#1
Join Date: Sep 2006
Reputation: 1100
Posts: 5,486
How to find the IP of a DDoS attacker?
I suspect I am currently under a DDoS attack; how can I find the IP of the attacker?
netstat is useless because I NORMALLY have over 3000 connections listed there without anyone DDoSing me. Also, how do I block it? Yes, I have a dynamic IP. Too lazy to turn off my modem for 10 minutes to obtain a new IP at the moment.
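Added example, not from the thread: a short Python script that does the one thing netstat alone does not, grouping `netstat -n` output by remote address and by TCP state so that one flooding host stands out among thousands of ordinary lines. The netstat text inside it is constructed; a real run pipes `netstat -n` (Windows) or `netstat -tn` (Linux) into it. A remote host with many half-open (SYN_RECV / SYN_RECEIVED) entries and nothing ESTABLISHED is the usual flood signature; spoofed sources never complete the handshake, so a spoofed flood shows up instead as a long tail of addresses with one half-open entry each.

```python
"""Aggregate `netstat -n` output by remote address and TCP state.

Added example (not from the thread). Accepts either the Windows `netstat -n`
layout (TCP local foreign state) or the Linux `netstat -tn` layout
(tcp recvq sendq local foreign state).
"""
import sys
from collections import Counter, defaultdict

HALF_OPEN = {"SYN_RECV", "SYN_RECEIVED"}       # Linux / Windows spellings
LISTENING = {"LISTEN", "LISTENING"}

# Constructed sample: normal sessions plus one remote host piling up
# half-open connections to port 80. RFC 5737 documentation addresses.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.10:80         203.0.113.7:40001       SYN_RECV
tcp        0      0 192.168.1.10:80         203.0.113.7:40002       SYN_RECV
tcp        0      0 192.168.1.10:80         203.0.113.7:40003       SYN_RECV
tcp        0      0 192.168.1.10:80         203.0.113.7:40004       SYN_RECV
tcp        0      0 192.168.1.10:80         198.51.100.23:51200     ESTABLISHED
tcp        0      0 192.168.1.10:52011      198.51.100.9:443        ESTABLISHED
tcp        0      0 192.168.1.10:52012      198.51.100.9:443        TIME_WAIT
  TCP    192.168.1.10:80        203.0.113.7:40005      SYN_RECEIVED
  TCP    [::1]:80               [::1]:61000            ESTABLISHED
  UDP    0.0.0.0:123            *:*
"""


def remote_ip(addr):
    """Strip the port from '1.2.3.4:80' or '[::1]:80'."""
    host, _, _port = addr.rpartition(":")
    return host.strip("[]")


def parse_netstat(text):
    """Return [(remote_ip, state)] for every TCP line; headers, UDP and
    listening sockets are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].lower().startswith("tcp"):
            continue
        state = parts[-1].upper()
        if state in LISTENING:
            continue
        rows.append((remote_ip(parts[-2]), state))
    return rows


def summarize(rows, top=5):
    """Return [(ip, total, half_open, established)] sorted by total, desc."""
    total = Counter()
    by_state = defaultdict(Counter)
    for ip, state in rows:
        total[ip] += 1
        by_state[ip][state] += 1
    out = []
    for ip, n in total.most_common(top):
        half = sum(by_state[ip][s] for s in HALF_OPEN)
        out.append((ip, n, half, by_state[ip]["ESTABLISHED"]))
    return out


def suspects(rows, min_half_open=3):
    """Remote IPs whose half-open count alone crosses the threshold.
    One such address is a single flooding host; hundreds of addresses with
    one half-open entry each suggest spoofed sources instead."""
    return [ip for ip, _n, half, _est in summarize(rows, top=len(rows))
            if half >= min_half_open]


if __name__ == "__main__":
    text = SAMPLE_NETSTAT if sys.stdin.isatty() else sys.stdin.read()
    rows = parse_netstat(text)
    print(f"{'remote':<20}{'total':>6}{'half-open':>10}{'established':>13}")
    for ip, n, half, est in summarize(rows, top=10):
        print(f"{ip:<20}{n:>6}{half:>10}{est:>13}")
    print("suspects:", suspects(rows))
```

Usage: `netstat -n | python netstat_top.py` on Windows, `netstat -tn | python3 netstat_top.py` on Linux. With 3000 normal connections the top of the table is what matters, not the list; the threshold in suspects() is a starting point, not a rule.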
#2
Join Date: May 2010
Reputation: 87
Posts: 467
Contact your ISP.
#3
Volunteer Moderator
Join Date: Dec 2004
Reputation: 9193
Posts: 45,484
Is your computer hooked directly to the modem or do you have a router?
#4
Join Date: Sep 2006
Reputation: 1100
Posts: 5,486
My PC is connected to an unsecured (no firewall) router which is hooked to a non-firewalled port on my modem.
Though after turning off my modem for 15 minutes the attack seemed to stop (the IP didn't change).
#5
Volunteer Moderator
Join Date: Dec 2004
Reputation: 9193
Posts: 45,484
Your router should be running NAT and should also have an admin console that you can log into. Check the logs.
#6
Join Date: Sep 2006
Reputation: 1100
Posts: 5,486
My modem has 2 firewalled ports and 2 without a firewall. I have no devices connected to the firewalled ports, and I can log in to the control panel only from port 1 (firewalled).
Even if my PC wasn't connected to a port using a firewall (NAT), are there logs?
#7
Join Date: Jul 2004
Reputation: 422
Posts: 470
3000 active connections sounds like an awful lot for a non-server. Are you sure your problems stop at a denial of service attack?
Anyway, you could use TCPView to look at the bandwidth used by each socket; that might give you a better idea of what's happening.
#8
Join Date: Jul 2008
Reputation: 7731
Posts: 7,100
You will likely not see the IP being used by the attacker; chances are they are using a botnet, so their IP will never be disclosed to you, only the IPs of the various nodes (likely owned by innocent people with crappy security practices).

It is also possible the attacker's ISP does not egress filter, which would then mean he could be using spoofed IPs. In both cases, only the upstream can do anything about it (well, you could enable SYN cookies to slow it down); you will have to contact your ISP and have them contact the upstream provider(s) to null route the IPs. They will probably only do this, though, if the attack cripples them, or if you were someone like Amazon, in which case you probably would not even HAVE to call.

Lastly, if the attacker is actually only using his REAL IP and only his real IP (script-kiddie alert), then it would depend on the country he is in and the ISP's policies. It's pretty hard to get ISPs to work together from a consumer's standpoint when it involves multiple countries, but you can report the attacker to his ISP by sending mail to the abuse@ address. If you have his IP(s) you can block them using iptables in Linux, and using IP Security Policy Management in Windows, but if he is spoofing or using botnets, you will have your work cut out for you.

In short, if you want relief, change IPs, do not update any dyna hosts you use for the time being (if any), and hope they don't (have the ability and) start attacking your ISP's gateway. Good luck.

Last edited by damaged: 02-22-2011 at 09:31 AM.
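The blocking step from the reply above, as an added example that is not the poster's own commands: Python that collapses a list of offending addresses into the fewest CIDR blocks and emits the matching `iptables` rules (preceded by the SYN-cookie sysctl the reply mentions) or, on Windows, `netsh advfirewall` rules. The netsh form is my substitution for the IP Security Policy snap-in named in the reply; the address list, the rule name and the platform labels are constructed assumptions. Nothing touches the firewall unless apply_rules() is called with root/Administrator rights.

```python
"""Turn a list of attacking IPv4 addresses into firewall block rules.

Added example, not from the thread. Addresses are widened to a chosen prefix
and merged into the fewest CIDR blocks, since botnet nodes and free-proxy
pools often cluster in the same ranges. IPv4 only: collapse_addresses()
refuses to mix address families.
"""
import ipaddress
import subprocess

# Constructed list of offenders (RFC 5737 documentation ranges), with one
# duplicate and one adjacent pair to show the merging.
ATTACKERS = ["203.0.113.8", "203.0.113.9", "203.0.113.200",
             "198.51.100.23", "198.51.100.24", "203.0.113.8"]


def aggregate(ips, prefix=32):
    """Map each IP onto its /prefix network, drop duplicates and merge
    adjacent networks. prefix=32 blocks exact hosts; prefix=24 blocks the
    whole containing /24, trading collateral damage for fewer rules."""
    nets = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in ips}
    return sorted(ipaddress.collapse_addresses(nets))


def firewall_commands(nets, platform="linux", rule_name="ddos-block"):
    """Return the shell commands that would block each network.
    Nothing is executed here; see apply_rules()."""
    cmds = []
    if platform == "linux":
        # Cheap SYN-flood mitigation, applied before any per-address rule.
        cmds.append("sysctl -w net.ipv4.tcp_syncookies=1")
        for net in nets:
            cmds.append(f"iptables -I INPUT -s {net} -j DROP")
    elif platform == "windows":
        # Assumption: Windows Firewall with Advanced Security (Vista+),
        # used here in place of the IP Security Policy snap-in.
        for net in nets:
            cmds.append(f'netsh advfirewall firewall add rule name="{rule_name}" '
                        f"dir=in action=block remoteip={net}")
    else:
        raise ValueError(f"unsupported platform: {platform}")
    return cmds


def apply_rules(cmds):
    """Run the generated commands (needs root / Administrator). Kept apart
    from generation so the rule set can be reviewed or tested first."""
    for cmd in cmds:
        subprocess.run(cmd, shell=True, check=True)


if __name__ == "__main__":
    for net in aggregate(ATTACKERS):
        print("host block:", net)
    for cmd in firewall_commands(aggregate(ATTACKERS, prefix=24)):
        print(cmd)
```

The prefix choice is the real decision: exact /32 rules are precise but useless against a botnet that rotates nodes, while widening to /24 stops whole ranges and also stops their legitimate neighbours. Either way this only helps against sources that are real; against spoofed sources the rules match nothing useful, which is the reply's point about the upstream.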
#9
Join Date: Sep 2006
Reputation: 1100
Posts: 5,486
Apache running for easy image sharing (too lazy to launch an FTP program). I used to run game servers and TS as well but moved them to my other PC. Just when I tried to record netstat I get fewer than 50 connections now.. Strange.. Maybe because I restarted the modem lately. I can show (and ask what they all are) later maybe. TCPView keeps multiplying the processes; I had 3 IE tabs open and I saw over 30 IE things in TCPView.

The same person (maybe) attacked one of my websites and spammed some sort of contact form already 3 times. I think I got 2 IPs which are his real IPs and also found free proxy website IPs, so I doubt he has access to botnets if he's using free proxies instead of a VPN/victims' PCs. If I just find out the IP of the DDoS attacker I would be sure it's the same person and could report him to his ISP.
#10
Join Date: Jul 2008
Reputation: 7731
Posts: 7,100
That being said, chances are nothing will be done if the person originates from another country. That is not to say that you shouldn't report them, though; I'm just bracing you for the most likely outcome. If they originate in China, Russia or Romania, FORGET it, change IPs and give up the fantasy of reporting them and getting them shut down. This has been my experience with dealing with DDoSes anyway. Good luck.

Last edited by damaged: 02-22-2011 at 09:44 AM.
#11
Join Date: Sep 2006
Reputation: 1100
Posts: 5,486
Well, it seems like it was the other way around after all.
Someone hacked my 2nd PC, which I use as a server (too), using XAMPP's WebDAV (default password). I didn't know what WebDAV was before, but now I googled around a bit and I know what it is. I also unloaded WebDAV from the XAMPP installation and read a few guides about extra protection/hardening for XAMPP. Only one weird thing remains: why did someone try to use my 1MB of upload to DDoS someone (long list of IPs in my Apache access log)? You can't do a thing with 1MB upload alone, and I think my ISP throttles my upload speed anyway. It was a minimal PHP shell script with ping and file upload/execute. Also found a trojan downloader/possible backdoor in the Windows start-up folder/registry. Because it was not "that good" a virus infection, should I format or not?
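An added example, not part of the poster's write-up, of how the Apache access log from the post above can be read back to reconstruct the compromise: the WebDAV write request that dropped the PHP shell, every later request that drove it, and the addresses handed to it as command arguments (the "long list of IPs"). The log lines are constructed; the /webdav/ path is XAMPP's default DAV alias, and the `cmd=` parameter name, the shell file name and the status codes are assumptions about this particular shell.

```python
"""Reconstruct a WebDAV upload-and-abuse from an Apache access log.

Added example, not from the thread. Finds successful WebDAV write requests
(the dropped PHP shell), each later request that executed that file, and the
IPv4 addresses passed to it as command arguments (the flood targets).
Assumptions: combined log format, XAMPP's /webdav/ alias, a `cmd=` parameter.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample log lines (RFC 5737 addresses), combined log format.
SAMPLE_LOG = """\
198.51.100.23 - - [21/Feb/2011:22:58:40 +0200] "GET /images/cat.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Feb/2011:23:14:02 +0200] "OPTIONS /webdav/ HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/6.1.7600"
203.0.113.7 - - [21/Feb/2011:23:14:09 +0200] "PUT /webdav/sh.php HTTP/1.1" 201 312 "-" "Microsoft-WebDAV-MiniRedir/6.1.7600"
203.0.113.7 - - [21/Feb/2011:23:14:31 +0200] "GET /webdav/sh.php?cmd=ping+-n+9999+192.0.2.10 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Feb/2011:23:15:05 +0200] "GET /webdav/sh.php?cmd=ping+-n+9999+192.0.2.10 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.9 - - [21/Feb/2011:23:20:17 +0200] "GET /webdav/sh.php?cmd=ping+-n+9999+192.0.2.11 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.9 - - [21/Feb/2011:23:21:40 +0200] "POST /webdav/sh.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.23 - - [21/Feb/2011:23:30:00 +0200] "GET /webdav/sh.php HTTP/1.1" 401 401 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [time], "METHOD url proto", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
DAV_WRITE = {"PUT", "MKCOL", "COPY", "MOVE", "PROPPATCH"}
# Any PHP executed out of the DAV tree is abnormal even if the upload itself
# predates the log window.
SHELL_PATH_RE = re.compile(r"^/webdav/.*\.php$", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def analyse(log_text):
    """Return (uploads, executions, targets):
    uploads    -> {path: uploader_ip} for DAV writes that got a 2xx
    executions -> [(ip, path, decoded_query)] for 200s on uploaded or
                  DAV-hosted PHP files
    targets    -> Counter of IPv4 addresses found in those query strings
    MOVE/COPY destinations live in a request header the access log does not
    record, so only the source path of those is captured."""
    uploads, executions, targets = {}, [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        status = int(m["status"])
        path, _, query = m["url"].partition("?")
        if m["method"] in DAV_WRITE and 200 <= status < 300:
            uploads[path] = m["ip"]
        elif status == 200 and (path in uploads or SHELL_PATH_RE.match(path)):
            args = unquote_plus(query)
            executions.append((m["ip"], path, args))
            targets.update(IPV4_RE.findall(args))
    return uploads, executions, targets


def attacker_ips(uploads, executions):
    """Every address that uploaded or drove the shell: what to report or block."""
    return set(uploads.values()) | {ip for ip, _p, _q in executions}


if __name__ == "__main__":
    uploads, executions, targets = analyse(SAMPLE_LOG)
    print("uploaded:", uploads)
    for ip, path, args in executions:
        print(f"{ip} ran {path} with {args!r}")
    print("flood targets:", targets.most_common())
    print("attacker IPs:", sorted(attacker_ips(uploads, executions)))
```

Two things the output shows that the raw log does not: the 401 at the end is a bystander being refused, not an attacker, so status filtering matters; and the targets list is what the "long list of IPs" actually is, the victims of the ping flood run through the shell, not the people attacking this host. Shell scripts like the one described also take uploads by POST, which the access log records only as a 200 with no query string, so those hits are kept even though nothing can be extracted from them.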