Try contacting your ISP and explaining the situation. Most ISPs have
experience by this time in dealing with DDoS at their perimeter. You can
also use them to find out who is up-stream from them and then contact those
ISPs as well.
About the only thing you can do for a DDoS is to work with your ISP to
control things on his net. They should be more than happy to work with you
as this affects their performance and resources including their SLAs.
I'm not sure what abuse@isp.com is going to do for you. 10 will get you 20
someone is using a botnet against you.
Now the question is: Who did you piss off?
-B-
-----Original Message-----
From: Nigel Kukard [mailto:nkukard@lbsd.net]
Sent: Tuesday, January 04, 2005 2:41 PM
To: incidents@securityfocus.com
Subject: DoS attack... what to do?
Hi Guys,
Here is the situation...
I have a dedicated server at ISP X, about 1 week after I signed up for
the service I received a DoS attack against my DNS service... the attack
came from over 10,000 IP addresses and tried to resolve the following
domain names...
leet.nexhost.org
ns1.nexhost.org
ns2.nexhost.org
floop.m33pm33p.info
irc.k1hosting.net
b0tn3t.elite-coders.org
I thought i would be clever and changed root.cache on my named service
to resolve all dns queries to 127.0.0.1, this seems to of worked for
about 1hr. Next I get even more attacks on port 5556 which I don't even
use and basically by default drop everything to that port.
I have sent off abuse reports for over 10,000 IP's, grouping them by ISP
and sending 1 email per ISP.....
What to do? I've got a constant 200Kbps of traffic, and its kinda
bugging me...
Any help would greatly be appreciated. (btw, netsky.V uses port 5556)
Regards
Nigel Kukard
