You're Being DDOSed — What Do You Do? Name and Shame?
badger.foo writes "When you're hit with a DDOS, what do you do? In his most recent column, Peter Hansteen narrates a recent incident that involved a DNS based DDOS against his infrastructure and that of some old friends of his. He ends up asking: should we actively publish or 'name and shame' DDOS participants (or at least their IP addresses)? How about scans that may or may not be preparations for DDOSes to come?"
Why name and shame? (Score:3, Funny)
DDoS the DDoSers, that'll show em!
Fight back, it's easy. (Score:2, Funny)
Easy, you post the name of the attacker on Slashdot in an article about a new supercool anything and have him slashdotted.
Give all the IPs to the RIAA (Score:5, Funny)
Make up some story about how you tracked down a huge network of movie pirates.
Re:Let's see if this works (Score:0, Funny)
P.S.=> There are other methods also, via native to OS tools for network-wide propagation of fresh clean updated hosts files that program yields IF you only installed it on a "central server" for clean hosts for all nodes/workstations/servers:
I.E.-> Centrally managed hosts files? Easy as pie via logon scripts, or parse of autoexec in Windows @ bootup via GPEdit & group policies company-wide!
OR
Using taskscheduler on each workstation/server node periodically
P.P.S.=> Of course, your HOSTS file will need to have the domain/hosts name of the C&C servers, & that you have to obtain for this to work vs. threats like bogus servers &/or maliciously scripted sites. Here's some good sources for that above & beyond mvps.org (I noted them above):
http://hosts-file.net/?s=Download [hosts-file.net]
http://www.malwaredomainlist.com/hostslist/hosts.txt [malwaredomainlist.com]
http://mirror1.malwaredomains.com/files/ [malwaredomains.com] (justdomains here)
http://pgl.yoyo.org/as/serverlist.php?hostformat=hosts&showintro=1&mimetype=plaintext [yoyo.org]
http://sysctl.org/cameleon/hosts [sysctl.org]
http://someonewhocares.org/hosts/ [someonewhocares.org]
http://hostsfile.org/hosts.html [hostsfile.org]
http://hostsfile.mine.nu/downloads/ [hostsfile.mine.nu]
https://zeustracker.abuse.ch/monitor.php?filter=lastupdated [abuse.ch]
https://spyeyetracker.abuse.ch/monitor.php?filter=lastupdated [abuse.ch]
http://www.apkgoatsestylepersonalpics.com/hostsfiles.htm [apkgoatses...alpics.com]
http://www.malwareurl.com/ [malwareurl.com]
http://www.safer-networking.org/en/download/ [safer-networking.org] (updater for Spybot "Search & Destroy" & it fortifies HOSTS files)
Those are some of my regular sources that are reputable & reliable for custom HOSTS file data populations vs. known threats online - I consolidate them here via programs I wrote that normalize/deduplicate repeated entries, sort/alphabetize the results, & change from larger + slower 127.0.0.1 (longer & loopback ops happen here) to the faster & smaller 0.0.0.0 (or even 0 on Windows 2000/XP/Server 2003): Enjoy!
P.P.P.P.S.=> There you go... it all works, GUI easily from my app, all the way out to any endpoint PC/Server on a LAN/WAN even... often as you like & CLEAN/FRESH too!
P.P.P.P.P.S=> It's good "layered-security"/"defense-in-depth" & does things AdBlock, DNS, & even firewalls can't (like speed up access to fav. sites + make them reliable in the event of DNS poisoning redirects or being "downed" even...) & gets P.P.P.P.P.P.S.=> back SPEED/BANDWIDTH users pay for out of pocket along with their POWER BILL too...
P.P.P.P.P.P.P.S.=> I skipped P.P.P.S=>
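The consolidation step the comment above describes (merge several blocklists, normalize and deduplicate, sort, and rewrite the sink address to 0.0.0.0) can be sketched as follows. This is an added example, not the commenter's program and not part of the thread; the function names and the sample inputs are assumptions constructed for illustration.

```python
import re

# Names stock hosts files map to loopback; these must never be sinkholed.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local",
               "broadcasthost", "ip6-localhost", "ip6-loopback"}
# Addresses blocklists use as the sink; any other address is a real mapping.
SINK_ADDRS = {"127.0.0.1", "0.0.0.0", "0", "::1", "::"}
LABEL = re.compile(r"(?!-)[a-z0-9_-]{1,63}(?<!-)")
# Constructed sample inputs (reserved example names, not real feed data).
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1  Ads.Example.com   # inline comment
0.0.0.0 tracker.example.net tracker.example.net.
192.0.2.10 intranet.example.org
"""
SAMPLE_DOMAINS = "ads.example.com\r\nbad_host!.example.com\nc2.example.net\n"

def valid_hostname(name):
    """True for a multi-label DNS name that is not a bare IPv4 address."""
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2 or labels[-1].isdigit():
        return False
    return all(LABEL.fullmatch(label) for label in labels)

def parse_blocklist(text):
    """Yield blocked hostnames from hosts-format or one-domain-per-line text."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].lower().split()
        if not fields:
            continue                    # blank line or comment only
        if fields[0] in SINK_ADDRS:
            names = fields[1:]          # hosts format: address, then names
        elif len(fields) == 1:
            names = fields              # domain-only ("justdomains") format
        else:
            continue                    # real IP mapping: not a block entry
        for name in names:
            name = name.rstrip(".")     # "example.net." == "example.net"
            if name not in LOCAL_NAMES and valid_hostname(name):
                yield name

def consolidate(sources, sink="0.0.0.0"):
    """Merge several lists into sorted, de-duplicated hosts-file lines."""
    names = set()
    for text in sources:
        names.update(parse_blocklist(text))
    return [f"{sink} {name}" for name in sorted(names)]

if __name__ == "__main__":
    print("\n".join(consolidate([SAMPLE_HOSTS, SAMPLE_DOMAINS])))
```

Lines that map a name to a real address are skipped rather than rewritten, so a legitimate internal mapping in a source list is not turned into a block entry.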