[Dshield] Substantial DDoS: Forensics?
ge at linuxbox.org
Thu Aug 17 01:35:39 GMT 2006
What was the attacked server?
On Wed, 16 Aug 2006, David Cary Hart wrote:
> Using swatch for adaptive firewalling, I have now added about 2,500
> IPs to the firewall (I have also taken some CGI off line). The list
> is growing by the minute.
> Fortunately, I was running a tail and I saw this pretty early
> (although the server did crash). The question is this: Has anyone out
> there been able to develop a pattern from the IP addresses and the
> firewall (IPtables) log to track down the source? BTW, they have a
> common user agent.
> I haven't done a geographic breakdown yet but my quick take is that
> they seem widely distributed.
> Any help would be appreciated.
> Our DNSRBL - Eliminate Spam at the Source: http://www.TQMcube.com
> Don't Subsidize Criminals: http://boulderpledge.org