Dealing with DoS attacks


Myatu
07-10-2009, 01:58
I would just send the excerpts, yes (they probably get hundreds of e-mails each day). And make sure you let them know it's an excerpt and that the full logs are available upon request.

Razakel
07-10-2009, 00:07
The log file is 29MB. Should I just send excerpts?

Myatu
06-10-2009, 23:24
Quick and easy way:

Code:
iptables -A INPUT -i eth0 -s 71.57.55.14 -j DROP
Don't do a "REJECT" because that means you'll be sending data back to him (and in turn, this would increase your bandwidth consumption unnecessarily). 500 concurrent connections isn't much, but still...

Next, you contact abuse@comcast.net along with the server logs...

Code:
root@ashanti:~# whois 71.57.55.14
Comcast Cable Communications Holdings, Inc CCCH-3-34 (NET-71-56-0-0-1)
                                  71.56.0.0 - 71.63.255.255
Comcast Cable Communications Holdings, Inc ILLINOIS-18 (NET-71-57-0-0-1)
                                  71.57.0.0 - 71.57.127.255

# ARIN WHOIS database, last updated 2009-10-05 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.
root@ashanti:~# whois NET-71-57-0-0-1

CustName:   Comcast Cable Communications Holdings, Inc
Address:    1800 Bishops Gate Blvd
City:       Mt Laurel
StateProv:  NJ
PostalCode: 08054
Country:    US
RegDate:    2006-04-20
Updated:    2006-04-20

NetRange:   71.57.0.0 - 71.57.127.255
CIDR:       71.57.0.0/17
NetName:    ILLINOIS-18
NetHandle:  NET-71-57-0-0-1
Parent:     NET-71-56-0-0-1
NetType:    Reassigned
Comment:
RegDate:    2006-04-20
Updated:    2006-04-20

OrgAbuseHandle: NAPO-ARIN
OrgAbuseName:   Network Abuse and Policy Observance
OrgAbusePhone:  +1-856-317-7272
OrgAbuseEmail:  abuse@comcast.net

OrgTechHandle: IC161-ARIN
OrgTechName:   Comcast Cable Communications Inc
OrgTechPhone:  +1-856-317-7200
OrgTechEmail:  CNIPEO-Ip-registration@cable.comcast.com

# ARIN WHOIS database, last updated 2009-10-05 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.
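Added example (not code from the thread or from OVH): a small script that ties together the two suggestions above, the per-IP DROP rule and the log excerpt for the abuse report. It parses Apache combined-format lines like the one posted, counts 414 responses per source IP, emits the iptables rule in the form Myatu gave (as text to review, not executed), and cuts a bounded excerpt of that IP's lines so a 29MB log does not have to be mailed whole. The log lines are constructed sample data; 71.57.55.14 is the address from the thread, the other addresses are documentation ranges.

```python
import re
from collections import Counter

# Apache combined log format; the attack line in the thread carries a garbage
# request string and a 414 (Request-URI Too Long) status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log, not the poster's real 29MB file.
SAMPLE_LOG = """\
71.57.55.14 - - [06/Oct/2009:23:41:55 +0200] "Hi gaizHi gaizHi gaizHi gaiz" 414 250 "-" "-"
203.0.113.7 - - [06/Oct/2009:23:41:56 +0200] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
71.57.55.14 - - [06/Oct/2009:23:41:56 +0200] "Hi gaizHi gaizHi gaizHi gaiz" 414 250 "-" "-"
71.57.55.14 - - [06/Oct/2009:23:41:57 +0200] "Hi gaizHi gaizHi gaizHi gaiz" 414 250 "-" "-"
198.51.100.9 - - [06/Oct/2009:23:41:58 +0200] "GET /about HTTP/1.1" 200 2048 "-" "curl/7.19"
"""

def parse(lines):
    """Yield one dict per line that matches the combined format; skip the rest."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def suspicious_ips(log_text, threshold=3):
    """Return {ip: count} for source IPs whose 414 count reaches the threshold."""
    hits = Counter(e["ip"] for e in parse(log_text.splitlines()) if e["status"] == "414")
    return {ip: n for ip, n in hits.items() if n >= threshold}

def drop_rules(ips, iface="eth0"):
    """Build DROP rules as strings in the form used in the thread, for review before running."""
    return [f"iptables -A INPUT -i {iface} -s {ip} -j DROP" for ip in sorted(ips)]

def abuse_excerpt(log_text, ip, limit=20):
    """First `limit` raw lines from `ip` plus how many were left out, for the abuse mail."""
    lines = [l for l in log_text.splitlines() if l.startswith(ip + " ")]
    return lines[:limit], max(0, len(lines) - limit)

if __name__ == "__main__":
    bad = suspicious_ips(SAMPLE_LOG)
    for rule in drop_rules(bad):
        print(rule)
    excerpt, omitted = abuse_excerpt(SAMPLE_LOG, "71.57.55.14", limit=2)
    print("\n".join(excerpt))
    print(f"({omitted} more line(s) available on request)")
```

Pipe the real access log in place of SAMPLE_LOG and raise the threshold to match the traffic level; the count of omitted lines is what to mention in the mail so the abuse desk knows the full log exists.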

Razakel
06-10-2009, 22:45
What exactly is the best thing to do?

I banned a user from my website, so, reasonably, he responds by trying to DoS it. He managed about 500 concurrent connections.

From Apache log:

Code:
71.57.55.14 - - [06/Oct/2009:23:41:55 +0200] "Hi gaizHi gaizHi gaizHi gaizHi gaizHi gaizHi gaizHi gaizHi gaizHi gaizHi gaizHi" 414 250 "-" "-"

I've added a drop rule for that IP to iptables, what else should I be doing?