Web Hosting Talk

View Full Version : DoS attacks


interactive
12-01-2002, 07:05 PM
Alright, this mofo has been DoS'ing me for like 3 days straight. It's one of my game servers and it's really irritating me. I know he's proxying right and left. He has like 500 Apache processes going. His IP right now is 66.76.93.157. How would I trace it beyond the proxy? Please help. Really irritating me.

interactive
12-01-2002, 07:13 PM
BTW I've tried blocking his/her IP with iptables. But he still is DoS'ing.

bambenek
12-01-2002, 07:34 PM
Figure out who owns the IP and have them shut down.

interactive
12-01-2002, 07:50 PM
OK, at this point I'm able to block IPs (before I was forgetting to restart httpd). But they change IPs like constantly. I've already blocked about 50. Any ideas?

IGobyTerry
12-01-2002, 08:16 PM
Can you trace back to who owns the IPs? If you can, contact them and have them shut him down.

svdorr
12-01-2002, 08:25 PM
Interactive,

Are these IP addresses in the same range, or are they scattered all over? If in the same range, you can temporarily block the entire range. The one IP address you posted belongs to TCA Internet, which, if you go to tca.net, goes to the Cox Communications web site, which is a cable internet company.

interactive
12-01-2002, 08:33 PM
Originally posted by svdorr
Interactive,

Are these IP addresses in the same range, or are they scattered all over? If in the same range, you can temporarily block the entire range. The one IP address you posted belongs to TCA Internet, which, if you go to tca.net, goes to the Cox Communications web site, which is a cable internet company.


They are scattered. Anywhere from 12 to 66. We got it sort of under control, not so many now. But there's still some going on. They were attacking port 80 at first. So I turned off Apache. Then they start attacking weird ports like 6478 and 1093 and crap.

bambenek
12-01-2002, 11:15 PM
Block everything but allowed traffic.

jic
12-01-2002, 11:18 PM
Yeah, that's a fun DoS attack. They are probably using scanned NT machines or hacked Windows machines. I would close down all the ports except the accepted ones. See if you can figure out what size the packets are. Are they all the same? If so, you can filter that.

interactive
12-01-2002, 11:26 PM
They attack totally different ports every time. I'm not sure what the packet size is, but I'll look into that. It irritates me so bad. It hasn't been this bad before. Most of the time I shut the server off for say 20-30 minutes then turn it back on and they have given up. I did that and they just kept coming back. I wish I could like find them and strangle them. I'm pretty sure it's more than one person.

filburt1
12-01-2002, 11:45 PM
Originally posted by interactive
I'm pretty sure it's more than one person.

With a cumulative age of no less than 13, probably...

interactive
12-01-2002, 11:51 PM
Originally posted by filburt1
With a cumulative age of no less than 13, probably...

And an IQ less than 20. I should create a 3D film called "attack of the script kiddies!".

anon-e-mouse
12-02-2002, 02:13 AM
Abuse addresses for that IP are abuse@cox-internet.com, postmaster@tyler.net

bambenek
12-02-2002, 02:35 AM
www.dshield.org would be a good place to report logs to as well...

Darth
12-02-2002, 05:09 AM
Hire detective bob :laugh:

James[UH]
12-02-2002, 12:43 PM
Find out what kind of traffic is coming in, and get your ISP to block it at one of their border routers. Let them absorb the DoS.
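
The triage questions raised in the replies above (are the sources in one range or scattered, are the packets all one size, which ports are hit), worked as an added example that is not from any poster in the thread. It assumes the unwanted traffic is written to the kernel log by an iptables LOG rule; the `FLOOD` log prefix, the host name and every address in the sample are constructed.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed iptables LOG lines (hypothetical prefix FLOOD, documentation-range IPs).
SAMPLE_LOG = """\
Dec  1 23:01:01 gs1 kernel: FLOOD IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.5 LEN=1028 TOS=0x00 TTL=110 ID=1 PROTO=UDP SPT=4000 DPT=6478 LEN=1008
Dec  1 23:01:02 gs1 kernel: FLOOD IN=eth0 OUT= SRC=198.51.100.3 DST=10.0.0.5 LEN=1028 TOS=0x00 TTL=109 ID=2 PROTO=UDP SPT=4001 DPT=1093 LEN=1008
Dec  1 23:01:03 gs1 kernel: FLOOD IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 LEN=1028 TOS=0x00 TTL=111 ID=3 PROTO=UDP SPT=4002 DPT=6478 LEN=1008
Dec  1 23:01:04 gs1 kernel: FLOOD IN=eth0 OUT= SRC=192.0.2.77 DST=10.0.0.5 LEN=1028 TOS=0x00 TTL=110 ID=4 PROTO=UDP SPT=4003 DPT=2200 LEN=1008
Dec  1 23:01:05 gs1 kernel: FLOOD IN=eth0 OUT= SRC=198.51.100.3 DST=10.0.0.5 LEN=60 TOS=0x00 TTL=52 ID=5 DF PROTO=TCP SPT=3300 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Dec  1 23:01:06 gs1 sshd[311]: Accepted publickey for admin from 10.0.0.9
"""

FIELD = re.compile(r"\b(SRC|LEN|PROTO|DPT)=(\S+)")

def parse_line(line):
    """Return the fields of one LOG line, or None for unrelated lines."""
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, value)  # UDP logs LEN twice; keep the first (IP length)
    return fields if {"SRC", "LEN", "PROTO"} <= fields.keys() else None

def summarize(log_text, prefix=24):
    """Summarize sources, networks, ports and packet sizes in a block of LOG lines."""
    sources, nets, sizes, ports = set(), Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None:
            continue
        sources.add(f["SRC"])
        nets[ip_network(f"{f['SRC']}/{prefix}", strict=False)] += 1
        sizes[(f["PROTO"], int(f["LEN"]))] += 1
        ports[f.get("DPT", "none")] += 1  # ICMP lines carry no DPT field
    total = sum(sizes.values())
    if total == 0:
        return None
    (proto, length), hits = sizes.most_common(1)[0]
    return {
        "packets": total,
        "distinct_sources": len(sources),
        "distinct_networks": len(nets),
        "largest_network_share": max(nets.values()) / total,
        "distinct_ports": len(ports),
        "dominant_size": (proto, length),
        "dominant_size_share": hits / total,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A low `largest_network_share` with a high `dominant_size_share` is the case jic describes: per-address or per-range blocks will not keep up, but the traffic shares one property that a filter, or the ISP's border router, can match on.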