
Thread: Dos & Dos & Dos

  1. #1

    Dear All,

    Writing here for the first time, hoping kind people here will be able to help me because my data center has failed. Let me explain what is happening to me.

    1. DOS ATTACKS: Yes, I am under DOS attack (I mean my server). I set up my first ded. server last month and soon after I was DOS attacked. Well, I managed to handle that attack (details later) but I was charged $90 for extra bandwidth and had 3 account cancellations. Then 3 weeks lapsed and I was again DOS attacked yesterday. I contacted my "dead." center, which is Dialtone in this case, but like before I am told again that I am on my own. I am told that Dialtone can do nothing against DOS attacks and I should buy some hardware firewall if I really want to block such attacks.

    I want to know:

    a. Is my data center free of any responsibility? Are they not supposed to help customers in blocking or at least tracking the attacker? I am refused ANY help.
    b. Is there any authority to whom I should report a DOS attack? Is there a way to find the attacker(s)?
    I will very much appreciate your opinions.

    2. BANDWIDTH: My total bandwidth is 65GB and I have only 165 sites. One of the sites is eating the bandwidth and I am unable to catch that site. I wrote a script which calculates the size of the log files of each website, and the site having the maximum log size is supposed to be the 'heavy traffic' site. I stopped these sites but no effect. MRTG shows the same graph. I am also using Windows Performance Monitor hooked to my NIC card and it also displays the same activity.

    Is there any way to catch this site? Any hint, clue, tool etc. please? Please help.

    Finally, I would like to tell how I blocked the DOS attack. Maybe this would help other helpless chaps.

    1. Traced the target IP of my NIC. The target IP was my shared IP.
    2. Wrote a script which changed the IPs of all the websites to (All Unassigned).
    3. Downloaded system32\dns folder and globally replaced the targeted IP with a new IP. Uploaded this new folder and restarted DNS.

    This procedure effectively stopped the DOS attack. I have the script used in step 2 if anyone needs it. Also, I can write every type of IIS utility, if someone needs my expertise.


    I would like to thank everyone in advance for valuable opinions.

    Sincerely,
    A miserable young host.
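The renumbering in steps 1 to 3 of the post above is what other admins are most likely to copy, and the risky part is the global replace in step 3: a plain text substitution of 10.0.0.1 also rewrites 10.0.0.10 and 210.0.0.1, and it edits TXT/SPF data and comments that merely mention the address. The script below is an added example written for this page; it is not the poster's script and not anything from Dialtone or Microsoft. It rewrites only A records whose address equals the old one exactly and reports every other line that still mentions the old address. The zone content, the example.com name and the addresses are constructed for the example; it assumes BIND-style text zone files, which is what file-backed zones under system32\dns are.

```python
"""Renumber A records in a BIND-style zone file without clobbering look-alikes.

A global search-and-replace of "10.0.0.1" also rewrites "10.0.0.10" and
"210.0.0.1" and edits TXT/SPF data and comments. This version changes only
A records whose RDATA equals the old address exactly, and lists every other
line that still mentions it so the admin can review those by hand.
"""
import re

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")

# Constructed sample zone (not from the thread); example.com is a placeholder.
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@       IN  SOA ns1.example.com. hostmaster.example.com. ( 2002100501 3600 900 604800 86400 )
@       IN  NS  ns1.example.com.
@       IN  A   10.0.0.1
www     IN  A   10.0.0.1
ftp         A   10.0.0.1
mail    IN  A   10.0.0.10   ; different host, must not change
backup  IN  A   210.0.0.1   ; different host, must not change
ns1     3600 IN A 10.0.0.2
ipv6    IN  AAAA 2001:db8::1
@       IN  TXT "v=spf1 ip4:10.0.0.1 -all"   ; mentions the address, not an A record
"""


def _check_ip(ip):
    """Refuse anything that is not a dotted quad, so a typo cannot poison every zone."""
    if not IPV4.match(ip) or any(int(octet) > 255 for octet in ip.split(".")):
        raise ValueError(f"not an IPv4 address: {ip!r}")


def renumber_zone(zone_text, old_ip, new_ip):
    """Return (new_text, replaced_count, leftover_lines).

    Only lines of the form  [owner] [ttl] [IN] A <old_ip>  are rewritten.
    AAAA, TXT, PTR, SOA and comment text are left untouched and, if they
    still contain old_ip as a whole token, returned in leftover_lines.
    """
    _check_ip(old_ip)
    _check_ip(new_ip)
    # Optional owner, optional TTL, optional class, the type A, then the old
    # address as a whole token: the next char must be whitespace, ';' or EOL,
    # which is what keeps 10.0.0.10 and 210.0.0.1 from matching 10.0.0.1.
    a_record = re.compile(
        r"^(?P<prefix>(?:\S+)?\s*(?:\d+\s+)?(?:IN\s+)?A\s+)"
        + re.escape(old_ip)
        + r"(?=[\s;]|$)",
        re.IGNORECASE,
    )
    # Whole-token occurrence anywhere on the line, used for the leftover report.
    anywhere = re.compile(r"(?<![\d.])" + re.escape(old_ip) + r"(?![\d.])")

    out, replaced, leftovers = [], 0, []
    for line in zone_text.splitlines():
        new_line, n = a_record.subn(lambda m: m.group("prefix") + new_ip, line, count=1)
        replaced += n
        if n == 0 and anywhere.search(line):
            leftovers.append(line)
        out.append(new_line)
    return "\n".join(out) + "\n", replaced, leftovers


if __name__ == "__main__":
    text, count, todo = renumber_zone(SAMPLE_ZONE, "10.0.0.1", "10.0.0.9")
    print(text)
    print(f"rewrote {count} A record(s); {len(todo)} line(s) still mention the old address:")
    for line in todo:
        print("  " + line)
```

Run it over each forward zone file, then bump the SOA serial (the function does not touch it) so any secondaries pick up the change, and handle the reverse zone separately: a PTR record carries the address in the owner name, reversed, not in the RDATA, so this pattern deliberately leaves it alone.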

  2. #2
    You shouldn't have to pay for a DOS attack inbound because that is not your fault, and even if you could filter on the server, through iptables or whatever you use, the data would still have to go through their network to get to your system.

  3. #3
    You are ultimately responsible, but I think the provider should have some way of notifying the upstream.

    I run a colo and we get DOS'ed now and again, and once the NOC is notified we can start blocking at the router or further upstream if need be.

    Suggest you find out all this before the next colo.
    Would you mind sharing the name of the colo, BTW?
    GUI admin tools have no honor. It is a good day to vi.

  4. #4
    Originally posted by PHBPendragon
    You are ultimately responsible, but I think the provider should have some way of notifying the upstream.

    I run a colo and we get DOS'ed now and again, and once the NOC is notified we can start blocking at the router or further upstream if need be.

    Suggest you find out all this before the next colo.
    Would you mind sharing the name of the colo, BTW?
    He said it was Dialtone, twice.


    And if your DC isn't going to help you at all, then you should have to pay for traffic that isn't your fault.

  5. #5
    Originally posted by The Neoracle
    And if your DC isn't going to help you at all, then you should have to pay for traffic that isn't your fault.
    Sorry, missed the DC reference.

    As far as traffic that isn't your fault, how do you define that?
    If my advertising works and I eat up 100GB and make lots of money, then that's OK.
    If I get DOS'ed it's not?

    From a providers viewpoint, bandwidth is bandwidth, content doesn't matter.

    But it really sucks they won't help.
    GUI admin tools have no honor. It is a good day to vi.

  6. #6
    I have been thinking about this a bit lately. I mean, the turnover rate for IPs in this industry is extremely high. I think people like to ignore responsibility for DOS attacks because there is little that can be done to prevent them.

    For example, albeit a minor one. I recently rented a new dedicated box and my provider was hit with an attack a couple of days later. While I wasn't the primary target of the attack, I was still getting hit a bit and an otherwise inactive box (had not yet been configured) used up almost 10GB in under 6 hours.

    Should I be responsible for that? Maybe the last owner of that IP gave it up specifically because it was a target for DOS attacks. Maybe the provider tells me this, maybe they don't. Maybe they aren't even aware of it. The point is that I did nothing to provoke it. I was simply handed an IP in what I assumed was good faith.

    My point is that I think maybe the history of any given IP should be taken into account when determining who is responsible.

    Oh well...
    justin 'at' abrogo.com
    http://www.abrogo.com
    Shared Unix Hosting

  7. #7
    As to this particular case, I think it is the provider's absolute responsibility to handle DOS attacks. There is nothing dedicated box owners can do. As was said before, the traffic is already yours by the time you get a chance to block it.

    A provider's job is to ensure network connectivity and hardware operation (if a dedicated box). Doesn't turning a blind eye to a DOS attack break this contract? Your network connection is no longer good.

    If they think you are trouble and want the DOS attacks to stop, they should simply cancel the account and ask him to go elsewhere. If they want to keep him as a client, then they should hold up their end of the bargain.
    justin 'at' abrogo.com
    http://www.abrogo.com
    Shared Unix Hosting

  8. #8
    Originally posted by cortices
    My point is that I think maybe the history of any given IP should be taken into account when determining who is responsible.

    Oh well...
    I have to agree. I was just SWIPed a class C that was listed on an RBL I use, so my mail servers couldn't talk.

    It was cleared up, but I'd rather renumber than fight RBLs.

    Anyway, I'm thinking about a web interface to submit IPs to be blocked...
    GUI admin tools have no honor. It is a good day to vi.

  9. #9
    You should report the attack to www.nipc.gov although there needs to be a certain dollar amount of damage (which I do not know, check on their site). The NIPC is the computer crime division of the FBI.

  10. #10

    Re: Dos & Dos & Dos

    Originally posted by AlphaAdmin
    Dear All,

    2. BANDWIDTH: My total bandwidth is 65GB and I have only 165 sites. One of the sites is eating the bandwidth and I am unable to catch that site. I wrote a script which calculates the size of the log files of each website, and the site having the maximum log size is supposed to be the 'heavy traffic' site. I stopped these sites but no effect. MRTG shows the same graph. I am also using Windows Performance Monitor hooked to my NIC card and it also displays the same activity.

    Is there any way to catch this site? Any hint, clue, tool etc. please? Please help.

    Alpha, look into Log File Manager at http://www.logfilemanager.com. Also, 165 sites using 65GB of traffic is probably about normal; it averages out to about 400MB of data transfer per site, per month.
    Jay Sudowski // Handy Networks LLC // Co-Founder & CTO
    AS30475 - Level(3), HE, Telia, XO and Cogent. Noction optimized network.
    Offering Dedicated Server and Colocation Hosting from our SSAE 16 SOC 2, Type 2 Certified Data Center.
    Current specials here. Check them out.

  11. #11

    Re: Dos & Dos & Dos

    Originally posted by AlphaAdmin

    2. BANDWIDTH: My total bandwidth is 65GB and I have only 165 sites. One of the sites is eating the bandwidth and I am unable to catch that site. I wrote a script which calculates the size of the log files of each website, and the site having the maximum log size is supposed to be the 'heavy traffic' site. I stopped these sites but no effect.
    The size of the log files is a bad way to determine who's using the most bw. If one site is popular and just has some text, it would have a larger log file from the hits, but the usage wouldn't be as high as a site with a smaller log file and big files being transferred.
    C Code. C code run. Run, code, run...
    Segmentation fault (core dumped).. aww sh!t
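Following the point made in the post above, and the question in the first post: what to sum is the bytes column of each site's log, not the size of the log file. The script below is an added example written for this page, not code from anyone in the thread. It reads IIS W3C Extended log text, uses the #Fields header to locate s-sitename, sc-bytes and cs-bytes, ranks sites by bytes transferred, and also computes the log-size figure the original poster's script used so the two rankings can be compared. The log rows are constructed and the field list is trimmed to what the example needs; real IIS logs carry more columns. IIS only writes the two byte columns if they are enabled in the site's logging properties; when they are off the column holds "-", which the script counts as unlogged rather than as zero.

```python
"""Rank IIS sites by bytes actually transferred, not by log-file size.

Parses IIS W3C Extended log text (the '#Fields:' header names the columns),
sums sc-bytes (sent) and cs-bytes (received) per s-sitename, and compares
that ranking with the log-size ranking the original post relied on.
"""
from collections import defaultdict

# Constructed sample log (not from the thread). W3SVC1 serves many small
# pages, W3SVC2 serves a few large downloads. The #Fields line is trimmed
# to the columns this example needs.
_HEADER = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Version: 1.0",
    "#Date: 2002-10-05 00:00:00",
    "#Fields: date time s-sitename cs-method cs-uri-stem sc-status sc-bytes cs-bytes",
]
_ROWS = [
    f"2002-10-05 00:{i // 60:02d}:{i % 60:02d} W3SVC1 GET /page{i}.html 200 1500 300"
    for i in range(200)
] + [
    "2002-10-05 01:00:00 W3SVC2 GET /video.avi 200 52428800 320",
    "2002-10-05 01:05:00 W3SVC2 GET /setup.exe 200 31457280 318",
    # sc-bytes is logged as '-' when the Bytes Sent field is not enabled
    "2002-10-05 01:07:00 W3SVC2 GET /setup.exe 206 - 318",
]
SAMPLE_LOG = "\n".join(_HEADER + _ROWS) + "\n"


def parse_w3c(lines):
    """Yield one dict per data row, keyed by the names in the #Fields header."""
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()  # may change mid-file
            continue
        if fields is None:
            raise ValueError("data row before any #Fields header")
        values = line.split(" ")  # W3C encodes spaces inside a value as '+'
        if len(values) != len(fields):
            continue              # truncated or corrupt row: skip, do not guess
        yield dict(zip(fields, values))


def bytes_per_site(lines, key="s-sitename"):
    """Return {site: {'hits', 'sc_bytes', 'cs_bytes', 'unknown'}}."""
    totals = defaultdict(lambda: {"hits": 0, "sc_bytes": 0, "cs_bytes": 0, "unknown": 0})
    for row in parse_w3c(lines):
        acc = totals[row.get(key, "-")]
        acc["hits"] += 1
        sent, recv = row.get("sc-bytes", "-"), row.get("cs-bytes", "-")
        if sent.isdigit():
            acc["sc_bytes"] += int(sent)
        else:
            acc["unknown"] += 1  # '-' means the server never logged it
        if recv.isdigit():
            acc["cs_bytes"] += int(recv)
    return dict(totals)


def log_size_per_site(lines, key="s-sitename"):
    """The metric the original post used: bytes of log text per site."""
    sizes = defaultdict(int)
    for row in parse_w3c(lines):
        sizes[row.get(key, "-")] += len(" ".join(row.values())) + 1  # +1 newline
    return dict(sizes)


def rank_by_transfer(totals):
    """Site names sorted by sent+received bytes, heaviest first."""
    return sorted(totals, key=lambda s: totals[s]["sc_bytes"] + totals[s]["cs_bytes"], reverse=True)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    totals = bytes_per_site(lines)
    sizes = log_size_per_site(lines)
    for site in rank_by_transfer(totals):
        t = totals[site]
        print(f"{site}: hits={t['hits']} sent={t['sc_bytes']} recv={t['cs_bytes']} "
              f"unlogged={t['unknown']} log_bytes={sizes[site]}")
```

In practice you would feed it every file under each W3SVC<id> log directory for the billing period and look at the unlogged count before trusting the ranking, since a site whose byte fields were never logged looks idle. Note too that these totals are HTTP only: FTP, mail and the DoS traffic itself never show up in the web logs, which is one reason MRTG and the log totals can disagree even after the busiest sites are stopped.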

  12. #12
    Originally posted by PHBPendragon
    Sorry, missed the DC reference.

    As far as traffic that isn't your fault, how do you define that?
    If my advertising works and I eat up 100GB and make lots of money, then that's OK.
    If I get DOS'ed it's not?

    From a providers viewpoint, bandwidth is bandwidth, content doesn't matter.

    But it really sucks they won't help.

    Sorry, "not his fault" wasn't the right words to use. More like, nothing he can do about it. If you get DOS'd you can't do anything but contact your DC to contact their provider to see if there's some way to block it. And if the DC tells you you're SOL, then they should get to pay for the bandwidth.

  13. #13


    Thanks everyone for precious comments. I have so far been attacked 4 times during the last 3 months. The latest one was 2 days ago and took down the service for 6 hours (I was sleeping, hehe). This time I managed to track the attacker IP and it appears that the attack was from

    OrgName: Polytechnic University
    OrgID: POLYTE-1

    I host a client and he is a student at this university, so apparently the attack targets his website.

    Please guide me on what my course of action should be now. I know the organization and what action we can take against the administration for this. Any help will be appreciated.

    Thank you.

  14. #14
    If you just want to stop it from happening again, find out what department at the university enforces their network usage policies, and then contact the department to let them know of the problem. Make sure you have some proof to offer them and offer to assist them with any investigation.

    You might consider charging your customer for the transfer, if their web site actually went over their limit and you don't offer unlimited transfer. Or maybe you can split the bill with them.

    If you want some legal justice, ask your local legal professional.

    That's my late night $0.02.
    -Mark Adams
    www.bitserve.com - Secure Michigan web hosting for your business.
    Only host still offering a full money back uptime guarantee and prorated refunds.
    Offering advanced server management and security incident response!

  15. #15
    DoS attacks are quite common these days.
    Any data center that is going to charge their users for a DoS is something to be wary about... I wouldn't pay to have my servers colocated in a data center that doesn't even attempt to stop DoS attacks, or attempt to stop them when they occur.

    Sounds like it's more profitable for them to allow the DoS to occur, because they will be sending you the bill.


    A lot of data centers (HE.net comes to mind) don't even charge for incoming bandwidth. Could you just imagine a DC sitting on their ass while being thrown a 500Mbit/s DoS? Maybe my logic is flawed, or perhaps your story is a bit off...

  16. #16
    dialtone would charge you per login to your server if they could find a way to do it

  17. #17
    I agree that you shouldn't be billed for incoming bandwidth. But if your machine is being DOSed, you are responsible for stopping either the attacker or the service to prevent the outgoing transfer from racking up. I would expect help from your data center if you asked for it, to identify and block things upstream. It's odd that they would refuse, but if they do, you'll just have to make the services unavailable if you can't identify and block it yourself.

    If the culprit was just using up enough bandwidth to cost you (or your web hosting customer) money, and did not actually raise the load so high as to cause a DOS, then you shouldn't be responsible for noticing that. And your web hosting customer should be billed for the traffic to their site in accordance with your policies on that.

    IMHO, of course.
    -Mark Adams
    www.bitserve.com - Secure Michigan web hosting for your business.
    Only host still offering a full money back uptime guarantee and prorated refunds.
    Offering advanced server management and security incident response!
