[Dshield] DNS DOS attempt. need a bit of help

Johannes B. Ullrich jullrich at sans.org
Mon Jan 26 19:01:55 GMT 2004


The first thing to do if you are under a DOS attack is to notify your
ISP and ask them for help in blocking it as far away from you as
possible. They may also be able to trace it to a particular upstream
provider (e.g. if they are multi-homed). In particular, if the source
is spoofed, your ISP may be able to coordinate back-tracing the attack.

For example, your ISP may find that all the DDOS traffic to your site
comes from a particular upstream link. They can stop announcing that
particular IP address to this upstream, or just pick up the phone and
give their NOC a call.

DDOS attacks have a habit of becoming worse very quickly, so the earlier
you add the right extension at your ISP's help desk to your
rolodex the better. This is also the time where you will find out if
your ISP is any good ;-). DDOS mitigation can be time consuming. So
don't expect a lot of sympathy and help if you have a $10/month dialup
account. But as a business account user with an SLA, you should expect
your ISP to spend some effort in mitigating a (d)DOS attack.




For 217.120.182.35, try to contact abuse at home.nl. 



On Mon, 2004-01-26 at 13:06, Stephane Grobety wrote:
> Hello,
> 
> Since last week, my server is the target of a DOS attempt against DNS.
> Some IPs in Holland try to saturate the server with root requests
> (at a rate of several thousand per second). The server is holding
> out without problem (it's configured to auto-block anyone sending more
> than 100 requests per second and I have also blocked the specific IP
> on the IP level) but I would like this assault to stop.
> 
> The attacker is 217.120.182.35 which is a DSL address in home.nl. My
> main problem is that I'm strictly unable to read their web page in
> order to find either their phone number or their abuse address.
> Could someone who understands the language give me a hand there?
> 
> My other problem is the following: This particular attacker is pretty
> dumb but I'm worried at what could happen if he brightens up and starts
> spoofing his source IP, either with random IPs, making it impossible
> for me to simply block him based on that criterion, or using IPs of
> innocent third parties, which would either make my machine deny service
> to them or effectively use my DNS server as a traffic amplifier,
> flooding them with UDP packets. What kind of counter-measures exist
> to stop that kind of issue?
> 
> Thanks,
> Stephane
> 
> 
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
-- 
CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 837 2807                          jullrich at sans.org 

contact details: http://johannes.homepc.org/contact.htm
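The thread above turns on two points: the per-source threshold Stephane describes (auto-block any source sending more than 100 queries per second) and his worry that a spoofed flood would defeat it. The following is an added example, not code from either poster, that replays both situations over constructed query records (timestamp, source IP, qname, qtype): a root NS flood from the single address named in the thread, and the same flood with a randomised source on every packet. The log format, the helper names and the sample addresses (192.0.2.x for legitimate clients) are assumptions; only the 100/sec threshold and 217.120.182.35 come from the post.

```python
from collections import Counter, defaultdict
import ipaddress
import random

# Constructed sample records, not a real log: (timestamp_seconds, source_ip, qname, qtype).
LEGIT = [
    (0.1, "192.0.2.10", "www.example.com", "A"),
    (0.5, "192.0.2.11", "example.net", "MX"),
]


def make_flood(src, n, t0=0.0, spread=1.0):
    """n root ('.') NS queries from one source, evenly spread over `spread` seconds."""
    return [(t0 + i * spread / n, src, ".", "NS") for i in range(n)]


def make_spoofed_flood(n, seed, t0=0.0, spread=1.0):
    """Same flood, but every packet carries a different (random) IPv4 source address."""
    rng = random.Random(seed)
    return [
        (t0 + i * spread / n, str(ipaddress.IPv4Address(rng.getrandbits(32))), ".", "NS")
        for i in range(n)
    ]


def per_source_offenders(queries, threshold=100, window=1.0):
    """Sources that sent more than `threshold` queries inside any single window.

    This is the per-IP rule from the thread; it catches the unspoofed attacker
    but sees nothing when each packet has a fresh random source.
    """
    buckets = defaultdict(Counter)  # window index -> Counter(src -> queries)
    for ts, src, _, _ in queries:
        buckets[int(ts // window)][src] += 1
    return {src for c in buckets.values() for src, n in c.items() if n > threshold}


def aggregate_rate(queries, window=1.0):
    """Peak queries per window regardless of source.

    A spoofed flood is invisible per source but still shows up here, which is
    why the per-IP threshold alone is not enough once sources are randomised.
    """
    c = Counter(int(ts // window) for ts, *_ in queries)
    return max(c.values()) if c else 0


if __name__ == "__main__":
    plain = LEGIT + make_flood("217.120.182.35", 5000)
    spoofed = LEGIT + make_spoofed_flood(5000, seed=1)
    print("unspoofed flood, blocked sources:", per_source_offenders(plain))
    print("spoofed flood, blocked sources:", per_source_offenders(spoofed))
    print("spoofed flood, peak queries/sec:", aggregate_rate(spoofed))
```

Run as a script it shows the per-source rule tripping only for the single real address; with randomised sources nothing is blocked even though the aggregate rate is identical, which is exactly the gap Stephane asks about. Blocking on the aggregate (or on the query pattern itself) is the obvious next step, but the thread gives no such rule, so the example only measures it.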

