  1. #1
    Join Date
    Nov 2005
    Posts
    305

    Receiving 200.000 pps attack for 8 days and AT&T ignores abuse reports

    Hello,

    What to do when the source of an attack ignores abuse reports?

    We have been attacked from 63.240.125.214 since 08/Dec/2013 and have contacted abuse@att.net 3 or 4 times since then. They just replied to the first report requesting timestamps, which we provided, and never answered anymore (not even to new reports we sent).

    What to do?

    The attack is consuming bandwidth/pps (average 200k pps/second).


    I believe that this kind of behavior would just be seen from CHINA isps.

  2. #2
    Join Date
    Jun 2013
    Location
    Los Angeles
    Posts
    327
    Add a firewall rule/ACL at the highest level you can and then continue to ping AT&T daily until they respond to you. Give them a phone call if necessary. Unfortunately there's not a whole lot else you can do, apart from escalating it to your local provider and asking them to contact AT&T abuse on your behalf/ACLing it up the chain.
    QuadraNet.com™ - Enterprise Dedicated Servers, Cloud Hosting, and Colocation
    j.goldman@quadranet.com

  3. #3
    Join Date
    Oct 2005
    Location
    London, UK
    Posts
    140
    They would generally receive a *LOT* of emails to their abuse department. If you only included a short message like your one above I can see why it could be ignored as there is not enough information there.

    What type of attack is it for a start? If it's a flood of some sort have you considered that the source is, in fact, spoofed?
    Goscomb Technologies Limited - www.goscomb.net / AS39326
    E: sales@goscomb.net P: +44 (0) 203 129 4400 F: +44 (0) 203 129 4410
    IP Transit :: Colocation :: Dedicated Servers :: Leased Lines :: DSL
    Registered in England and Wales No. 05672987 - VAT Registration No. 853 7954 80

  4. #4
    Join Date
    Nov 2005
    Posts
    305
    Quote: Originally Posted by goscombtech
    They would generally receive a *LOT* of emails to their abuse department. If you only included a short message like your one above I can see why it could be ignored as there is not enough information there.

    What type of attack is it for a start? If it's a flood of some sort have you considered that the source is, in fact, spoofed?

    My message included the start timestamp, the attack start time (no end time, still going on) and tcpdump showing the UDP flood attack. There is not much more that can be said. I believe the tcpdump output speaks for itself.

  5. #5
    Join Date
    Nov 2005
    Posts
    305
    I've even heard from some people to look for a botnet to attack the source of the attack to try to have it null routed... that is so absurd that it makes it funny.

  6. #6
    Join Date
    Oct 2005
    Location
    London, UK
    Posts
    140
    If it's a UDP flood it's most likely either spoofed, or DNS reflection.

    Not all abuse departments will reply. It doesn't mean that they haven't dealt with the issue. If that traffic is spoofed there is nothing they can do in any case.
    Goscomb Technologies Limited - www.goscomb.net / AS39326
    E: sales@goscomb.net P: +44 (0) 203 129 4400 F: +44 (0) 203 129 4410
    IP Transit :: Colocation :: Dedicated Servers :: Leased Lines :: DSL
    Registered in England and Wales No. 05672987 - VAT Registration No. 853 7954 80

  7. #7
    Join Date
    Nov 2005
    Posts
    305
    Quote: Originally Posted by goscombtech
    If it's a UDP flood it's most likely either spoofed, or DNS reflection.

    Not all abuse departments will reply. It doesn't mean that they haven't dealt with the issue. If that traffic is spoofed there is nothing they can do in any case.

    There is something really easy to do, ratelimit the IP so it won't impact other hosts on the internet until it is fixed.

    Not a DNS reflection attack, it is most likely that perl udp flood script which is usually found at compromised hosts.

    I don't believe that it is spoofed. Spoofed attacks usually keep changing the source.

  8. #8
    Join Date
    May 2009
    Location
    Vaduz/LI
    Posts
    2,778
    >There is something really easy to do, ratelimit the IP so it won't impact other hosts on the internet until it is fixed.

    Great way to breach terms, contracts and in some countries even laws.

  9. #9
    Join Date
    Nov 2005
    Posts
    305
    Quote: Originally Posted by TheLie
    >There is something really easy to do, ratelimit the IP so it won't impact other hosts on the internet until it is fixed.

    Great way to breach terms, contracts and in some countries even laws.

    I mean, rate limit output to the victim's address.

    Talking about law, how is an ISP that doesn't care about being the source of attacks seen?

  10. #10
    Join Date
    May 2009
    Location
    Vaduz/LI
    Posts
    2,778
    Protected from liability, at least in most of Europe based on claiming to be not able to verify it.

    US as far as I know not much different.

  11. #11
    Join Date
    Nov 2005
    Posts
    305
    Quote: Originally Posted by TheLie
    Protected from liability, at least in most of Europe based on claiming to be not able to verify it.

    US as far as I know not much different.

    That wouldn't be fair.

  12. #12
    Join Date
    Jan 2010
    Posts
    308
    Quote: Originally Posted by brc_csf
    There is something really easy to do, ratelimit the IP so it won't impact other hosts on the internet until it is fixed.

    Not a DNS reflection attack, it is most likely that perl udp flood script which is usually found at compromised hosts.

    I don't believe that it is spoofed. Spoofed attacks usually keep changing the source.
    That's not true. There's no rhyme or reason as to which flood attacks are spoofing the source IP or not. We get about 4-7 simple attacks per day, and they're almost all spoofed. Single IP coming in on multiple, different providers? Spoofed.
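
Added example, not part of any post in this thread: a sketch of how the evidence discussed above (timestamps and packet rate for an abuse report, plus the "single IP coming in on multiple, different providers" spoofing check) can be pulled from tcpdump text captured on each transit link. The `transitA`/`transitB` labels, the input layout and the documentation-range addresses are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample: "<upstream label> <tcpdump -tt -n line>", one capture per
# transit link. Addresses are documentation ranges, not real attack data.
SAMPLE = """\
transitA 1386500000.10 IP 198.51.100.7.40001 > 192.0.2.10.80: UDP, length 1024
transitA 1386500000.60 IP 198.51.100.7.40001 > 192.0.2.10.80: UDP, length 1024
transitA 1386500001.10 IP 198.51.100.7.40002 > 192.0.2.10.80: UDP, length 1024
transitA 1386500002.10 IP 198.51.100.7.40002 > 192.0.2.10.80: UDP, length 1024
transitA 1386500000.20 IP 203.0.113.9.53124 > 192.0.2.10.80: UDP, length 512
transitB 1386500000.70 IP 203.0.113.9.53124 > 192.0.2.10.80: UDP, length 512
transitB 1386500001.20 IP 203.0.113.9.1999 > 192.0.2.10.80: UDP, length 512
not a tcpdump line
"""

LINE = re.compile(
    r"^(?P<up>\S+) (?P<ts>\d+\.\d+) IP (?P<src>\d+(?:\.\d+){3})\.\d+ > "
    r"(?P<dst>\d+(?:\.\d+){3})\.\d+: UDP, length \d+$"
)

def summarize(text):
    """Per-source evidence: packet count, time window, average pps, ingress links."""
    stats = defaultdict(lambda: {"packets": 0, "first": None, "last": None,
                                 "upstreams": set()})
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip malformed or non-UDP lines instead of failing
        s, ts = stats[m["src"]], float(m["ts"])
        s["packets"] += 1
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
        s["upstreams"].add(m["up"])
    report = {}
    for src, s in stats.items():
        span = s["last"] - s["first"]
        report[src] = {
            "packets": s["packets"],
            "first": s["first"], "last": s["last"],  # timestamps for the report
            "avg_pps": s["packets"] / span if span > 0 else None,
            "upstreams": sorted(s["upstreams"]),
            # Heuristic from post #12: one source seen on several providers.
            "likely_spoofed": len(s["upstreams"]) > 1,
        }
    return report
```

A source that arrives on a single upstream is not thereby proven genuine; the flag only marks the case where the ingress pattern contradicts normal routing.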

  13. #13
    Join Date
    Nov 2005
    Posts
    305
    Coincidence? 8 days of attacks and nothing, thread opened and in less than 24 hours attack stopped.

    At least, this issue was solved.

    Thanks to everyone who participated.
