Networking Security Technology

You're Being DDOSed — What Do You Do? Name and Shame? 336

badger.foo writes "When you're hit with a DDOS, what do you do? In his most recent column, Peter Hansteen narrates a recent incident that involved a DNS based DDOS against his infrastructure and that of some old friends of his. He ends up asking: should we actively publish or 'name and shame' DDOS participants (or at least their IP addresses)? How about scans that may or may not be preparations for DDOSes to come?"
  • by Anonymous Coward on Tuesday December 25, 2012 @06:37PM (#42390509)

    DDoS the DDoSers, that'll show em!

  • by Trepidity ( 597 ) <delirium-slashdot@@@hackish...org> on Tuesday December 25, 2012 @06:43PM (#42390545)

    The vast majority of DDoS participants are infected computers in botnets, and their owners are typically unaware. Will they even notice your naming sufficiently to be ashamed? Maybe if it's a corporation it'd have some effect: publishing that you were hit by a DDoS that included X computers from BigCorp might make BigCorp look bad. But not so much if the botnet is a bunch of random home PCs.

    • by rtb61 ( 674572 )

      Do your government's legwork for them. Gather evidence and file a complaint with 'ALL' the appropriate regulatory authorities. Sure some will lead overseas to 'somewhat dead ends' but enough complaints with evidence would result in powerful diplomatic pressure to pursue criminal investigation and prosecution. Unless appropriate authorities get a proper measure of the activity they cannot respond appropriately. Appropriately here means neither going bat shit insane with sting operations and massive stupid p

      • The thing with ddos is it often spawns from a botnet, aka "I'm sorry officer, I didn't know my computer was attacking sony's website, how can I get rid of this malware on here again?"

        The anon attacks were an exception and as a result led to the arrests of some individuals that weren't at the head of the attack.
        • by rtb61 ( 674572 )

          Of course repeat excuses would certainly wear a bit thin and likely leave you wearing a fine. Keep in mind the fine would be no different to a traffic offence for speeding, so a bit of a reminder to keep your computer secure. So 'erm' mass protests would still slide by, single offence per annum but repeat offenders would still get a call.

          • Historically, the feds have gone after the operators of the botnet to stop its operation. In the case of anon, the DDOS was tied to a website movement, which was tracked by feds linking the attack to the users, even then some have argued they didn't intentionally install the ddos tool on their computers and wouldn't have known what it was for. When somebody starts going through the list of IPs and starts looking for similarities, they can usually tell if it's a botnet or not by the randomness of the IP
    • Re: (Score:3, Informative)

      by TheEffigy ( 2666397 )
      How about the service provider connecting those home computers to the net?
      • by tnk1 ( 899206 ) on Tuesday December 25, 2012 @07:19PM (#42390745)

        Not sure we want to encourage providers to start nosing around in their customers' traffic more than they already do.... Just saying.

        • I'm not sure about that - seems like they already comb through for any information that might help their bottom line, noting at least trivially abnormal behavior such as DDOS participation or email spamming while they're at it and at least notifying the account holder that their system(s) may be compromised would seem to be basic responsible citizenship. Instead it seems to be treated as just more traffic to bring you closer to your data cap and those sweet, sweet overage charges.

        • by MBCook ( 132727 )
          I understand we don't want them watching what we're buying on Amazon, but isn't part of their responsibility as a network operator to ensure that their network isn't actively harming others?
    • by Threni ( 635302 )

      Reminds me of a mate who runs a few sites - every few days he gets amusing emails from irate idiots who've received spam from spammers who've randomly selected his site's email addresses as `reply-to` addresses, threatening to report him to the `internet police` or name and shame him etc. He used to reply to them, but now he's got a bunch of rules to just delete them, amusing as they are.

      So yeah, `naming and shaming` the ISP responsible for temporarily allocating a dynamic IP address to some granny who's u

      • Is it? We're not talking about site operators being spoofed, we're talking about the service providers that are actually connecting the zombified PCs to the 'net. The ISP knows exactly which account is using which IP address at any given moment, and could at least notify Granny that her computer/network may be compromised and she should run whatever the good free scanning suite du-jour is. Similarly if they note that some private account is suddenly acting as a server sending hundreds or thousands of ema

    • "The vast majority of DDoS participants are infected computers in botnets, and their owners are typically unaware."

      This.

      Also, you might never really know who's behind it.
    • The vast majority of participants in a DNS based DDoS are "administrators" that have not disabled recursive lookups. A friendly "fix your DNS settings, shithead" should do, IMHO. That being said, "administrators" that do not set up DNS properly deserve a little shame.

    • What happens if you run a legitimate DNS server and a botnet spoofs source IPs in DNS requests to launder and amplify their attack by reflection off you (and countless other DNS servers)?

      I've been seeing this come through my system and I don't yet have the sophistication to filter out the attacks. Not that I'm asking to be blacklisted, but ... I should be blacklisted.

    • "The vast majority of DDoS participants are infected computers in botnets" .. that run on Microsoft Windows ...
      • by Bengie ( 1121981 )
        Don't worry, Steam is coming to Linux. Soon Linux will start to become a "regular user" OS, so it can join the ranks of Windows as a zombie in a bot-net.
  • by Anonymous Coward

    He ends up asking: should we actively publish or 'name and shame' DDOS participants (or at least their IP addresses)?

    Next up, someone broke into my house; is some stern criticism in order?

    Hey, how about you give the evidence to the police?

    • Hey, how about you give the evidence to the police?

      And you expect the police to do what with that, exactly? Even if you live in a city with technically competent (or even just non-Barney Fife) officers, the odds that they will have the time to care is practically nil. Most likely the majority of the systems involved in a DDoS are not from the country you live in, meaning the cops would need to contact INTERPOL to get anything moving - and they don't usually do that for much of anything short of capital murder.

      In other words, sure, you can bring it to

    • We have this concept known as an attractive nuisance.

      Sure, grand theft auto is still illegal, but lately governments are beginning to crack down on people leaving their cars unattended and running.

  • by Anonymous Coward

    Publish. Shame. Maim. Cripple. What ever it takes to get some measure of satisfaction.

    We had this type of DDoS attack. 1 - 2 million requests per hour against a small VPS. Bind wasn't running but it didn't matter; the requests kept coming for weeks. We cloned the VPS so we'd get another IP, switched things over and abandoned the first VPS.

    Backups people. Have backups of your code, configs and databases.

  • No (Score:5, Interesting)

    by Anonymous Coward on Tuesday December 25, 2012 @06:49PM (#42390583)

    The only reason you can possibly have for publishing the IP addresses is to provoke vigilante justice type of actions, likely counter ddos or something.
    What you should do is report him to the abuse department of his ISP. Note the responses of the ISP's and name and shame the ISP's that do not take action.
    IP addresses from bad ISP's should end up on a "botnet-friendly ip list" so we can start blocking the traffic from these isp's.

    • Re:No (Score:5, Informative)

      by VortexCortex ( 1117377 ) <VortexCortex AT ... trograde DOT com> on Tuesday December 25, 2012 @10:18PM (#42391629)

      Note the responses of the ISP's and name and shame the ISP's that do not take action. IP addresses from bad ISP's should end up on a "botnet-friendly ip list" so we can start blocking the traffic from these isp's.

      On a DoS or DDoS (special case of DoS) that's fine. On a reflective DDoS (RDDoS, a special case of both DDoS and DoS) you have a different situation. A denial of service (DoS) is any interruption of service, e.g., by flooding the server with SYN packets. A distributed denial of service (DDoS) is when the attack comes from multiple different places at once, e.g., a single connection may not be enough to take down a server with high bandwidth; However if you coordinate the attack across many different connections then the overall traffic can eclipse even a high bandwidth server. With a DDoS the machines coordinating the attack may or may not belong to the attackers, but it's a good idea to contact the ISPs so that the IP holders can be notified that their systems may be infected with a bot-net -- Although, this may not be the case, as I'll explain later. In a reflective distributed denial of service (RDDoS), the apparent IP addresses may belong to machines that were under the control of any malicious software. Reporting these IPs would be pointless.

      When a server receives the first SYN (synchronize) packet of a TCP connection handshake, it replies with a SYN-ACK (acknowledgement & synchronization) to the source IP of the originating packet. Then an ACK is sent to the server to acknowledge the server's synchronization. This verifies both endpoints aren't spoofed. A RDDoS takes advantage of the fact that:
      0. The source IP address of the initial SYN packet can be spoofed (the "From" field can be bogus).
      1. The server sends a SYN-ACK before the connection endpoints have been verified.
      2. The TCP protocol allows several (five) retries of the SYN-ACK packet.

      In a RDDoS, a single malicious computer can spoof the "From" IP of a TCP connection, and spray it around to servers on the net. The bogus return IP address is that of the victim system. Thus, legitimate servers will flood the victim's connection with five SYN-ACK packets for each single packet the attacker sends. Thus the victim never has the attacker's IP address. To combat this servers may pro-actively detect an IP that sends too many incomplete TCP connection requests, and block it. However, the attacker can have many IP addresses at their control (see: botnet) limited to just a few packets per hour sent to an entire Internet of servers. None of these infected machines will be revealing their IP addresses when they perform the reflective attack by spoofing the source IPs of their packets. What we need is for ISPs to block packets originating from their network that don't have correct return IP addresses... Not all ISPs do this.

      Now what if the attacker only has a single machine at their control and they perform an RDDoS? Why, the traffic pattern is identical to a DDoS -- Ah, I can hear your gears turning already: Can't the return IP addresses be checked to see if they're residential IPs, and thus victims of a botnet infection? Yes, but how do you differentiate the non-residential IPs between infected servers and non infected servers? Just assume that the non-residential IPs aren't intentionally malicious? Yes, indeed, which is why RDDoS is a popular form of network DoS.

      I reiterate: What we need is for ISPs to block packets originating from their network that don't have correct return IP addresses; Thus, spoofed packets are dropped at the source. You'd think with deep packet inspection now available this shallow packet inspection would be broadly adopted -- Ah, but this is electrons spent that don't directly benefit profits. IPsec [wikipedia.org] was once a requirement of IPv6 adoption, and would defeat endpoint spoofing, however IPSec has been made optional for IPv6, so we can expect the RDDoS attacks to continue for quite some time.

      • The type of DDoS discussed in TFS/TFA isn't TCP-based. It's UDP-based, is referred to as a DNS amplification attack, and abuses DNS servers that permit public recursion to accomplish its goals. There is no handshake involved, as UDP is a connectionless protocol.
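The comment above describes the DNS amplification variant from the resolver operator's side. As an added illustration (not code from the thread or from Peter Hansteen's column), here is a small detector run over constructed query-log lines whose format is loosely modelled on BIND's query log; the allowed-recursion network, addresses and domain names are all hypothetical. It flags two things a resolver operator would look for: recursive queries from outside the networks the resolver is meant to serve (the resolver is open) and repeated ANY queries from one source (the spoofed address of the reflection victim, not of the attacker).

```python
import ipaddress
import re
from collections import Counter

# Constructed query-log lines, loosely modelled on BIND's query log (hypothetical data).
SAMPLE_LOG = """\
25-Dec-2012 18:40:01.101 client 192.0.2.17#50233: query: www.example.net IN A + (192.0.2.1)
25-Dec-2012 18:40:01.104 client 198.51.100.5#53: query: isc.org IN ANY +E (192.0.2.1)
25-Dec-2012 18:40:01.105 client 198.51.100.5#53: query: isc.org IN ANY +E (192.0.2.1)
25-Dec-2012 18:40:01.107 client 198.51.100.5#53: query: ripe.net IN ANY +E (192.0.2.1)
25-Dec-2012 18:40:01.108 client 198.51.100.5#53: query: isc.org IN ANY +E (192.0.2.1)
25-Dec-2012 18:40:01.110 client 192.0.2.44#61002: query: mail.example.net IN MX + (192.0.2.1)
25-Dec-2012 18:40:01.112 client 203.0.113.80#53: query: isc.org IN ANY +E (192.0.2.1)
25-Dec-2012 18:40:01.115 client 198.51.100.5#53: query: isc.org IN ANY +E (192.0.2.1)
"""

LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F:.]+)#(?P<port>\d+): query: (?P<qname>\S+) "
    r"IN (?P<qtype>\S+) (?P<flags>\S+) \((?P<server>[0-9a-fA-F:.]+)\)"
)

# Networks this resolver is meant to serve (constructed). Recursive queries from
# anywhere else mean the resolver is open, which is what an amplification attack needs.
ALLOWED_RECURSION = [ipaddress.ip_network("192.0.2.0/24")]


def parse_line(line):
    """Return the fields of one query-log line, or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    q = m.groupdict()
    q["ip"] = ipaddress.ip_address(q["ip"])
    q["port"] = int(q["port"])
    # In BIND's flag field a leading '+' means "recursion desired" (RD bit set).
    q["recursion_desired"] = q["flags"].startswith("+")
    return q


def analyse(log_text, any_threshold=3):
    """Summarise off-net recursive queries and repeated ANY queries per source.

    Sources that repeatedly ask for ANY on large zones are reported as likely
    reflection victims: in an amplification attack the source address is spoofed
    to point at the target, so the attacker's own address never appears here.
    """
    offnet = Counter()
    any_count = Counter()
    for line in log_text.splitlines():
        q = parse_line(line)
        if q is None:
            continue
        inside = any(q["ip"] in net for net in ALLOWED_RECURSION)
        if q["recursion_desired"] and not inside:
            offnet[str(q["ip"])] += 1
        if q["qtype"] == "ANY":
            any_count[str(q["ip"])] += 1
    suspects = sorted(ip for ip, n in any_count.items() if n >= any_threshold)
    return {
        "offnet_recursive": dict(offnet),
        "any_queries": dict(any_count),
        "likely_reflection_victims": suspects,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(key, value)
```

The remediation for the operator is the one the thread keeps coming back to: restrict recursion to your own networks and rate-limit responses, rather than blocking the reported source addresses, which belong to the victim.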

      • by Bengie ( 1121981 )

        You'd think with deep packet inspection now available this shallow packet inspection would be broadly adopted

        This could actually be done by the end-points. Cable/DSL/Fiber "modems", could make sure that the source IP is of a valid IP list and/or subnet, since the end-point already needs to register with the ISP to hand out IP addresses.
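Both VortexCortex's point about ISPs dropping packets with bogus source addresses at the edge and Bengie's suggestion that the access device do it against the customer's assigned prefix describe source address validation (the practice standardised as BCP 38). As an added example, not code from the thread or from any ISP's equipment, the snippet below models that check with a constructed per-port prefix table and constructed packets, in both strict mode (source must belong to the port it arrived on) and loose mode (source must belong to the ISP at all), to show which spoofed packets each mode catches. All port names and addresses are hypothetical.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ingress_port: str


# Constructed assignment table: the prefixes the ISP handed to each access port.
PORT_PREFIXES = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/29")],
    "cust-b": [ipaddress.ip_network("192.0.2.64/26"),
               ipaddress.ip_network("2001:db8:b::/48")],
}

# Constructed traffic: one legitimate packet per customer plus two spoofed ones
# from cust-a, one claiming an address outside the ISP and one claiming cust-b's.
SAMPLE_PACKETS = [
    Packet("192.0.2.3", "198.51.100.10", "cust-a"),       # cust-a's own address
    Packet("203.0.113.9", "198.51.100.10", "cust-a"),     # spoofed: not an ISP address
    Packet("192.0.2.70", "198.51.100.10", "cust-a"),      # spoofed: neighbour's address
    Packet("2001:db8:b::1", "2001:db8:ffff::10", "cust-b"),  # cust-b's own address
]


def source_is_valid(pkt, table=PORT_PREFIXES, strict=True):
    """Source address validation at the ISP edge.

    strict: the source must lie in a prefix assigned to the ingress port.
    loose:  the source must lie in some prefix the ISP assigned to anyone,
            which still lets a customer impersonate a neighbour.
    """
    src = ipaddress.ip_address(pkt.src)
    if strict:
        prefixes = table.get(pkt.ingress_port, [])
    else:
        prefixes = [net for nets in table.values() for net in nets]
    return any(src in net for net in prefixes)


def filter_packets(packets, table=PORT_PREFIXES, strict=True):
    """Split packets into (forwarded, dropped); dropped entries carry a reason string."""
    forwarded, dropped = [], []
    for p in packets:
        if source_is_valid(p, table, strict):
            forwarded.append(p)
        else:
            reason = "source %s not assigned to %s" % (p.src, p.ingress_port)
            dropped.append((p, reason))
    return forwarded, dropped


if __name__ == "__main__":
    for mode in (True, False):
        fwd, drp = filter_packets(SAMPLE_PACKETS, strict=mode)
        print("strict" if mode else "loose", "forwarded:", [p.src for p in fwd])
        for p, why in drp:
            print("  dropped", p.src, "-", why)
```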

  • by Anonymous Coward

    Easy, you post the name of the attacker on Slashdot in an article about a new supercool anything and have him slashdotted.

    • Do sites still get slashdotted? I thought these days this place doesn't drive enough traffic for that. Could be mistaken.
      • We should find out. What's your website's address?
      • Do sites still get slashdotted? I thought these days this place doesn't drive enough traffic for that. Could be mistaken.

        These days sites seem to get slashdotted very rarely. However I mostly figure it's just due to servers and their bandwidth getting strong enough to alleviate that. Slashdot itself seems to have a solid user base and traffic, at least looking at the amount of comments that stories get.

      • By Slashdot, OP meant Reddit.
  • contact the ISPs involved, tell them to yank the bad boys' service or you will blackhole them.

  • by Anonymous Coward

    Spoofing is more than trivial, and anyone but the dumbest do this to cover their tracks and keep law enforcement back-tracking from a botnet node back to the perp.

    Better to track the traffic back over the 'net (using CEF-forwarding tables or ACL etc.) with the help of the relevant ISPs.

    If the end ISP isn't helpful, shame them and their upstream peers.

    Dom

  • by stevegee58 ( 1179505 ) on Tuesday December 25, 2012 @06:58PM (#42390637) Journal
    1) It's DISTRIBUTED. You'd have to name and shame thousands.
    2) Many of the DDOS nodes don't know they're being hijacked for a DDOS. Name and shame an innocent person?
    • Not innocent (Score:2, Insightful)

      by ElusiveJoe ( 1716808 )

      Many of the DDOS nodes don't know they're being hijacked for a DDOS. Name and shame an innocent person?

      They are NOT innocent. They let their computers be used in stealing, censorship, blackmailing, spam and other evil stuff. It doesn't matter if it is stupidity, ignorance or malicious intent.

      If your car keeps hitting other cars you should hand over your license.

      • by Phyrexia ( 55710 )

        Someone remotely hijacks your driverless automobile. They drive it into a coffeeshop. Are you to blame?

        • by Lisias ( 447563 )

          Someone remotely hijacks your driverless automobile. They drive it into a coffeeshop. Are you to blame?

          YES.

          You are responsible for keeping your car under legal and technical correct operation.

          Oh, your car has a manufacturing defect? Sue the manufacturer for damages in order to compensate you for the money you lost due to this defect.

      • by Anonymous Coward

        Many of the DDOS nodes don't know they're being hijacked for a DDOS. Name and shame an innocent person?

        They are NOT innocent. They let their computers be used in stealing, censorship, blackmailing, spam and other evil stuff. It doesn't matter if it is stupidity, ignorance or malicious intent.

        If your car keeps hitting other cars you should hand over your license.

        Nice analogy. If someone steals my car and then runs into someone I should totally lose my license.

        • Re: (Score:1, Informative)

          by duk242 ( 1412949 )

          Someone steals your car every night and drives it around, you're not aware of the problem, however someone sees people driving your car and throwing shit at people and lets the police know. The police then pass on the information to you saying "Why is your car out there throwing shit at people at night?"

          It is up to you to make sure that your car is properly locked and secured at night, so people can't steal it and take it for joyrides.

          Is that a better analogy?

          • by Renraku ( 518261 )

            In order for this to be a more fitting analogy, someone has paid someone else to contract 10,000 car thieves to steal 10,000 cars and all come by and fling shit at your house all night. You ask the police for help and they say they can't really do anything because there's goddamn 10,000 cars and they'd have to build a prison in order to house all the car thieves.

            But, your home owner's association decides to enact a temporary 'show proof of residence in this area to get through' rule and the shit-flinging i

      • Comment removed based on user account deletion
        • Correction - the ordinary locking mechanisms are good enough to keep basically honest folk from temptation and make opportunistic crimes a little more difficult. Anyone with even the most basic lockpicking skill can open 90% of mechanical locks in less than a minute, and picking the lock is usually one of the most difficult ways to gain entry, you only do it if you don't want your entry to be obvious.

      • by nnet ( 20306 )
        Excellent. Internet usage should be a licensed privilege.
      • Many of the DDOS nodes don't know they're being hijacked for a DDOS. Name and shame an innocent person?

        They are NOT innocent. They let their computers be used in stealing, censorship, blackmailing, spam and other evil stuff. It doesn't matter if it is stupidity, ignorance or malicious intent.

        If your car keeps hitting other cars you should hand over your license.

        Say I send a bunch of packets all over the Internet. They look like TCP requests created by YOU! Ah, so thousands of legitimate servers reply to the spoofed requests and flood your connection with traffic trying to complete the TCP handshake with you. You collect a list of IP addresses, and report all the IPs. Your report will include everyone from Apple.com to Zombo.com. [zombo.com]

        Meanwhile, MY IP address is not included in your list at all. Even if I used a network of infected machines to perform this RDDoS

    • by tnk1 ( 899206 )

      Not to mention pointless.

      Me: Mom, your name is on a list of DDOS spammers?

      Mom: Is that bad?

    • by Desler ( 1608317 )

      3) Spoofing an address is extremely easy.

    • by Cheviot ( 248921 )

      If they're not protecting their computers they are far from innocent.

  • by Anonymous Coward

    You're being 'ddosed' from thousands of different IPs - list them all!

    Who cares if they're compromised computers - naming them will surely shame the botnet owners into submission!

    Was this question asked by an idiot?


    • Who cares if they're compromised computers

      I don't. Why should I?

    • Why is this marked insightful? If the botnet owners had broken into people's homes and physically stolen the computers they then used for the ddos, instead of merely hijacking them, should the victims of those thefts be reported as criminals?
  • DDOS is a violation of federal law and should not be tolerated. If it is a botnet, whoever is running such a botnet is in violation of federal law.

    • who will say, "uh, what? if you got a dose from somebody, you want public health."

      • Would "I have evidence that a computer system that I operate is being abused in violation of the Computer Fraud and Abuse Act" be any clearer?
        • Would "I have evidence that a computer system that I operate is being abused in violation of the Computer Fraud and Abuse Act" be any clearer?

          And then they send you to the FBI's computer crimes division, since the evidence you have is that it is being carried out by computers all over the country and probably world? What happens next? What are the general steps one uses to report an attack? get it stopped? mitigate risk?

  • It's a first step (Score:5, Interesting)

    by bill_mcgonigle ( 4333 ) * on Tuesday December 25, 2012 @07:16PM (#42390725) Homepage Journal

    Eventually we should have a reputation-based distributed admin function for the Internet. If a dozen high-rated NetOps guys all sign messages that say that a given IP is spewing DDoS traffic, the infrastructure should permit a block without the owning admin having to deal with it proactively.

    If a network doesn't participate, that could play into trust levels. If an admin screws up, he loses reputation. If an admin tends to advertise YouTube routes into Pakistan, he never gets a good reputation in the first place.

    As usual, it's all trade-offs and we don't yet have an extensible crypto-reputation system, so one thing at a time.

    To the original question - it's probably not going to do much good, but it's good to cultivate such expectations.

    • by symbolset ( 646467 ) * on Tuesday December 25, 2012 @07:56PM (#42390949) Journal
      Censoring the Internet is never the right answer.
      • It's not censoring the internet, any more than email blacklists are censoring the internet. If I own a router, I have the right to drop any packets I like. If I choose to drop packets based on reputation score from a robust cryptographic reputation system, and my network becomes more robust and stable and attracts more customers and money, then everyone wins. If I drop packets based on a crappy system, my network becomes unreliable, everyone leaves and I go out of business. Everyone wins again.

      • That's simplistic.

        Autonomous systems should have the ability to publish opinion and the ability to filter.

        "Censoring is never right" as a response to reasonable filtering is like saying, "Every user should receive and read through all their spam."

  • by toygeek ( 473120 ) on Tuesday December 25, 2012 @07:20PM (#42390757) Journal

    Make up some story about how you tracked down a huge network of movie pirates.

  • by Frater 219 ( 1455 ) on Tuesday December 25, 2012 @07:42PM (#42390849) Journal

    Sites under DoS attack should publish (through a channel not congested by the attack) a list of the IP addresses attacking them, through some trustworthy third party. Then, other sites should subscribe to that list and refuse service to those addresses until they clean up and stop attacking.

    For instance, consider your uncle who uses AOL. His computer is infected with botnet garbage and is participating in a DoS attack against (say) Slashdot. Slashdot sends a list of attacking IPs, including your uncle's, to Team Cymru (the third party). Cymru aggregates these and publishes a list, updated every three hours. AOL subscribes to that list. When your uncle goes to check his AOL email, he gets an error: "We regret to inform you, your computer has been hacked, and is being used by criminals to break the Internet. You can't get to your AOL email until you kick the criminals off by installing an antivirus program and running a full scan. Click here to install Kaspersky Antivirus for free. Thank you for helping keep criminals from breaking everyone's Internet. Sincerely, Tim Armstrong, CEO, AOL."

    Then your uncle gets mad and calls up AOL and complains. They try walking him through using the antivirus program, but he just curses them out and says he'll go to Hotmail instead. He tries ... but Hotmail also subscribes to the same list and tells him the same thing: "Your computer is infected with malware and is being used to attack other sites on the Internet. You cannot obtain a Hotmail account until your computer is clean. Click here to install Microsoft Antivirus." He gives up and calls AOL back, and they help him get his computer cleaned up. Within half an hour, it's off the botnet; and within three hours, it's off the list of attacking hosts, and your uncle can get his AOL email again.

    • by Zedrick ( 764028 )
      There should be a list of ISP's/hosts that doesn't do anything about it. We (my hosting company) usually get DDoSed by Turkish IP's from Turk Telecom a couple of times a month, because of random Kurdish websites their customers don't like. I report them all to the turktelecom abuse address, but it doesn't seem to help much. (the blocked IP's keep trying)

      Last couple of weeks some of our customers (using outdated Joomla-installations with security holes) were used for a DDoS against Bank of America. I sh
    • Excellent idea.

      You have described the XBL.

      The Spamhaus XBL [spamhaus.org], or "Exploits Block List", is a DNSBL [wikipedia.org] (DNS-served blacklist) that lists IP addresses of systems known to be infected or otherwise being used by malicious parties. ("The XBL is an automatic system whose detectors need to receive email (spam, worms, etc.) directly from the IP address so the connection data can be analysed to determine if it's a proxy or virus-spewer.") The blacklist is developed in a way primarily to be useful in reporting systems e

      • Sure, I know and like DNSBLs including Spamhaus's, but this is a distinct application from XBL. Specifically, removal needs to be rapid in order for it to be useful for rejecting customer Web traffic. That's an engineering requirement that email anti-spam systems don't have, since SMTP is designed to retry for days if necessary to get a message through. Moreover, hosts that send any legitimate email are very few compared to hosts that send Web requests; and even though email admins are frequently dense, un

        • Fast removal may be a requirement that email anti-spam systems don't have, but that doesn't invalidate DNS as a delivery mechanism. You can update your listing at whatever frequency you see fit and you can set low TTLs on the DNS entries. As it turns out, XBL sets a 35 minute TTL. SpamCop's SBL sets 15 minutes.

          Moreover, hosts that send any legitimate email are very few compared to hosts that send Web requests...

          I think you're making a case against using a DNSBL, but I'm not sure how this point supports t
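Frater 219's proposal and the XBL comparison that follows turn on two mechanics: how a client asks a DNS-served blocklist about an address, and how long a stale "listed" answer survives once the host is cleaned up, which is bounded by the zone's TTL (35 minutes for XBL, as cited above). The added example below, not code from Spamhaus or from anyone in the thread, builds the reversed-address query name and wraps a lookup in a TTL-honouring cache so the delisting delay can be exercised with a manual clock. The zone name, listing data and return value are constructed.

```python
import ipaddress
import time


def dnsbl_query_name(ip, zone):
    """Build the DNSBL lookup name: IPv4 octets (or IPv6 nibbles) reversed, then the zone.

    e.g. 192.0.2.10 against zone xbl.example -> 10.2.0.192.xbl.example
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")[::-1]
    else:
        labels = list(addr.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone


class BlocklistCache:
    """Looks addresses up through `resolver(name) -> answer or None` and caches each
    answer (positive or negative) for ttl_seconds, the way a caching resolver would.
    After a host is delisted, the old 'listed' answer can linger for at most one TTL."""

    def __init__(self, resolver, ttl_seconds, clock=time.time):
        self.resolver = resolver
        self.ttl = ttl_seconds
        self.clock = clock
        self._cache = {}  # name -> (answer, expiry timestamp)

    def is_listed(self, ip, zone):
        name = dnsbl_query_name(ip, zone)
        now = self.clock()
        hit = self._cache.get(name)
        if hit is not None and now < hit[1]:
            return hit[0] is not None
        answer = self.resolver(name)
        self._cache[name] = (answer, now + self.ttl)
        return answer is not None


class FakeClock:
    """Manual clock so TTL expiry can be exercised without sleeping."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


XBL_TTL = 35 * 60  # the 35-minute TTL cited in the thread


def delisting_demo():
    """Return (listed before cleanup, seen as listed 10 min after delisting,
    seen as listed once the cached answer has expired)."""
    zone = "xbl.example"  # hypothetical zone
    name = dnsbl_query_name("192.0.2.10", zone)
    listing = {name: "127.0.0.4"}  # constructed listing data; not a real XBL record
    clock = FakeClock()
    cache = BlocklistCache(listing.get, XBL_TTL, clock)
    before = cache.is_listed("192.0.2.10", zone)  # fresh lookup: listed
    del listing[name]                             # host cleaned up and delisted
    clock.advance(10 * 60)
    stale = cache.is_listed("192.0.2.10", zone)   # cached answer still says listed
    clock.advance(XBL_TTL)
    after = cache.is_listed("192.0.2.10", zone)   # cache expired, re-queried: clean
    return before, stale, after


if __name__ == "__main__":
    print(dnsbl_query_name("192.0.2.10", "xbl.example"))
    print(delisting_demo())
```

The same bound applies to a web front end rejecting visitors off such a list: the fastest the uncle in the story can be let back in is the publisher's update interval plus one TTL, which is why the reply above argues for low TTLs.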

    • by CBravo ( 35450 )
      There are a couple of things that you, as an AS, might want another AS to do (for traffic to your AS only):
      -use a blocklist of IPs, as proposed above
      -use a whitelist of IPs for known good ones (e.g. logged in users)
      -use a throttle for the rest (conn/s, bandwidth, etc). Allows for blackholing entirely.

      That way you can let another AS do your throttling for you (so the tubes are no longer overflowing). You determine the amount of traffic that you can filter and categorize on your side. You keep adding IPs
  • The idea of voluntary email blackhole lists could be adapted here. Victims of DDOS could submit lists of IP addresses that are attacking, to a central clearinghouse, which will analyze the attack pattern in order to determine the most efficient response. The clearinghouse would verify and document which groups of IPs are part of a particular attack in progress, and notify the relevant ISPs in real time. These ISPs would respond by blocking outgoing access to the victim from their network for a time. Wheneve
  • Most of the systems involved in distributed attacks are not intentionally willing participants. They are generally part of a botnet, belonging to unknowing owners and controlled by uncaring masters. Shame them all you want but that won't make them go away.
  • I've had sizable amounts of junk come in from China Telecom DSL class C blocks in Shenzhen. It's obviously a botnet. Amusingly, by changing what the attackers get back, it's possible to slowly influence their behavior. The zombies just send blindly, trying SMTP and PHP attacks, and they continue to send even if they get no useful response. But after a few days, some control node notices that the botnet isn't accomplishing anything and stops. Except that a few zombies don't get the word and continue to send

  • null route the ip being attacked?
  • Most packet based DDoS attacks (SYN|FIN|ACK|ICMP floods) do not require a return packet. The source address is always bogus. Reporting it is a joke. New fun and exciting targeted DDoS attacks use improperly set up services/daemons. In this case, recursive lookups on DNS servers are the cause. IMHO, if someone has a fast connection and doesn't disable recursive DNS lookups they should get a warning. After that, publishing their whois information on a web site would be a great way to motivate them.

  • Contact the authorities. If they don't care, contact the newspaper and tell them the authorities don't care. Lather, rinse, repeat.

    In the meantime, contact your ISP and beg them not to disconnect you.

    I've been DDoS'd for insulting people on irc. As a home user you have no option but to wait for it to end, especially if you have a static IP which I did at the time. It's small satisfaction knowing that the person flooding you is never going to amount to anything and will probably end up in PMITA prison one da

  • I think that idea needs one of those old form letter responses: Your idea will never work because...
