
View Full Version : System Attacks
Nordic 06-18-2001, 04:02 AM Recently I have gotten numerous attack attempts on one of my hosted domains. Portsentry emails show that they all come from various IPs at Earthlink. When checking the IPs, they all show up as ADSL users.
Any good ideas on how to proceed would be highly appreciated, thanks.
Nordic
XTStrike 06-18-2001, 06:51 AM Contact Earthlink for a start. Give them logs, dates, times, and IPs, and they can follow it up from there. If they do nothing about it, then threaten legal action unless it ceases.
If it's a DDoS then GOOD LUCK, because it's almost impossible to stop them!! Check out www.grc.com to find out why :)
Nordic 06-18-2001, 08:11 AM Yes,
I sent Earthlink all the info and we'll see what happens. Have also notified VDI where I'm located.
Maybe it just pisses someone off and makes it worse. I could understand it if the site was offending someone, but it's a simple automotive site selling catalytic converters :confused:
Interesting article by the way.
Nordic
Planet Z 06-18-2001, 10:21 AM I wouldn't hold your breath for any type of useful action on Earthlink's part. I've attempted to deal with their abuse department before to no avail. Banging your head against a brick wall is likely to produce a better result. :angry:
I have dealt with Earthlink on two occasions, and in both cases, they did nothing to resolve the problems.
We had two machines getting hammered by portscans, exploit tests, etc., both coming from Earthlink ADSL lines. We collected the log files and sent them to Earthlink asking them to investigate. Nothing happened and the attacks continued.
Eventually, the hackers found an open hole in an old SunOS 4.0 box and dropped in an IRC bot. Fortunately, we were monitoring that sub-domain closely and quickly stopped the intrusion.
We sent the intrusion data to Earthlink. Although they said they would disable that user's account, attacks continued. As a result, we had to block the ADSL IP range at our firewall. Fortunately, the servers are used primarily for intranet purposes.
You may want to simply block that IP range for a while. Yeah, this may stop some users from getting into your site, but if the hacker thinks the machine has been secured -- maybe they will go look for other people to harass.
Nordic 06-19-2001, 11:28 AM Exactly what I'm looking to do, because so far not a word from them. My situation is about the same as you had, and the concern that I have is that others that are using Earthlink can't get to the site. The company is located in the same city as where the attacks come from, maybe a competitor or just someone that wants to harass some local businesses.
Anyway I'll block the IP ranges for now, thanks.
Nordic
The Prohacker 06-19-2001, 03:57 PM Usually a company will not respond unless there was $5,000+ in damages and lost revenue due to the attack; the FBI also takes this stance. So if you have a larger site, just block all Earthlink ADSL IP ranges and post a page on your site declaring why you have done this, or use IP forwarding to forward the users from that IP to another server that's not on your network, with the attack information and why you blocked it. Maybe the people will complain to their ISP, Earthlink, and your situation may be resolved. Of course, there's no foolproof way to stop them, or to get Earthlink to react....
Planet Z 06-19-2001, 04:40 PM Actually, I've generally had good experiences with MOST ISPs regarding abuse (spam, hacking attempts, etc.). It almost seems the bigger the ISP in question is, the less responsive their abuse dept. is.
Nordic 06-19-2001, 05:18 PM On the brighter side, I made a complaint to Concentric about a spam site that hosted a script for spam that some child porn sites used. Didn't hear back from them, but in just a couple of hours the site was gone. Good work from Concentric.
Regarding this, I will block everything from Earthlink for now.
Nordic