So, I think I'm being DDOS'ed...
As some of you know (and those of you that have noticed the other board here on zIWT), I host a MUD on this box called DarkWind. Malraux, Mike (Yendor) and I all run it, and we have a mix of age groups that actually play it.

In the game's past incarnation, dinky little 12 year olds would get mad at the MUD, or the admin, and DDOS the box. The past administrator grew tired of this, and just simply made it go away.

For the past few days now, every 10 mins or so, all connections to the box are severed. And, the box is unavailable for the next 5 minutes. Afterwards, you can log back on, and all is well. Everything's untouched, all looks well.

I have a feeling this is the product of this box being targeted with a DDOS attack. We recently sitebanned a particular kid, and he was none too happy. Obviously, this is all speculative at this point, but that's why I come to you, oh great and powerful Security Gurus[tm]...

What steps can I take to: 1.) Identify that I'm being DDOS'ed. 2.) Identify the attacker (with enough accuracy to notify their ISP) 3.) Deny the attacks?


TIA,
-Jason
----

My pid is Inigo Montoya. You "killed -9" my parent process. Prepare to vi.
stick a linuxbox on the network at that address
use tcpdump -l to monitor the packets and see if it is one site or many that is smacking you. You might even see that you get no traffic during that interval which would point to an upstream problem. If it is one site, you have an ip to chase.
thanx,
bill
tshirt front "born to die before I get old"
tshirt back "fscked another one didnja?"
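Here is what the "one site or many, or nothing at all" sorting looks like once the packets are on disk, as an added example that is not boxley's or anyone else's code from this thread. It reads lines in the format `tcpdump -l -n` prints (the `-n` stops tcpdump doing reverse lookups on every address, which is slow and, if DNS is part of the problem, can stall the capture itself), buckets inbound packets per minute by source address, and labels each minute of the outage window as silent, dominated by one source, or spread over many. This also answers the first of Jason's three questions (is it actually an attack?): a silent minute means the packets never reached the box. The sample lines, the host address 198.51.100.10, the remote addresses and the 75% "single source" threshold are all constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the style of `tcpdump -l -n` output (not a real capture).
# 198.51.100.10 stands in for the MUD host; 203.0.113.x and 192.0.2.x are remote peers.
# These are documentation address ranges, chosen so the sample points at nobody real.
SAMPLE_LINES = """\
12:00:01.000101 IP 203.0.113.5.40001 > 198.51.100.10.4000: Flags [S], seq 1, win 512, length 0
12:00:01.000202 IP 203.0.113.5.40002 > 198.51.100.10.4000: Flags [S], seq 2, win 512, length 0
12:00:01.000303 IP 203.0.113.5.40003 > 198.51.100.10.4000: Flags [S], seq 3, win 512, length 0
12:00:01.000404 IP 203.0.113.5.40004 > 198.51.100.10.4000: Flags [S], seq 4, win 512, length 0
12:00:02.000505 IP 192.0.2.7.51000 > 198.51.100.10.22: Flags [P.], seq 10:60, ack 1, win 1024, length 50
12:00:02.000606 IP 198.51.100.10.22 > 192.0.2.7.51000: Flags [.], ack 60, win 1024, length 0
12:01:05.000707 IP 192.0.2.7.51000 > 198.51.100.10.22: Flags [P.], seq 60:80, ack 1, win 1024, length 20
12:01:06.000808 IP 192.0.2.9.52000 > 198.51.100.10.4000: Flags [P.], seq 1:5, ack 1, win 1024, length 4
12:01:07.000909 IP 192.0.2.11.53000 > 198.51.100.10.80: Flags [S], seq 9, win 64240, length 0
"""

# One tcpdump line: "HH:MM:SS.usec IP src.sport > dst.dport: Flags [..], ..."
LINE_RE = re.compile(
    r"^(?P<hh>\d{2}):(?P<mm>\d{2}):\d{2}\.\d+ IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


def parse_lines(text):
    """Yield (minute, src, dst, dport, is_syn) for every line in tcpdump's IPv4 format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ARP, IPv6 and truncated lines are ignored here
        is_syn = "Flags [S]" in m["rest"]  # bare SYN; "[S.]" is a SYN-ACK and is not counted
        yield f"{m['hh']}:{m['mm']}", m["src"], m["dst"], int(m["dport"]), is_syn


def inbound_by_minute(text, host_ip):
    """Per minute: how many packets each source sent to host_ip, and how many were bare SYNs."""
    buckets = defaultdict(lambda: {"sources": Counter(), "syns": 0})
    for minute, src, dst, _dport, is_syn in parse_lines(text):
        if dst != host_ip:
            continue  # only traffic aimed at the box; our own replies say nothing about a sender
        buckets[minute]["sources"][src] += 1
        if is_syn:
            buckets[minute]["syns"] += 1
    return dict(buckets)


def classify_minute(bucket, dominant_share=0.75):
    """Label one minute: 'silent' (no inbound at all), 'single-source' (one address sent
    at least dominant_share of the packets) or 'many-sources'. The 0.75 threshold is an
    assumption made for this example, not a standard."""
    if bucket is None or not bucket["sources"]:
        return "silent", None
    total = sum(bucket["sources"].values())
    top_src, top_n = bucket["sources"].most_common(1)[0]
    if top_n / total >= dominant_share:
        return "single-source", top_src
    return "many-sources", None


def report(text, host_ip, minutes):
    """Classify each requested minute. A 'silent' minute inside the outage window means the
    packets never reached the box, which points upstream rather than at an attacker."""
    buckets = inbound_by_minute(text, host_ip)
    return {m: classify_minute(buckets.get(m)) for m in minutes}


if __name__ == "__main__":
    # Stand-alone run over the constructed sample. For real use, capture with
    # `tcpdump -l -n -i eth0 > capture.log` and pass the minutes of the outage window.
    for minute, (label, src) in report(SAMPLE_LINES, "198.51.100.10", ["12:00", "12:01", "12:02"]).items():
        print(minute, label, src or "")
```

On the sample, 12:00 comes out as single-source (four bare SYNs from one address), 12:01 as many-sources (ordinary traffic from three peers), and 12:02, which has no lines at all, as silent. Whichever label the real outage minutes get tells you which of the three theories in this thread to chase; a single dominant source is also the evidence you'd hand to that source's ISP.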
Re: stick a linuxbox on the network at that address
Great, thanks boxley!

This box is actually a linux box, so I'll just crank up tcpdump. :)


Thanks again,
-Jason
----

My pid is Inigo Montoya. You "killed -9" my parent process. Prepare to vi.
I stand by my assertion
That these problems are DNS-based. Given that there is someone with motive, I'd say that DNS poisoning is going on.

Hmm.

But that doesn't sit right with being unceremoniously hoofed off II, tho. So it's not DNS. Temporarily broken DNS would make re-connecting difficult, but wouldn't affect existing telnet sessions.

I stand by my assertion of SOMETHING, and I'll let you know when I know what the something is :-)

If there's a DOS attack in progress (and I'm not convinced there is - a horked up router configuration with routers bouncing crappy info to each other via RIP or OSPF could produce effects like this) then the attacker is likely generating spoofed packets along the way. But the periodicity of the outage smells of routers to me.

Peter
Shill For Hire
[link|http://www.kuro5hin.org|There is no K5 Cabal]
Re: I stand by my assertion
Yeah, all connections are literally severed. Yesterday, I was telnetted into the MUD, SSHed into the box, and downloading a file via HTTP, and they all dropped at the same time.

Hrm, routers eh? I'll put a call into the ISP and see if they can check it out.


-Jason
----

My pid is Inigo Montoya. You "killed -9" my parent process. Prepare to vi.
Re: I stand by my assertion
Ah, something to keep in mind:

When the box is unreachable for the next few minutes, just after the connections are dropped, the box still responds to pings.

Figure that one out.


-Jason
----

My pid is Inigo Montoya. You "killed -9" my parent process. Prepare to vi.
Re: I stand by my assertion
Hrm, DNS-based...

Interesting because when it goes down, zIWT gives a "404 File Not Found" error. Doesn't quit responding, but it's as if the name-based virtual hosting just keeled over periodically.
----

My pid is Inigo Montoya. You "killed -9" my parent process. Prepare to vi.
The D in DDOS stands for "Distributed"
Just found it extremely funny that you replied three times with the same subject line. Thought I'd "distribute" your own personal DDOS attack. :D

But if you can ping through the "downtime" window, I'd say DNS is definitely the route to pursue.
---------------------------------
"A stupid despot may constrain his slaves with iron chains; but a true politician binds them even more strongly by the chain of their own ideas;...despair and time eat away the bonds of iron and steel, but they are powerless against the habitual union of ideas, they can only tighten it still more; and on the soft fibres of the brain is founded the unshakable base of the soundest of Empires."

Jacques Servan, 1767
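The thread now has three competing explanations (DNS, a router or stateful device on the path, the daemon or virtual hosting itself) and one hard observation: the box keeps answering pings while every established session drops. Those explanations can be separated by probing each layer on its own, from a second machine, once a minute across an outage. The following is an added example, not code from anyone in this thread: it checks name resolution, a TCP connect to the raw IP address (bypassing DNS entirely, which is what Peter's point about existing telnet sessions amounts to), and an ICMP echo, then records which combination it saw. The hostname mud.example.net and the address 198.51.100.10 are placeholders, the `ping -c 1 -W 2` flags assume Linux iputils, and the verdict labels are this example's own.

```python
import socket
import subprocess
import time


def resolves_to(name):
    """Return the address `name` resolves to, or None if resolution fails."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def tcp_reachable(addr, port, timeout=3.0):
    """True if a TCP handshake to addr:port completes within timeout (no DNS involved)."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def ping_ok(addr):
    """One ICMP echo via the system ping. Assumes Linux iputils flags (-c count, -W seconds);
    BSD/macOS ping takes -W in milliseconds, so adjust there."""
    r = subprocess.run(["ping", "-c", "1", "-W", "2", addr],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0


def probe(name, expected_ip, port):
    """One round of observations, each layer checked independently of the others."""
    resolved = resolves_to(name)
    return {
        "dns_ok": resolved is not None,
        "dns_matches": resolved == expected_ip,
        "tcp_by_ip": tcp_reachable(expected_ip, port),
        "ping_ok": ping_ok(expected_ip),
    }


def diagnose(obs):
    """Map one observation to the layer most likely at fault. This is an interpretation,
    not proof; the point is that the layers are separable and the verdict is recorded."""
    if obs["tcp_by_ip"]:
        # The service answers when addressed by raw IP, so anything wrong is in naming.
        if not obs["dns_ok"]:
            return "dns-resolution-failing"
        if not obs["dns_matches"]:
            return "dns-answer-changed"
        return "healthy"
    if obs["ping_ok"]:
        # Host answers ICMP but TCP to the service does not complete: the daemon itself,
        # a stateful device (NAT/firewall/conntrack) or a filter somewhere in the path.
        return "tcp-blocked-or-service-down"
    return "path-down"  # nothing answers by IP: routing or upstream


def watch(name, expected_ip, port, rounds, interval_seconds, log):
    """Append one (timestamp, verdict, observation) tuple per round to `log` and return it."""
    for _ in range(rounds):
        obs = probe(name, expected_ip, port)
        log.append((time.strftime("%H:%M:%S"), diagnose(obs), obs))
        time.sleep(interval_seconds)
    return log


if __name__ == "__main__":
    # Placeholder hostname and address; run this from a machine outside the affected network
    # so the probe's own path is not the one under suspicion.
    for stamp, verdict, obs in watch("mud.example.net", "198.51.100.10", 4000, 3, 30, []):
        print(stamp, verdict, obs)
```

Read the log across one outage: if the raw-IP connect keeps succeeding while resolution fails, DNS is the culprit; if pings answer but the connect fails, it is the daemon or something stateful between you and it; if nothing by IP answers, it is the path. Run it for a full 15-minute cycle so the 10-minutes-up, 5-minutes-down pattern Jason describes shows in the timestamps.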
The funny thing about it, but...
... is that the IP address doesn't change. Well. AFAIK.

Wade.

"All around me are nothing but fakes
Come with me on the biggest fake of all!"

     So, I think I'm being DDOS'ed... - (jlalexander) - (8)
         stick a linuxbox on the network at that address - (boxley) - (1)
             Re: stick a linuxbox on the network at that address - (jlalexander)
         I stand by my assertion - (pwhysall) - (5)
             Re: I stand by my assertion - (jlalexander)
             Re: I stand by my assertion - (jlalexander)
             Re: I stand by my assertion - (jlalexander) - (2)
                 The D in DDOS stands for "Distributed" - (tseliot)
                 The funny thing about it, but... - (static)
