
Hackers - How to stop them?

Hi guys,

Hoping for a bit of advice here :)

Basically, I've got some prat, who thinks it's clever to DDOS our server (cost over £2,000 for the last attack).

We've moved servers now (to GT <G>), but I really wanna stop this guy in his tracks.

He's using the following IP address 155.245.35.208, which doesn't seem to resolve to anyone.

Does anyone have a clue as to how I can look up this IP address, to find out his ISP? I just wanna give them a call... and also see if they can pass on more details, which in turn, we can pass back to the police... and hopefully get them to sort it out from there.

The forum he has been hacking is not illegal, or even adult content based (it's just a community for students). I just think it's payback time for him now... so I'm just looking for options =)

TIA

Andy (mod)
andy@ultranerds.co.uk
Want to give me something back for my help? Please see my Amazon Wish List
GLinks ULTRA Package | GLinks ULTRA Package PRO
Links SQL Plugins | Website Design and SEO | UltraNerds | ULTRAGLobals Plugin | Pre-Made Template Sets | FREE GLinks Plugins!
Re: [Andy] Hackers - How to stop them? In reply to
Andy,
http://www.ripe.net/...amp;do_search=Search shows it registered to the University of Essex... Could be anyone...

</not a clue>
Re: [Dinky] Hackers - How to stop them? In reply to
Yeah, I managed to work that out earlier. I sent an email to their technical contact, and am awaiting a reply. Let's hope they want to take some action .. or it may be something for the police

Oh, and we have a picture of him (stupid idiot uploaded it on our forum, as his avatar <G>) .... so hopefully with a bit of co-operation with Essex Uni, we should have this sorted pretty soon :)

Cheers

Andy (mod)
andy@ultranerds.co.uk
Re: [Andy] Hackers - How to stop them? In reply to
Check out Gibson Research - this guy had a similar problem and has a really good story about it on his website. His name is Steve Gibson and he does the Zone Alarm stuff if I'm not mistaken.
Re: [Andy] Hackers - How to stop them? In reply to
Andy,

Sorry to hear about that - hopefully you can bust the hacker, and recover some or all of your costs (although you may have to litigate). How does the £2,000 break down? Cannot just be bandwidth costs. On my server, £2,000 would equate to over 2,600 Gb bandwidth.

----
Cheers,

Dan
Founder and CEO

LionsGate Creative
GoodPassRobot
Magelln
Re: [Andy] Hackers - How to stop them? In reply to
I would think it is unlikely to be a DDOS attack and more likely a DOS attack.

DDOS is when multiple systems attack a single target.

What did your logs show?

Like Dan, I too would be interested to know the reason for the cost. A DOS tends to just suck up bandwidth.


Last edited by: PimpMyRide: Dec 28, 2004, 6:04 PM
Re: [PimpMyRide] Hackers - How to stop them? In reply to
Hi,

It was a DDOS attack :( Sucked up a LOT of bandwidth (and our old host wasn't so forgiving, and charged full rate for every GB!).

Still trying to filter this prat out now :(

Cheers

Andy (mod)
andy@ultranerds.co.uk
Re: [Andy] Hackers - How to stop them? In reply to
If it was a DDOS attack, how can you pinpoint it to one specific ip?
Re: [PimpMyRide] Hackers - How to stop them? In reply to
That was his signup IP address :) (vBulletin logs this, for security reasons).

I've now added some more things into the vB script itself, so that it logs ALL visitors, and blocks anyone accessing too many pages in a small space of time.

It's a PITA ... but I'd rather show them a 1 liner, than let them waste all our bandwidth on images etc :|

Cheers

Andy (mod)
andy@ultranerds.co.uk
Re: [Andy] Hackers - How to stop them? In reply to
Quote:
That was his signup IP address :)

What I mean though is that how can you associate that IP address with the attack?.....DDOS attacks use many IP addresses, so how can you link them to him?
Re: [PimpMyRide] Hackers - How to stop them? In reply to
Simple... you write a script to go through the logs, and find the more productive IP addresses (i.e. people who request a page more than 50 times every 10 minutes). Then, it's a case of manually going through this list of IPs, doing a check on them... and then seeing which ones look most likely to be the culprit (I've already got several IPs, which requested over 100 pages in 5 mins .... mmm, I wonder <G>).

Cheers

Andy (mod)
andy@ultranerds.co.uk
Re: [Andy] Hackers - How to stop them? In reply to
Quote:
i.e. people who request a page more than 50 times every 10 minutes

That's a page every 12 seconds - probably don't want to do that otherwise you'll be suing all your visitors =)

Quote:
Then, it's a case of manually going through this list of IPs, doing a check on them... and then seeing which ones look most likely to be the culprit

I'm still not sure I follow. I don't see how you are browsing through a list of IPs and linking them to one specific IP at a university?
Re: [PimpMyRide] Hackers - How to stop them? In reply to
Quote:
That's a page every 12 seconds - probably don't want to do that otherwise you'll be suing all your visitors =)

True.. on a normal site ;) But only to the same page? ;) My tracking will work out if they are accessing the same page within a set amount of time (i.e. 50 hits to the front page, within 15 minutes). Also, this site is a forum .... thus the average page viewing time is around 30 seconds, up to 10-15 mins; varying in size

Quote:
I'm still not sure I follow. I don't see how you are browsing through a list of IPs and linking them to one specific IP at a university?

I'm not linking it to one IP address. The one I gave in the above post, was his signup IP address. We've used this to track down to a specific area, and now we are just pinpointing his machine (with tracking methods), as well as blocking people coming through anon servers (hell, why should we even keep a free site open, if people are attacking it, and costing us money?). I can't really give any more details out though, just in case he visits this forum too =)

Cheers

Andy (mod)
andy@ultranerds.co.uk
Quote Reply
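The log scan described in the two posts above (count each IP's requests to the same page inside a time window, then review the outliers by hand), as an added example that is not the poster's script. It assumes Apache common/combined log format and chronological input; the function names, default thresholds and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed input: Apache common/combined log lines (ip, [timestamp], "request").
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+)')

def parse(line):
    """Return (ip, timestamp, path) or None if the line is not a log entry."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    # Drop the query string so varying parameters do not hide repeat hits.
    return m.group(1), ts, m.group(3).split("?", 1)[0]

def heavy_hitters(lines, max_hits=50, window=timedelta(minutes=15)):
    """Map (ip, path) -> peak hits in any window, for pairs above max_hits.
    Lines are expected in chronological order, as in a live access log."""
    recent = defaultdict(deque)  # (ip, path) -> timestamps inside the window
    peaks = {}
    for ip, ts, path in filter(None, map(parse, lines)):
        q = recent[(ip, path)]
        q.append(ts)
        while ts - q[0] > window:  # expire hits older than the window
            q.popleft()
        if len(q) > max_hits:
            peaks[(ip, path)] = max(peaks.get((ip, path), 0), len(q))
    return peaks

def sample_log():
    """Constructed log: one client hammering a page, one ordinary reader."""
    base = datetime(2004, 12, 28, 12, 0, 0)
    def entry(ip, seconds, path):
        t = (base + timedelta(seconds=seconds)).strftime("%d/%b/%Y:%H:%M:%S")
        return f'{ip} - - [{t} +0000] "GET {path} HTTP/1.1" 200 512'
    lines = [entry("192.0.2.10", 5 * i, "/index.php") for i in range(120)]
    lines += [entry("198.51.100.7", 40 * i, f"/showthread.php?t={i}")
              for i in range(20)]
    lines.append("truncated or malformed line")
    return lines

if __name__ == "__main__":
    for (ip, path), peak in heavy_hitters(sample_log()).items():
        print(f"{ip} requested {path} {peak} times within 15 minutes")
```

The output is a shortlist for manual review, not proof of who is behind the traffic: shared proxies and NAT gateways can put many ordinary readers behind one address.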
Re: [Andy] Hackers - How to stop them? In reply to
I think what's confusing the issue for me is the DDOS vs DOS issue.

If it is the same guy just using different IPs then it is still just a DOS attack. DDOS is concurrent attacks - the best example I can give is the Blaster worm targeting the Windows update website. That is thousands of computers all attacking a website at once to bring it down.
Re: [PimpMyRide] Hackers - How to stop them? In reply to
True ... maybe it is a DOS attack then (I just knew it as Denial Of Service, just guessed the DD at the beginning stood for something else =)).

Either way, he is doing a Denial Of Service attack on our server

Cheers

Andy (mod)
andy@ultranerds.co.uk
Re: [Andy] Hackers - How to stop them? In reply to
DOS => Denial of Service

DDOS => Distributed Denial of Service

Last edited by: PimpMyRide: Dec 29, 2004, 7:28 AM
Re: [PimpMyRide] Hackers - How to stop them? In reply to
Ah... cheers. That'll stick in my head for years now <G>

Cheers

Andy (mod)
andy@ultranerds.co.uk
Re: [Andy] Hackers - How to stop them? In reply to
Hi.

Have you explored mod_dosevasive?
Perhaps it could be helpful in curtailing HTTP DOS attacks and prevent that massive bandwidth hog.

[EDIT]
Here is the url to mod_dosevasive:
http://www.nuclearelephant.com/projects/dosevasive/

Could also add to iptables:

DOSSystemCommand "iptables -I INPUT -s %s -j DROP"

or something of this sort. I have never really tried adding to apf but if you do and succeed, do post your experiences.
[/EDIT]

HyTC

Thanks
HyTC
==================================
Mail Me If Contacting Privately Is That Necessary.
==================================

Last edited by: HyperTherm: Jan 6, 2005, 5:34 PM
Re: [Andy] Hackers - How to stop them? In reply to
Hi,

Does anyone know of an online resource, which has a list of IP ranges for known anon-proxy servers in the world? Or am I just dreaming? =)

TIA

Andy (mod)
andy@ultranerds.co.uk
Re: [Andy] Hackers - How to stop them? In reply to
Hi,

You need to subscribe for the full list, but here's one:

http://openproxies.com/

Cheers,

Alex
--
Gossamer Threads Inc.
Re: [Alex] Hackers - How to stop them? In reply to
Thanks. Signing up now :)

Cheers

Andy (mod)
andy@ultranerds.co.uk