Web Hosting Talk

DoS attacks


roly
04-29-2002, 03:45 AM
I am helping administrate for a free host.
We believe there may be DoS attacks on the server.
WHAT SHOULD I DO?

MotleyFool
04-29-2002, 04:16 AM
The best solution is to take the server off for a few hours, or else you may run up a huge bandwidth overage bill in addition to many other unpleasant consequences.

Ahmad
04-29-2002, 11:33 AM
Are they attacking a specific account?
Stop it.

Are the attacks coming from specific destinations (IPs)?
Block them.

Otherwise, stop the whole server.

In all cases, contact the authorities about it. Run the IP through a whois to find the name of the owner and their email. Email them about the abuse. Include the following into your letter:

- Your name and address
- The attacked IP and port number
- The attacked URL
- The IP the attack is coming from
- The exact time and date of the attack (with the timezone)
- Samples of log records during the attack

clocker1996
04-29-2002, 02:23 PM
Not all DoS attacks come from "one" IP.

I mean, people always talk about "reporting" the IP that did it, blah blah.

But what if log files show millions of IPs hitting you at once? Whether it be a SYN flood, or whatever... which do you pick? Gimme a break.

If it's really that bad, find out what IP they are hitting on your machine, then unbind it.

ClusterMania
04-29-2002, 04:59 PM
How do you get the IPs of the dos attackers?

mdrussell
04-29-2002, 05:04 PM
Not too sure how you can believe you are getting DoS attacks - usually your provider will be able to tell you if they are, and they will block the IP.

Remember a DoS attack is when the network is flooded...

Matt

clocker1996
04-29-2002, 06:11 PM
lol
again

providers can't just "block the IP"

Why do people always think that it's just ONE IP?

It's not like someone is going to DoS you off their cable line, which in that case would be one IP.

jeez

anyway

cluster, use IPLOG. It is a really good program; it'll log everything. Problem is, when you are getting DoS'ed, and say it's from millions of IPs at once, e.g. a SYN flood... running iplog isn't a good idea.

Your system will be busy logging the attack,
making it more difficult.

You can find it on freshmeat.net:


http://freshmeat.net/projects/iplog/?topic_id=43%2C148%2C862

mdrussell
04-29-2002, 06:14 PM
Ok - they can block the range of IPs, or all the IPs used in the DoS attack.

I'm not an expert in the specifics, but its doable - VDI did a good job for us a couple of months back when they had some harsh attacks. I'll see if William can elaborate on what he did.

ClusterMania
04-29-2002, 06:43 PM
http://datahawk.verifast.net/mrtg/66.28.252.1_26.html

Some guy is attacking me for sure. I need to know how to block this guy.

XTStrike
04-29-2002, 06:57 PM
hmm, clocker1996 - i wonder how you know so much about all this... LOL

I might also hint *ARP cache*: if you are under attack, it's very important to clear your ARP cache after you have unbound your IP address from the box, then even more important NOT to re-bind the address to check if the attack has stopped :-)

SPaReK
04-29-2002, 07:56 PM
If it is a ping DoS attack, you can block ICMP packets with:

# ipchains accepts "ping" and "pong" as aliases for the ICMP types
# echo-request and echo-reply; DENY drops the packets silently.
ipchains -A input -i eth0 -p ICMP --icmp-type ping -j DENY
ipchains -A input -i eth0 -p ICMP --icmp-type pong -j DENY

Where eth0 is the network interface connected to the Internet.

rfxn
04-30-2002, 04:23 AM
That's some intense traffic you got flowing there... Grab a tcpdump of the attack and post it here; it would help clarify things.

As well, IPLOG is a bad idea, for the reasons clocker1996 noted. TCPDUMP is better, as you can pass simple grep/egrep/awk parameters to it and force the output of only the information you need.

Secondly, clocker1996, you're referring to a DDoS attack (multiple hosts collectively attacking a single host). But nonetheless you're very right about your points. Blocking out (D)DoS attacks is often not that easy, and often you do not see single entities pushing enough bandwidth to fork your MRTG graph up as high as shown above. And honestly, as far as blocking the attackers goes, most ISPs are not too keen about placing network-level filters on a single IP, let alone a whole block.

But anyway, just set up some sort of packet sniffer so you can see what's being sent down your server's pipe, then, based on the type of attack, try and evade it and minimize its impact should it happen again (because stopping [D]DoS attacks is next to impossible).

Also, Ahmad, contacting the authorities won't get you far. For example, if you're in the USA and the attack is originating from outside your state/country, the incident becomes a federal matter. So it gets passed on to the FBI. The FBI has to then evaluate and prioritize your incident. Considering that the average Computer Abuse/Fraud case costs the FBI about $100,000 to prosecute, they will often not pursue cases with under (I think) $5,000 in damages. More so, since there are so many incidents the FBI's cyber crime task force (or whatever they call it) must process, it will often be very long before the case even sees the light of day. This, combined with the lack of cooperation from many ISPs, makes prosecuting attackers all too difficult and time consuming.
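A worked example of what rfxn suggests (a tcpdump capture reduced to just the facts you need) that also assembles the fields Ahmad listed for an abuse e-mail. This is example code added to the thread, not anything a poster wrote or ran. The capture lines are constructed, the line format is assumed to match modern `tcpdump -n` output, and the flood thresholds are assumptions chosen for the sample; on a real capture you would set them from the capture length and your normal traffic.

```python
"""Triage a `tcpdump -n` capture of a suspected (D)DoS: top sources, the
target IP/port, bare-SYN vs ICMP echo floods, and per-source evidence for
an abuse report.  Added example code, not from any poster in this thread."""
import re
from collections import Counter

# Constructed sample capture (not a real attack).  Format assumed to match
# modern tcpdump output; adjust the regexes for older versions.
SAMPLE_CAPTURE = """\
12:01:05.000001 IP 203.0.113.5.40001 > 192.0.2.10.80: Flags [S], seq 1, win 512, length 0
12:01:05.000002 IP 203.0.113.5.40002 > 192.0.2.10.80: Flags [S], seq 2, win 512, length 0
12:01:05.000003 IP 203.0.113.5.40003 > 192.0.2.10.80: Flags [S], seq 3, win 512, length 0
12:01:05.000004 IP 203.0.113.5.40004 > 192.0.2.10.80: Flags [S], seq 4, win 512, length 0
12:01:05.000005 IP 198.51.100.7.51234 > 192.0.2.10.80: Flags [S], seq 5, win 8192, length 0
12:01:05.000006 IP 192.0.2.10.80 > 198.51.100.7.51234: Flags [S.], seq 9, ack 6, win 8192, length 0
12:01:05.000007 IP 198.51.100.7.51234 > 192.0.2.10.80: Flags [P.], seq 6:100, ack 10, win 8192, length 94
12:01:05.000008 IP 203.0.113.9 > 192.0.2.10: ICMP echo request, id 7, seq 1, length 1472
12:01:05.000009 IP 203.0.113.9 > 192.0.2.10: ICMP echo request, id 7, seq 2, length 1472
12:01:05.000010 IP 203.0.113.9 > 192.0.2.10: ICMP echo request, id 7, seq 3, length 1472
"""

TCP_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
                    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]")
ICMP_RE = re.compile(r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
                     r"ICMP (?P<kind>echo request|echo reply)")


def parse_line(line):
    """Return a dict for one tcpdump line, or None for lines we don't model."""
    m = TCP_RE.match(line)
    if m:
        # A bare SYN is what a SYN flood is made of; anything else counts as
        # ordinary TCP for this purpose.
        kind = "syn" if m.group("flags") == "S" else "tcp"
        return {"ts": m.group("ts"), "src": m.group("src"), "dst": m.group("dst"),
                "dport": int(m.group("dport")), "kind": kind, "raw": line}
    m = ICMP_RE.match(line)
    if m:
        kind = "icmp-request" if m.group("kind") == "echo request" else "icmp-reply"
        return {"ts": m.group("ts"), "src": m.group("src"), "dst": m.group("dst"),
                "dport": None, "kind": kind, "raw": line}
    return None


def summarize(capture, server_ip, samples_per_source=3):
    """Per-source counters for packets aimed at server_ip (inbound only)."""
    per_src = {}
    for line in capture.splitlines():
        pkt = parse_line(line)
        if pkt is None or pkt["dst"] != server_ip:
            continue
        entry = per_src.setdefault(pkt["src"], {
            "kinds": Counter(), "ports": Counter(),
            "first": pkt["ts"], "last": pkt["ts"], "samples": []})
        entry["kinds"][pkt["kind"]] += 1
        if pkt["dport"] is not None:
            entry["ports"][pkt["dport"]] += 1
        entry["last"] = pkt["ts"]  # capture lines arrive in time order
        if len(entry["samples"]) < samples_per_source:
            entry["samples"].append(pkt["raw"])
    return per_src


def classify(per_src, syn_threshold=3, icmp_threshold=3):
    """Flag sources whose bare-SYN or echo-request counts reach the thresholds
    (thresholds are assumptions sized for the constructed sample)."""
    verdicts = []
    for src, entry in per_src.items():
        kinds = entry["kinds"]
        if kinds["syn"] >= syn_threshold:
            verdicts.append((src, "syn-flood", sum(kinds.values())))
        elif kinds["icmp-request"] >= icmp_threshold:
            verdicts.append((src, "icmp-flood", sum(kinds.values())))
    verdicts.sort(key=lambda v: -v[2])  # loudest source first
    return [(src, verdict) for src, verdict, _ in verdicts]


def abuse_report(per_src, src, server_ip, date, tz, reporter="(your name and address)"):
    """Assemble the fields Ahmad listed for an abuse e-mail to the source's ISP."""
    entry = per_src[src]
    ports = ", ".join(f"port {p}" for p, _ in entry["ports"].most_common()) or "ICMP (no port)"
    lines = [f"Reporter: {reporter}",
             f"Attacked IP: {server_ip} ({ports})",
             f"Source IP: {src}",
             f"Time: {date} {entry['first']} to {entry['last']} {tz}",
             f"Packets seen: {dict(entry['kinds'])}",
             "Sample log records:"] + [f"  {s}" for s in entry["samples"]]
    return "\n".join(lines)


if __name__ == "__main__":
    summary = summarize(SAMPLE_CAPTURE, "192.0.2.10")
    for src, verdict in classify(summary):
        print(f"{src}: {verdict}")
    print(abuse_report(summary, "203.0.113.5", "192.0.2.10", "2002-04-29", "UTC"))
```

On a live box you would feed it `tcpdump -n -i eth0 -c 10000 dst host <your IP>` rather than the embedded sample; capturing a bounded number of packets keeps the sniffer itself from becoming the load problem clocker1996 describes for iplog. Note that with a spoofed SYN flood the "source IP" column is meaningless, so the report fields matter mostly for the single-source case.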

clocker1996
04-30-2002, 07:41 AM
yeah

not much you can do sometimes

best off unbinding, and getting a new ip