[Dshield] Substantial DDoS: Forensics?

David Cary Hart DShield at TQMcube.com
Thu Aug 17 22:14:44 GMT 2006


On Thu, 17 Aug 2006 15:21:05 -0400, "Scott Melnick"
<smelnick at water.com> opined:
> > Fortunately, I was running a tail and I saw this pretty early
> > (although the server did crash). The question is this: has anyone
> > out there been able to develop a pattern from the IP addresses
> > and the firewall (iptables) log to track down the source? BTW,
> > they have a common user agent.
> 
> Dave,
> 
> If it's a DDoS attack indeed then I imagine it would be difficult to
> develop a pattern from the attacking IPs as they are probably
> compromised zombie machines that are part of a botnet and will be
> different quite frequently.
> 
> 
Yup. Another flood started about an hour ago. It's somewhat under
control but I now have too many firewall rules. Given that there
is no referrer on ANY of these, I am virtually certain that it is a
DDoS.
-- 
Our DNSRBL - Eliminate Spam at the Source: http://www.TQMcube.com
               Don't Subsidize Criminals: http://boulderpledge.org
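An added example, not part of the thread, of the log triage the question asks about: it parses web-server lines in the Apache/nginx "combined" format (an assumption; the original mentions only iptables logs), groups referrer-less requests by the shared user agent to find the flood sources, and then emits a single ipset-backed rule instead of one iptables rule per address. The log lines and the set name `ddos_src` are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" log format; the fields that matter here are the
# client IP, the referrer and the user agent.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None

def flood_candidates(lines, min_hits=3):
    """Count referrer-less requests per user agent and client IP; returns
    {ua: {ip: hits}} for user agents with at least `min_hits` such requests."""
    per_ua = defaultdict(Counter)
    for line in lines:
        rec = parse(line)
        if rec is None or rec["referrer"] not in ("-", ""):
            continue  # normal browsing carries a referrer; skip it
        per_ua[rec["ua"]][rec["ip"]] += 1
    return {ua: dict(c) for ua, c in per_ua.items() if sum(c.values()) >= min_hits}

def ipset_commands(candidates, set_name="ddos_src"):
    """One ipset entry per source plus a single iptables rule, instead of one rule per IP."""
    cmds = [f"ipset create {set_name} hash:ip -exist"]
    ips = sorted({ip for c in candidates.values() for ip in c})
    cmds += [f"ipset add {set_name} {ip} -exist" for ip in ips]
    cmds.append(f"iptables -I INPUT -m set --match-set {set_name} src -j DROP")
    return cmds

# Constructed sample log lines (not taken from the thread).
SAMPLE_LOG = [
    '10.0.0.1 - - [17/Aug/2006:15:20:01 -0400] "GET / HTTP/1.1" 200 512 "-" "FloodAgent/1.0"',
    '10.0.0.2 - - [17/Aug/2006:15:20:01 -0400] "GET / HTTP/1.1" 200 512 "-" "FloodAgent/1.0"',
    '10.0.0.1 - - [17/Aug/2006:15:20:02 -0400] "GET / HTTP/1.1" 200 512 "-" "FloodAgent/1.0"',
    '10.0.0.3 - - [17/Aug/2006:15:20:02 -0400] "GET / HTTP/1.1" 200 512 "-" "FloodAgent/1.0"',
    '192.0.2.7 - - [17/Aug/2006:15:20:03 -0400] "GET /page HTTP/1.1" 200 900 "http://example.net/" "Mozilla/5.0"',
    '192.0.2.8 - - [17/Aug/2006:15:20:04 -0400] "GET /robots.txt HTTP/1.1" 200 40 "-" "Googlebot/2.1"',
]

if __name__ == "__main__":
    hits = flood_candidates(SAMPLE_LOG)
    print(hits)
    print("\n".join(ipset_commands(hits)))
```

The single legitimate crawler hit with no referrer falls below `min_hits`, so only the shared user agent's sources end up in the set.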

