Re: Any defense against ping flood?

From: leE (leeat_private)
Date: Sat May 05 2001 - 10:27:16 PDT


On Fri, 4 May 2001, Talley, Brooks wrote:

> I'm in a bit of a bind here.  My network is currently experiencing 27mbps
> of incoming ICMP echo-requests, all coming from -- surprise -- China.
> It's been going on since 5am PDT (13 hours, so far).
>
> The funny part is that they are trying to flood the whitehouse.gov web
> site, but they are accidentally targeting whitehouse.org, my somewhat
> weak parody site.  If there's anything worse than an attempted DoS
> attack, it's an attempted DoS attack based on mistaken identity.
>
> I can drop the packets at the router when they enter my network, and
> that's what I'm doing.  Does anyone have advice for actually making it
> stop, though?  I'm expecting that I wouldn't have great luck contacting
> the netblock admins.
>
> The pings are coming from all over the 211.72/16 netblock.  All over it.
>
> Thanks
> Brooks Talley
> FRNK Technology Group
>

When this happens there are a few simple things that you can do to try to
help the situation.  Firstly, try to take something like a tcpdump, which can
identify the source of the attack and the destination.  And probably take
a traceroute to the source of the attack too; this shows at which point it
is entering your, and your upstream provider's, network.

With these two pieces of information you are able to then contact the
connectivity provider who gives the source of the attack the
connectivity. They will normally disconnect or filter the source
addresses.  Secondly, I would try contacting your own upstream provider, who
can block the attack at their borders, as their equipment is more likely
to have the bandwidth to cope with the attack.

If you are lucky your upstream provider might lean on the attacker's
provider to take action too.  The best way to find who the upstream
provider of the attacker is, is to look up the range that the attack is
coming from in RIPE, ARIN, etc.

Hope it helps

   Lee

--
Lee Brotherston - <leeat_private>
http://www.nerds.org.uk
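Lee's first step above, pulling the attack sources and their netblocks out of a capture, as an added Python example that is not part of the original thread: it parses `tcpdump -nn` text output for ICMP echo requests, aggregates by source address and by /16 block, and ranks the blocks so they can be looked up in RIPE/ARIN whois and reported. The capture command, the sample lines and the function names are assumptions, not anything from the thread.

```python
import ipaddress
import re
from collections import Counter

# tcpdump -nn ICMPv4 echo-request line: '<time> IP <src> > <dst>: ICMP echo request, ..., length N'
# Capture assumed as: tcpdump -nn -i eth0 'icmp[icmptype] == icmp-echo' > flood.txt
ECHO_REQ = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+) IP (?P<src>[\d.]+) > "
    r"(?P<dst>[\d.]+): ICMP echo request, .*length (?P<len>\d+)$"
)

def summarize_echo_requests(lines, prefix_len=16):
    """Count echo requests per source and per /prefix_len block; returns a summary dict."""
    by_source, by_prefix = Counter(), Counter()
    packets = total_bytes = ignored = 0
    first = last = None
    for line in lines:
        m = ECHO_REQ.match(line.strip())
        if not m:
            ignored += 1  # echo replies, other protocols, blank lines
            continue
        src = m.group("src")
        # Collapse to the routed block (211.72/16 in the thread is one such block)
        net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        by_source[src] += 1
        by_prefix[str(net)] += 1
        packets += 1
        total_bytes += int(m.group("len"))  # ICMP length as printed by tcpdump
        t = int(m.group("h")) * 3600 + int(m.group("m")) * 60 + float(m.group("s"))
        first = t if first is None else first
        last = t
    return {"packets": packets, "bytes": total_bytes, "ignored": ignored,
            "seconds": 0.0 if first is None else last - first,
            "by_source": by_source, "by_prefix": by_prefix}

def ranked_prefixes(summary, n=5):
    """Top netblocks with their share of echo requests, the list to run through whois."""
    total = summary["packets"] or 1
    return [(p, c, round(100.0 * c / total, 1))
            for p, c in summary["by_prefix"].most_common(n)]

# Constructed sample capture (not real traffic): RFC 5737 test addresses
# plus the 211.72/16 block named in the thread.
SAMPLE = """\
10:27:16.000100 IP 211.72.3.9 > 192.0.2.10: ICMP echo request, id 1, seq 1, length 64
10:27:16.000200 IP 211.72.200.1 > 192.0.2.10: ICMP echo request, id 1, seq 2, length 64
10:27:16.000300 IP 192.0.2.10 > 211.72.3.9: ICMP echo reply, id 1, seq 1, length 64
10:27:16.000400 IP 211.72.3.9 > 192.0.2.10: ICMP echo request, id 1, seq 3, length 1400
10:27:17.000100 IP 198.51.100.7 > 192.0.2.10: ICMP echo request, id 9, seq 1, length 64
""".splitlines()
```

Run `ranked_prefixes(summarize_echo_requests(open("flood.txt")))` against a real capture; the `bytes` and `seconds` fields give a rough ingress rate to quote to the upstream provider.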
    



    This archive was generated by hypermail 2b30 : Sat May 05 2001 - 18:42:32 PDT