Web Hosting Talk

Stopping Attacks


archangel777
05-13-2002, 09:03 PM
Anyone have any ideas on how to stop the following attack?

Here's a sample of my tcpdump.


14:45:12.370515 adsl-66.51.196.47.dslextreme.com.6970 > lashoppingcenter.com.23970: udp 620
14:45:12.678535 adsl-66.51.196.47.dslextreme.com.6970 > lashoppingcenter.com.23970: udp 620
14:45:12.837133 adsl-66.51.196.47.dslextreme.com.6970 > lashoppingcenter.com.23970: udp 620
14:45:13.036056 adsl-66.51.196.47.dslextreme.com.6970 > lashoppingcenter.com.23970: udp 620
14:45:13.374049 adsl-66.51.196.47.dslextreme.com.6970 > lashoppingcenter.com.23970: udp 620
14:45:13.533041 adsl-66.51.196.47.dslextreme.com.6970 > lashoppingcenter.com.23970: udp 620
14:45:13.761696 adsl-66.51.196.47.dslextreme.com.6970 > lashoppingcenter.com.23970: udp 620
14:45:14.069554 adsl-66.51.196.47.dslextreme.com.6970 > lashoppingcenter.com.23970: udp 620
14:45:14.291607 adsl-66.51.196.47.dslextreme.com.6970 > lashoppingcenter.com.23970: udp 620
14:45:14.487016 adsl-66.51.196.47.dslextreme.com.6970 > lashoppingcenter.com.23970: udp 620
14:45:14.735454 adsl-66.51.196.47.dslextreme.com.6970 > lashoppingcenter.com.23970: udp 620
14:45:14.983802 adsl-66.51.196.47.dslextreme.com.6970 > lashoppingcenter.com.23970: udp 620
14:45:15.152703 adsl-66.51.196.47.dslextreme.com.6970 > lashoppingcenter.com.23970: udp 620
14:45:15.464335 adsl-66.51.196.47.dslextreme.com.6970 > lashoppingcenter.com.23970: udp 620
14:45:15.649810 adsl-66.51.196.47.dslextreme.com.6970 > lashoppingcenter.com.23970: udp 620
14:45:15.851817 adsl-66.51.196.47.dslextreme.com.6970 > lashoppingcenter.com.23970: udp 620
14:45:16.186256 adsl-66.51.196.47.dslextreme.com.6970 > lashoppingcenter.com.23970: udp 620
14:45:16.348919 adsl-66.51.196.47.dslextreme.com.6970 > lashoppingcenter.com.23970: udp 620
14:45:16.574030 adsl-66.51.196.47.dslextreme.com.6970 > lashoppingcenter.com.23970: udp 620
14:45:16.862070 adsl-66.51.196.47.dslextreme.com.6970 > lashoppingcenter.com.23970: udp 620
14:45:17.073906 adsl-66.51.196.47.dslextreme.com.6970 > lashoppingcenter.com.23970: udp 620
14:45:17.243046 adsl-66.51.196.47.dslextreme.com.6970 > lashoppingcenter.com.23970: udp 620
14:45:17.531066 adsl-66.51.196.47.dslextreme.com.6970 > lashoppingcenter.com.23970: udp 620
14:45:17.716539 adsl-66.51.196.47.dslextreme.com.6970 > lashoppingcenter.com.23970: udp 620
14:45:17.945877 adsl-66.51.196.47.dslextreme.com.6970 > lashoppingcenter.com.23970: udp 620
14:45:18.246396 adsl-66.51.196.47.dslextreme.com.6970 > lashoppingcenter.com.23970: udp 620
14:45:18.432159 adsl-66.51.196.47.dslextreme.com.6970 > lashoppingcenter.com.23970: udp 620
14:45:18.630773 adsl-66.51.196.47.dslextreme.com.6970 > lashoppingcenter.com.23970: udp 620
14:45:18.949076 adsl-66.51.196.47.dslextreme.com.6970 > lashoppingcenter.com.23970: udp 620
14:45:19.134541 adsl-66.51.196.47.dslextreme.com.6970 > lashoppingcenter.com.23970: udp 620
14:45:19.303759 adsl-66.51.196.47.dslextreme.com.6970 > lashoppingcenter.com.23970: udp 620
14:45:19.674293 adsl-66.51.196.47.dslextreme.com.6970 > lashoppingcenter.com.23970: udp 620
14:45:19.833489 adsl-66.51.196.47.dslextreme.com.6970 > lashoppingcenter.com.23970: udp 620
14:45:20.028856 adsl-66.51.196.47.dslextreme.com.6970 > lashoppingcenter.com.23970: udp 620


I get these attacks (and several other types) just about every day. If my provider charges me for all this, I'm gonna go broke soon. Anyone have any ideas on how to stop them at the server level?

I tried the /sbin/route command to reject all IPs associated, but no luck.

Any help would be greatly appreciated.

clocker1996
05-13-2002, 09:11 PM
check your private message.

blazenet
05-14-2002, 01:47 AM
What OS are you running?

If Linux, which kernel? Do you have iptables built-in within your kernel, or done as a module?

If you have it as a module, enter

"modprobe iptables"

If your kernel is < 2.4.xx, then you should use "ipchains" ...

Then, you can use iptables/ipchains to drop those packages, and at least save your processor from doing that... other than that, your network interface will still have the traffic, and you will have to ask your host to drop this bastard.
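An added example (not code from any poster in this thread) that turns the kind of tcpdump excerpt posted above into the two things a defender needs: a per-source packet and byte rate to show the host or upstream, and the kernel-side iptables DROP rule described in the reply. The sample lines are constructed (six copied from the posted capture plus one unrelated DNS reply), the 28-byte IPv4+UDP header overhead is an assumption, and the thresholds are arbitrary defaults.

```python
import re

# Constructed sample in the thread's tcpdump format: six lines from the posted
# capture plus one unrelated DNS reply (constructed) that must not be flagged.
SAMPLE = """\
14:45:12.370515 adsl-66.51.196.47.dslextreme.com.6970 > lashoppingcenter.com.23970: udp 620
14:45:12.678535 adsl-66.51.196.47.dslextreme.com.6970 > lashoppingcenter.com.23970: udp 620
14:45:13.036056 adsl-66.51.196.47.dslextreme.com.6970 > lashoppingcenter.com.23970: udp 620
14:45:13.200000 ns1.example.net.53 > lashoppingcenter.com.32771: udp 80
14:45:13.374049 adsl-66.51.196.47.dslextreme.com.6970 > lashoppingcenter.com.23970: udp 620
14:45:13.761696 adsl-66.51.196.47.dslextreme.com.6970 > lashoppingcenter.com.23970: udp 620
14:45:14.069554 adsl-66.51.196.47.dslextreme.com.6970 > lashoppingcenter.com.23970: udp 620
"""
LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d\.\d+) (\S+) > (\S+): udp (\d+)$")
IP_UDP_HEADERS = 28  # assumed 20-byte IPv4 header + 8-byte UDP header per datagram

def parse_line(line):
    """(seconds since midnight, src host, dst port, payload bytes), or None if not UDP."""
    m = LINE_RE.match(line)
    if not m:
        return None
    secs = int(m.group(1)) * 3600 + int(m.group(2)) * 60 + float(m.group(3))
    src_host, _ = m.group(4).rsplit(".", 1)   # tcpdump appends ".port" to each host
    _, dport = m.group(5).rsplit(".", 1)
    return secs, src_host, int(dport), int(m.group(6))

def summarize(capture):
    """Packets, on-wire bytes and rates per (source host, destination port)."""
    flows = {}
    for secs, src, dport, payload in filter(None, map(parse_line, capture.splitlines())):
        f = flows.setdefault((src, dport), {"packets": 0, "bytes": 0, "first": secs})
        f["packets"] += 1
        f["bytes"] += payload + IP_UDP_HEADERS
        f["last"] = secs
    for f in flows.values():
        window = max(f["last"] - f["first"], 1.0)  # avoid dividing by a tiny window
        f["pps"] = f["packets"] / window
        f["bytes_per_sec"] = f["bytes"] / window
    return flows

def floods(flows, min_packets=5, min_pps=2.0):
    """Keys of flows that look like the thread's flood: a sustained stream from one source."""
    return [k for k, f in flows.items() if f["packets"] >= min_packets and f["pps"] >= min_pps]

def drop_rule(src_host, dport):
    """Kernel-side DROP: spares CPU and the socket, but the bytes already crossed eth0."""
    ip = re.search(r"\d{1,3}(?:\.\d{1,3}){3}", src_host).group(0)
    return f"iptables -A INPUT -s {ip} -p udp --dport {dport} -j DROP"
```

The rate summary is what to hand to the upstream when asking for a null route, since, as the reply says, the DROP rule alone does not stop the traffic from being metered.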

archangel777
05-14-2002, 02:14 AM
The box that's getting attacked is using Red Hat 7.2. I'm using both iptables and route to reject all IPs/domains associated, but it keeps eating my traffic. I don't see it working.

Are you saying that iptables only prevents the cpu from being used, and that it doesn't block the traffic? If that is the case, isn't there another way to do it, other than calling up the provider?

I have a new attack almost everyday, so calling them up to block a new ip everyday isn't really an option.... too much of a hassle.

blazenet
05-14-2002, 03:35 AM
Well, iptables is software... before the software receives the UDP package, it has to go over the interface (eth0 for example) ... so basically, you can't prevent getting traffic with doing software, since in the end, you will need to receive the data before you can block it.

There are some hardware solutions for this, question is if you want it ($$$)

archangel777
05-14-2002, 12:37 PM
That's not good. If iptables and other software can't block the traffic, then I'm in trouble. Anyone know any good hardware solutions?

denisdekat
05-14-2002, 08:43 PM
I would contact his DSL provider. Let them know that he eats a lot of bandwidth, and try to relate it in a way that they realize that he is hogging their bandwidth too (once his traffic reaches the DSL border router, it must affect the provider in some way).

Also, have you done an nmap localhost? Do you have that port open and listening?

Hope this helps :)

Regards,

Andres

archangel777
05-15-2002, 01:00 AM
Yeah, this guy is like an annoying bug. He's been at it for the last 30+ hours. I doubt his DSL provider (if that's in fact where it's coming from) will do anything about it.

There has got to be a way to stop this guy from eating my bandwidth, besides having the provider do it for you (they have done nothing).




Originally posted by denisdekat
I would contact his DSL provider. Let them know that he eats a lot of bandwidth, and try to relate it in a way that they realize that he is hogging their bandwidth too (once his traffic reaches the DSL border router, it must affect the provider in some way).

erapid
05-15-2002, 08:17 AM
Hi

As a matter of fact, Internet providers do nothing to prevent DOS attacks. You may send them tons of mail, but ... silence in reply.

Maybe there is a time to concoct a mass fight against DOS-man?

We know only one good way - unroute the attacked IP.


Regards.

P.S. It would be great to find DOS-man location, but how?

provet
05-15-2002, 03:34 PM
Give money to some ISP worker, get the address of this guy, come to his house with a bat and break his fingers :) I think it's a 100% way

clocker1996
05-15-2002, 04:01 PM
request new ips.

archangel777
05-15-2002, 04:19 PM
That's a good idea, but a bit inconvenient because I can't request new IPs every time new attacks pop up. I've only had the server online for less than 2 months.




Originally posted by clocker1996
request new ips.

clocker1996
05-15-2002, 06:43 PM
uhm
if u have all new IPs
they won't be attacking you
they won't know the new IPs

erapid
05-15-2002, 07:55 PM
Originally posted by provet
Give money to some ISP worker, get the address of this guy, come to his house with a bat and break his fingers :) I think it's a 100% way

Especially it was cool about fingers :) ... and "but" :)

Regards

BMurtagh
05-15-2002, 08:25 PM
I'm assuming this is a dedicated server. Did you try calling your provider and asking them to add a rule on their firewalls to block/reject? Try that, and be sure to tell them you have proof. If they don't really try to help in one way or another, you might want to start looking at a host that seems to care about their customers.

archangel777
05-15-2002, 08:50 PM
They won't, if they're not specifically targeting one of my domains. If they are targeting one of my domains, then isn't it kind of a waste of time to change IPs? All they have to do is ping to get my new IP.



Originally posted by clocker1996
uhm
if u have all new IPs
they won't be attacking you
they won't know the new IPs

clocker1996
05-15-2002, 08:52 PM
well you sit here complaining

do something then

I'm trying to give you advice

move to another provider who will provide better fw support

rackmy has good fw'ing

jstout
05-16-2002, 03:14 PM
Blocking the traffic on your box will do nothing. Once the data hits your box you'll get charged.

Ask your upstream provider to block, drop or null route the ip and/or contact abuse@hisisp.com and see if you can have them drop him.

miami_g
05-16-2002, 05:32 PM
:mad:

try this from the command line

route add hisip reject

archangel777
05-16-2002, 07:32 PM
I've tried all that ... quite a few times.... My provider has tried contacting them... I've tried contacting them... They simply ignore.

As for asking my provider to block the ip.... I've requested that... but they either don't know how.... or don't want to. Probably the latter.




Originally posted by jstout
Blocking the traffic on your box will do nothing. Once the data hits your box you'll get charged.

Ask your upstream provider to block, drop or null route the ip and/or contact abuse@hisisp.com and see if you can have them drop him.

archangel777
05-16-2002, 07:34 PM
route and iptables won't work, cuz as mentioned before... once the traffic hits your port, you'll be charged for it.






Originally posted by miami_g
:mad:

try this from the command line

route add hisip reject

clocker1996
05-16-2002, 08:07 PM
this is a sign from god to MOVE out of there.

ADEhost
05-18-2002, 12:55 AM
yes the person above is correct, it's a sign to get the heck out.

Your NOC should be able to at least block that IP at the router or the switch. I understand it's easy to do and there is no downtime.

mike

archangel777
05-18-2002, 02:54 AM
If this were a dedicated server, I would have moved a long time ago. However, since this is a high-end server that's co-located... it's going to be tough to coordinate the move without down-time.... unless I buy an additional server.

Also, I only know of one other place around here that co-locates in my price range... but they charge by 95th percentile.... so I'm a bit reluctant cuz if similar attacks carry over to there, I would have to sell my house, dog, and one of my kidneys just to pay for the bandwidth.

I'm going to give it one more try... if it fails, it's moving time.