|
thepj
Newbie
Offline
Activity: 56
Merit: 0
|
|
May 17, 2013, 06:10:24 AM |
|
Jesus, people apparently do not know how to read on this forum. The point of Khaos and serraz's script is to notify the netblock owner, and their associated Abuse/NOC team, of malicious and abusive traffic.
Most respectable and legitimate data centers (actual data centers, not some kid renting dedis and pretending to BE a datacenter) have dedicated Abuse teams (I created one and ran it for quite some time) to handle these kinds of complaints. As long as the script is directing the abuse complaints to the IP block owner's abuse contact (they must have one registered with RIPE, ARIN, APNIC, etc.), these zombie nodes will decrease. That doesn't mean that they can't get more; it just means they are getting reported and, hopefully, action taken.
Learn to read, and don't pretend like you know everything, yacoin.
|
|
|
|
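The post above describes what such a script has to do: find the abuse contact the netblock owner registered with their RIR (RIPE, ARIN, APNIC, ...) and send the complaint there, with evidence. The following is an added example written for this page; it is not the script Khaos and serraz posted. It parses the `abuse-mailbox:` / `OrgAbuseEmail:` fields out of a whois record, refuses to mail a guess when no abuse contact is registered, and drafts a report with a UTC time window and the raw log lines. The whois responses, log lines, addresses (documentation ranges) and the reporter mailbox are all constructed; `whois_lookup()` is the only part that needs the network and is not used by the offline demo.

```python
"""Find the netblock's registered abuse contact and draft the report.

Added example; not the script discussed in the thread. The whois responses
and log lines below are constructed samples (RIPE and ARIN layout, documentation
address ranges). Only abuse_contacts(), build_report() and draft_for() are used
offline; whois_lookup() shells out to the `whois` client and needs network access.
"""
from __future__ import annotations

import re
import subprocess
from datetime import datetime, timezone
from email.message import EmailMessage

# Fields the RIRs use to publish an abuse mailbox. RIPE, APNIC, AFRINIC and
# LACNIC use "abuse-mailbox:"; ARIN uses "OrgAbuseEmail:" and, for reassigned
# blocks, "RAbuseEmail:". A plain "e-mail:" line is a person/role contact, not
# the abuse desk, so it is deliberately not in this list.
ABUSE_FIELDS = ("abuse-mailbox", "OrgAbuseEmail", "RAbuseEmail")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def abuse_contacts(whois_text: str) -> list[str]:
    """Abuse addresses from a whois response, in order of appearance, de-duplicated.

    Falls back to an abuse@ address mentioned in remarks when the object has no
    dedicated abuse field. Returns [] when nothing usable is registered; the
    caller should then skip the report rather than mail a guess.
    """
    found: list[str] = []
    for line in whois_text.splitlines():
        if line.startswith(("%", "#")) or ":" not in line:
            continue  # banner / comment line
        field, _, value = line.partition(":")
        if field.strip() in ABUSE_FIELDS:
            found.extend(EMAIL_RE.findall(value))
    if not found:
        found = [m for m in EMAIL_RE.findall(whois_text) if m.lower().startswith("abuse@")]
    unique: list[str] = []
    for addr in found:
        if addr.lower() not in (u.lower() for u in unique):
            unique.append(addr)
    return unique


def whois_lookup(ip: str) -> str:
    """Raw RIR record via the system `whois` client (network access required)."""
    return subprocess.run(["whois", ip], capture_output=True, text=True, timeout=20).stdout


def build_report(src_ip: str, contact: str, reporter: str,
                 events: list[tuple[datetime, str]]) -> EmailMessage:
    """Plain-text abuse report with a UTC time window and the raw evidence.

    Abuse desks act on reports that give exact timestamps (with timezone), the
    target and the original log lines; "your IP attacked us" alone is noise.
    """
    if not events:
        raise ValueError("no evidence; refusing to draft a report")
    times = sorted(t.astimezone(timezone.utc) for t, _ in events)
    msg = EmailMessage()
    msg["From"] = reporter
    msg["To"] = contact
    msg["Subject"] = (f"Abuse report: DDoS traffic from {src_ip} "
                      f"({times[0]:%Y-%m-%d %H:%M}Z to {times[-1]:%Y-%m-%d %H:%M}Z)")
    body = [
        "Hello,",
        "",
        f"Between {times[0]:%Y-%m-%d %H:%M:%S} UTC and {times[-1]:%Y-%m-%d %H:%M:%S} UTC "
        f"the host {src_ip} in your network sent DDoS traffic to our server.",
        "The host is probably compromised (part of a botnet). Raw log lines:",
        "",
        *(f"  {t.astimezone(timezone.utc):%Y-%m-%dT%H:%M:%SZ}  {raw}" for t, raw in events),
        "",
        "Please investigate and let us know. This report is automated; replies are read.",
    ]
    msg.set_content("\n".join(body))
    return msg


def draft_for(whois_text: str, src_ip: str, events: list[tuple[datetime, str]],
              reporter: str = "abuse-reports@pool.example") -> EmailMessage | None:
    """Pick the first registered abuse contact and draft; None when there is none."""
    contacts = abuse_contacts(whois_text)
    return build_report(src_ip, contacts[0], reporter, events) if contacts else None


# --- constructed samples ---------------------------------------------------
RIPE_SAMPLE = """\
% This is the RIPE Database query service.
inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-NET
abuse-c:        AR1234-RIPE
role:           Example Abuse Role
abuse-mailbox:  abuse@example.net
e-mail:         noc@example.net
"""
ARIN_SAMPLE = """\
NetRange:       198.51.100.0 - 198.51.100.255
OrgAbuseHandle: ABUSE99-ARIN
OrgAbuseEmail:  abuse@example-hosting.com
OrgTechEmail:   tech@example-hosting.com
"""
REMARKS_ONLY_SAMPLE = """\
inetnum:        192.0.2.0 - 192.0.2.255
remarks:        report abuse to abuse@example.org
e-mail:         admin@example.org
"""
SAMPLE_EVENTS = [  # constructed firewall log lines; "DDOS-CONN" is a made-up rule name
    (datetime(2013, 5, 17, 3, 12, 4, tzinfo=timezone.utc),
     "kernel: DDOS-CONN IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=3333 ACK PSH"),
    (datetime(2013, 5, 17, 3, 12, 5, tzinfo=timezone.utc),
     "kernel: DDOS-CONN IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP SPT=51240 DPT=3333 ACK PSH"),
]

if __name__ == "__main__":
    print(draft_for(RIPE_SAMPLE, "203.0.113.45", SAMPLE_EVENTS))
```

The empty-result path matters: a record with only `e-mail:` or `OrgTechEmail:` lines returns no contact, and the script should drop the report rather than send it to a technical or personal mailbox that is not the abuse desk.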
Balthazar
Legendary
Offline
Activity: 3108
Merit: 1359
|
|
May 17, 2013, 06:56:46 AM |
|
I often use autogenerated report emails. Sometimes this can even destroy the botnet, but usually it just makes it weaker.
|
|
|
|
serraz (OP)
|
|
May 17, 2013, 07:27:17 AM |
|
> I often use autogenerated report emails. Sometimes this can even destroy the botnet, but usually it just makes it weaker.
100% what I was saying, thanks balth.
|
|
|
|
Lethos
|
|
May 17, 2013, 07:51:01 AM |
|
This is definitely a good plan going forward: if enough people use scripts such as yours, it would reduce the overall number of compromised networks in the long run, which these DDoS attackers make use of. Not necessarily a cure, but it would certainly make them weak enough to be easier to deal with.
I don't run a pool, but I do run a few servers, so I'll probably rewrite this to make it work alongside one of my other scripts, which usually just blocks these IP addresses in the first-layer firewall.
|
|
|
|
serraz (OP)
|
|
May 17, 2013, 09:29:36 AM |
|
> This is definitely a good plan going forward: if enough people use scripts such as yours, it would reduce the overall number of compromised networks in the long run, which these DDoS attackers make use of. Not necessarily a cure, but it would certainly make them weak enough to be easier to deal with.
> I don't run a pool, but I do run a few servers, so I'll probably rewrite this to make it work alongside one of my other scripts, which usually just blocks these IP addresses in the first-layer firewall.
Great, please post your script here as well to share with everyone.
|
|
|
|
altsay
|
|
May 17, 2013, 09:38:55 AM |
|
As long as the attackers' bandwidth exceeds the server's, it would most probably go down.
|
|
|
|
add1ct3dd
|
|
May 17, 2013, 02:18:25 PM |
|
> As long as the attackers' bandwidth exceeds the server's, it would most probably go down.
You clearly don't know much about DDoS in general to make such a misinformed suggestion.
|
|
|
|
Lethos
|
|
May 17, 2013, 04:04:52 PM |
|
> > This is definitely a good plan going forward: if enough people use scripts such as yours, it would reduce the overall number of compromised networks in the long run, which these DDoS attackers make use of. Not necessarily a cure, but it would certainly make them weak enough to be easier to deal with.
> > I don't run a pool, but I do run a few servers, so I'll probably rewrite this to make it work alongside one of my other scripts, which usually just blocks these IP addresses in the first-layer firewall.
> Great, please post your script here as well to share with everyone.
I will do. I plan to rewrite one of my pfSense packages. It might take a little while, but I can't rush it; it is a live production server.
|
|
|
|
XRcode
|
|
May 17, 2013, 04:29:54 PM |
|
You do realize 99% of DDoS attacks are spoofed, right? And the ones that aren't are usually reflection attacks, i.e., DNS amplification attacks. Sending emails like that is just spamming a ton of innocent people most of the time.
|
|
|
|
kha0S
|
|
May 17, 2013, 04:38:40 PM |
|
Spamming innocent people? We reported a problem to the network/system admin of the affected server. From all the emails sent, the common thing I see among all the answers is: "Thank you for informing us about the problem". And in the end, at least we try to do something. I would like to see your suggestions then...
> You do realize 99% of DDoS attacks are spoofed, right? And the ones that aren't are usually reflection attacks, i.e., DNS amplification attacks. Sending emails like that is just spamming a ton of innocent people most of the time.
|
|
|
|
|
XRcode
|
|
May 17, 2013, 04:54:24 PM |
|
> Spamming innocent people? We reported a problem to the network/system admin of the affected server. From all the emails sent, the common thing I see among all the answers is: "Thank you for informing us about the problem". And in the end, at least we try to do something. I would like to see your suggestions then...
> > You do realize 99% of DDoS attacks are spoofed, right? And the ones that aren't are usually reflection attacks, i.e., DNS amplification attacks. Sending emails like that is just spamming a ton of innocent people most of the time.
And how many emails go to admins of public DNS servers that they can't or won't reconfigure to not be open recursive? I get a shitload of emails every day complaining about "my IPs attacking" when in reality I deal with multi-gigabit DNS amplification attacks at my end. I don't think emailing the world helps; DDoS needs to be mitigated, not complained about.
|
|
|
|
Vladimir
|
|
May 17, 2013, 04:57:37 PM |
|
Deafboy, do you honestly think that only mining pools get DDoS attacks?
XRcode, spamming? When I was taking care of information security for an ISP, I very much appreciated reports from third parties about any possible problems on my networks, whether they were manual or automatically generated. That was, of course, about a decade ago, but I do not think much has changed since then. I'd say most modern-day sysadmins will appreciate such reports, and in fact the emails used for this according to the relevant RFCs are specifically intended for such purposes.
|
|
|
|
XRcode
|
|
May 17, 2013, 05:02:05 PM |
|
I consider it SPAM, and I offer DDoS protection services. The reason for this: if you log a DDoS attack, you get 99% false positives. The emails won't do any significant damage to the threat, and are just an annoyance for most people. As a person who offers DDoS protection services and deals with a ton of these false positives every day, I know a thing or two about this.
|
|
|
|
CryptoMer
Newbie
Offline
Activity: 29
Merit: 0
|
|
May 17, 2013, 05:49:29 PM |
|
> I consider it SPAM, and I offer DDoS protection services. ... As a person who offers DDoS protection services and deals with a ton of these false positives every day, I know a thing or two about this.
As a person who offers DDoS protection services, you have a vested interest in not seeing actions like this have much effect. It's called a conflict of interest. People need to understand the value of receiving third-party email regarding problems on their network. I've been an admin for years, and some of the most effective tools for identifying servers that have been, to some degree, compromised are third-party notifications. /Salute to KhaOS and Serraz for trying to do something positive, and then spreading it to the community.
|
|
|
|
ekylypse
Newbie
Offline
Activity: 42
Merit: 0
|
|
May 17, 2013, 05:57:50 PM |
|
Are there addresses that we could donate to, per chance? Maybe put it in the OP?
|
|
|
|
XRcode
|
|
May 17, 2013, 07:42:52 PM |
|
> > I consider it SPAM, and I offer DDoS protection services. ... As a person who offers DDoS protection services and deals with a ton of these false positives every day, I know a thing or two about this.
> As a person who offers DDoS protection services, you have a vested interest in not seeing actions like this have much effect. It's called a conflict of interest. People need to understand the value of receiving third-party email regarding problems on their network. I've been an admin for years, and some of the most effective tools for identifying servers that have been, to some degree, compromised are third-party notifications. /Salute to KhaOS and Serraz for trying to do something positive, and then spreading it to the community.
You are missing the point: you are sending emails to a source that has either sent nothing at all or is an open recursive DNS server MOST of the time.
|
|
|
|
kha0S
|
|
May 17, 2013, 09:13:21 PM |
|
Was that your educated guess? Sorry to tell you, but you are wrong! Of all the emails sent, in only 2 cases did they really need to have it open. But even so, they were conscious of the problem and they even tightened the number of queries per minute they allow. All the remaining cases simply didn't know about the problem and were looking for malware/viruses on their servers. US-CERT has some nice info about this and how to fix it:
http://www.us-cert.gov/ncas/alerts/TA13-088A
Cheers, khaos
> > > I consider it SPAM, and I offer DDoS protection services. ... As a person who offers DDoS protection services and deals with a ton of these false positives every day, I know a thing or two about this.
> > As a person who offers DDoS protection services, you have a vested interest in not seeing actions like this have much effect. It's called a conflict of interest. People need to understand the value of receiving third-party email regarding problems on their network. I've been an admin for years, and some of the most effective tools for identifying servers that have been, to some degree, compromised are third-party notifications. /Salute to KhaOS and Serraz for trying to do something positive, and then spreading it to the community.
> You are missing the point: you are sending emails to a source that has either sent nothing at all or is an open recursive DNS server MOST of the time.
|
|
|
|
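Two technical points are argued across the posts above: XRcode's objection that most flood sources are spoofed or are open resolvers used as reflectors (so a report can land on an innocent netblock), and kha0S's reply that the resolver owners mostly did not know and fixed it once told, with US-CERT TA13-088A as the reference for closing an open recursive resolver. An abuse-reporting script can take both seriously by deciding, per source address, whether the address is verifiable and what kind of report it deserves. The following is an added example written for this page, not the thread's script: it classifies constructed flow records (NetFlow-style, as the victim would see them) into reflectors (report, but as "restrict your resolver"), direct participants proven by a completed TCP handshake (report as a compromised host), and unverifiable SYN-only or random-port UDP floods (do not report). The reflector port list goes beyond DNS to other commonly abused UDP services as a generalization; the thresholds, addresses (documentation ranges) and the stratum port 3333 are assumptions.

```python
"""Decide which DDoS sources are worth an abuse report before mailing anyone.

Added example, not the thread's script. Sources of a SYN-only flood may be
spoofed (a report would blame an innocent netblock) and UDP floods arriving
*from* port 53 are usually open resolvers being used as reflectors, whose
owners need a "restrict your resolver" note (the fix US-CERT TA13-088A
describes) rather than a "your host is infected" note. Flow records,
thresholds and addresses are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One aggregated flow as seen by the victim (NetFlow/sFlow-style)."""
    src: str
    sport: int
    proto: str        # "tcp" or "udp"
    dport: int
    packets: int
    nbytes: int
    flags: str = ""   # TCP flags sent by src over the flow, e.g. "S", "A", "PA"


@dataclass(frozen=True)
class Verdict:
    kind: str         # "reflection", "direct", "spoofable" or "benign"
    report: bool      # True: mail the netblock's abuse contact
    reason: str


# UDP services commonly abused as amplifiers. TA13-088A is about DNS; the
# others follow the same pattern and are included as a generalization.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP", 19: "chargen"}
MIN_AMPLIFIED_AVG_BYTES = 512   # amplified answers are large; a query is not (assumed threshold)
FLOOD_PACKETS = 1000            # below this a source is noise, not an attacker (assumed threshold)


def classify(flows: list[Flow]) -> dict[str, Verdict]:
    """Group flows by source address and return a verdict per source."""
    by_src: dict[str, list[Flow]] = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)

    verdicts: dict[str, Verdict] = {}
    for src, fl in by_src.items():
        pkts = sum(f.packets for f in fl)
        avg = sum(f.nbytes for f in fl) / pkts if pkts else 0
        tcp = [f for f in fl if f.proto == "tcp"]
        refl = [f for f in fl if f.proto == "udp" and f.sport in REFLECTOR_PORTS]
        refl_pkts = sum(f.packets for f in refl)

        if pkts < FLOOD_PACKETS:
            verdicts[src] = Verdict("benign", False, "volume below flood threshold")
        elif refl_pkts >= 0.8 * pkts and avg >= MIN_AMPLIFIED_AVG_BYTES:
            # Large packets *from* a service port are answers to queries someone
            # sent with our address forged: the source is an open reflector.
            svc = REFLECTOR_PORTS[refl[0].sport]
            verdicts[src] = Verdict("reflection", True,
                                    f"open {svc} reflector; ask the owner to restrict it")
        elif any("A" in f.flags for f in tcp):
            # An ACK from src proves it received our SYN-ACK, so the address is
            # genuine and the host really took part in the attack.
            verdicts[src] = Verdict("direct", True, "completed TCP handshake; host took part")
        else:
            # SYN-only or plain UDP from random ports: nothing proves the source
            # address is real, so a report may blame an innocent party.
            verdicts[src] = Verdict("spoofable", False, "no handshake; source unverifiable")
    return verdicts


def reportable(verdicts: dict[str, Verdict]) -> list[str]:
    """Sources whose netblock owner should get a report, sorted."""
    return sorted(src for src, v in verdicts.items() if v.report)


# --- constructed flow records for one attack window ------------------------
SAMPLE_FLOWS = [
    Flow("198.51.100.7", 53, "udp", 41230, 20000, 30_000_000),          # amplified DNS answers
    Flow("203.0.113.88", 51234, "tcp", 3333, 100, 6_000, "S"),          # handshake ...
    Flow("203.0.113.88", 51234, "tcp", 3333, 20000, 2_000_000, "PA"),   # ... then junk stratum traffic
    Flow("192.0.2.200", 44000, "tcp", 3333, 80000, 4_800_000, "S"),     # SYN flood, never ACKs
    Flow("192.0.2.201", 40000, "udp", 80, 30000, 36_000_000),           # UDP flood from a random port
    Flow("198.51.100.9", 50000, "tcp", 3333, 3, 180, "S"),              # a few retries: noise
]

if __name__ == "__main__":
    for src, v in classify(SAMPLE_FLOWS).items():
        print(f"{src:15} {v.kind:10} report={v.report!s:5} {v.reason}")
```

The handshake test is the crux: source addresses in a SYN flood or a UDP flood cost the attacker nothing to forge, but an ACK can only come from a host that actually received the SYN-ACK, so only those sources (and the reflectors, whose problem is real even though they are not the attacker) end up in the mail queue.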
kha0S
|
|
May 17, 2013, 09:52:12 PM |
|
I had to post this! Just received this email from NOC4 Abuse Support:
"Hi! You should not see any more of this traffic from our net now! Both the offending resolvers have had ACLs placed on them now! ... and we have a ~30 Mbit drop in our outbound traffic!"
I have dozens of emails like this... And people still think this is annoying?!?!?!? Annoying is staying awake 20 or 30 hours trying to deflect an attack just because a stupid kid with a botnet decides your site/network is the next target. Annoying is paying 500 USD/month to some company that will try to "protect" your network, but only if the attack is below 1 Gbps.
Cheers! A nice weekend to everyone! ../khaos
|
|
|
|
|