaper/wallpaper/best_Nuke_chrome.jpg - 80 - 200.163.234.2 HTTP/1.0 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.0.3705) - www.oursite.com 404 0 2 1819 352 234
2004-07-22 18:45:57 W3SVC1407829882 WEBSERVER1 XXX.XXX.XXX.XXX GET /wallpaper/wallpaper/best_Nuke_chrome.jpg - 80 - 80.58.3.239 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.0.3705) - www.oursite.com 404 0 2 1795 369 125
2004-07-22 18:45:57 W3SVC1407829882 WEBSERVER1 XXX.XXX.XXX.XXX GET /wallpaper/wallpaper/best_Nuke_chrome.jpg - 80 - 198.26.118.37 HTTP/1.0 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.0.3705) - www.oursite.com 404 0 2 1814 277 62
2004-07-22 18:45:57 W3SVC1407829882 WEBSERVER1 XXX.XXX.XXX.XXX GET /wallpaper/wallpaper/best_Nuke_chrome.jpg - 80 - 203.124.132.125 HTTP/1.0 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+.NET+CLR+1.0.3705) - www.oursite.com 403 6 0 1733 353 2718

basically every request was from a machine that appears to have been configured the "exact" same way (i.e. Windows XP, IE 6.0, with the .net framework). This is just an example of the log (a snippet of it anyway, I'm sure no one wants to see the 3 meg log file since this started). So far to resolve the issue we have just renamed that file, however, I'm curious if anyone knows how the request would be getting sent to the "zombie" machines (in one case the IP address that is attacking us appears to be a cisco router, most likely a cisco DSL modem with a machine that is doing the attacking natted behind it). I'm guessing it is getting request via an IRC channel. Anyone got any good ideas on tracking this down?

Thanks in advance
Cheeseball