Steam Users' Forums > Steam Discussions > Hardware and Operating Systems
02-22-2011, 08:50 AM   #1
Slayer00
How to find the IP of a DDoS attacker?

I suspect I am currently under a DDoS attack; how can I find the IP of the attacker?

netstat is useless because I NORMALLY have over 3000 connections listed there even without someone DDoSing me.

Also, how do I block it?


Yes, I have a dynamic IP.
Too lazy to turn off my modem for 10 minutes to obtain a new IP at the moment.
02-22-2011, 09:16 AM   #2
i9urd
Contact your ISP.
02-22-2011, 09:33 AM   #3
rotNdude (Volunteer Moderator)
Is your computer hooked directly to the modem or do you have a router?
02-22-2011, 09:40 AM   #4
Slayer00
My PC is connected to an unsecured (no firewall) router, which is hooked to a non-firewalled port on my modem.

Though after turning off my modem for 15 minutes the attack seemed to stop (the IP didn't change).
02-22-2011, 10:06 AM   #5
rotNdude (Volunteer Moderator)
Your router should be running NAT and should also have an admin console that you can log into. Check the logs.
02-22-2011, 10:08 AM   #6
Slayer00
My modem has 2 firewalled ports and 2 without a firewall. I have no devices connected to the firewalled ports, and I can log in to the control panel only from port 1 (firewalled).

Even if my PC wasn't connected to a port using the firewall (NAT), are there logs?
02-22-2011, 10:09 AM   #7
Archvile
3000 active connections sounds like an awful lot for a non-server. Are you sure your problems stop at a denial of service attack?

Anyway, you could use TCPView to look at the bandwidth used by each socket; that might give you a better idea of what's happening.
02-22-2011, 10:14 AM   #8
damaged
You will likely not see the IP being used by the attacker; chances are they are using a botnet, so their IP will never be disclosed to you, only the IPs of the various nodes (likely owned by innocent people with crappy security practices).

It is also possible the attacker's ISP does not egress filter, which would then mean he could be using spoofed IPs. In both cases, only the upstream can do anything about it (well, you could enable SYN cookies to slow it down); you will have to contact your ISP and have them contact the upstream provider(s) to null route the IPs. They will probably only do this, though, if the attack cripples them, or if you were someone like Amazon, in which case you probably would not even HAVE to call.

Lastly, if the attacker is actually only using his REAL IP and only his real IP (script-kiddie alert), then it would depend on the country he is in and the ISP's policies. It's pretty hard to get ISPs to work together from a consumer's standpoint when it involves multiple countries, but you can report the attacker to his ISP by sending mail to the abuse@ address.

If you have his IP(s) you can block them using iptables in Linux, and using IP security policy management in Windows, but if he is spoofing or using botnets, you will have your work cut out for you.

In short, if you want relief, change IPs, do not update any dyna hosts you use for the time being (if any), and hope they don't (have the ability and) start attacking your ISP's gateway.

Good luck.

Last edited by damaged: 02-22-2011 at 10:31 AM.
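One way to make the netstat output Slayer00 calls useless actually usable for triage, added here as an example and not code from anyone in the thread: it groups a `netstat -an` dump by remote address and TCP state, so a single chatty peer stands out from many sources holding one half-open socket each (the botnet/spoofed pattern damaged describes). The Windows column layout and the sample addresses are assumptions.

```python
"""Group a netstat -an dump by remote address and TCP state.

Added example, not from the thread. Assumes the Windows netstat column
layout (Proto, Local Address, Foreign Address, State); the addresses
below are constructed sample data, not anyone's real traffic.
"""
from collections import Counter

# Constructed sample: one peer with several sockets, four peers with one
# half-open socket each, an unrelated RDP session and a UDP line.
SAMPLE = """\
  TCP    192.168.1.10:80    203.0.113.5:51234     ESTABLISHED
  TCP    192.168.1.10:80    203.0.113.5:51235     ESTABLISHED
  TCP    192.168.1.10:80    203.0.113.5:51236     ESTABLISHED
  TCP    192.168.1.10:80    198.51.100.7:40001    SYN_RECEIVED
  TCP    192.168.1.10:80    198.51.100.8:40002    SYN_RECEIVED
  TCP    192.168.1.10:80    198.51.100.9:40003    SYN_RECEIVED
  TCP    192.168.1.10:80    198.51.100.10:40004   SYN_RECEIVED
  TCP    192.168.1.10:3389  192.0.2.44:22222      ESTABLISHED
  UDP    0.0.0.0:5353       *:*
"""

HALF_OPEN = {"SYN_RECEIVED", "SYN_RECV"}  # Windows and Linux spellings


def parse_netstat(text):
    """Yield (remote_ip, state) for each TCP line; headers and UDP are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0].upper() != "TCP":
            continue
        remote_ip = parts[2].rsplit(":", 1)[0]  # drop the port
        yield remote_ip, parts[3]


def summarize(text, top=5):
    """Return (busiest remote IPs, counts per state, IPs with half-open sockets)."""
    per_ip, per_state, half_open = Counter(), Counter(), set()
    for ip, state in parse_netstat(text):
        per_ip[ip] += 1
        per_state[state] += 1
        if state in HALF_OPEN:
            half_open.add(ip)
    return per_ip.most_common(top), per_state, sorted(half_open)


if __name__ == "__main__":
    top_ips, states, half_open = summarize(SAMPLE)
    print("busiest remote IPs:", top_ips)
    print("per state:", dict(states))
    # Many sources with one half-open socket each, rather than one busy
    # address, is the botnet/spoofed pattern described in the thread.
    print("half-open sources:", half_open)
```

Pipe real output in with `netstat -an | python triage.py` after replacing SAMPLE with `sys.stdin.read()`; the per-state counts tell you whether the 3000 entries are established sessions or a pile of half-open handshakes.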
02-22-2011, 10:30 AM   #9
Slayer00
Quote:
Originally Posted by Archvile
3000 active connections sounds like an awful lot for a non-server. Are you sure your problems stop at a denial of service attack?

Anyway, you could use TCPView to look at the bandwidth used by each socket; that might give you a better idea of what's happening.
Semi-server.

Apache running for easy image sharing (too lazy to launch an FTP program).
Used to run game servers and TS as well, but moved them to my other PC.

Just when I tried to record netstat I get less than 50 connections now. Strange. Maybe because I restarted the modem lately.
I can show (and ask what they all are) later maybe.
TCPView keeps multiplying the processes; I had 3 IE tabs open and I saw over 30 IE things in TCPView.
Quote:
Originally Posted by damaged
You will likely not see the IP being used by the attacker; chances are they are using a botnet, so their IP will never be disclosed to you, only the IPs of the various nodes (likely owned by innocent people with crappy security practices).

It is also possible the attacker's ISP does not egress filter, which would then mean he could be using spoofed IPs. In both cases, only the upstream can do anything about it (well, you could enable SYN cookies to slow it down); you will have to contact your ISP and have them contact the upstream provider(s) to null route the IPs. They will probably only do this, though, if the attack cripples them, or if you were someone like Amazon, in which case you probably would not even HAVE to call.

Lastly, if the attacker is actually only using his REAL IP and only his real IP (script-kiddie alert), then it would depend on the country he is in and the ISP's policies. It's pretty hard to get ISPs to work together from a consumer's standpoint, but you can report the attacker to his ISP by sending mail to the abuse@ address.

In short, if you want relief, change IPs and hope they don't (have the ability and) start attacking your ISP's gateway.

Good luck.
Yeah, it might be a botnet, or not.

The same person (maybe) attacked one of my websites and spammed some sort of contact form already 3 times. I think I got 2 IPs which are his real IPs, and also found free proxy website IPs, so I doubt he has access to botnets if he is using free proxies instead of a VPN/victims' PCs.

If I just find out the IP of the DDoS attacker I would be sure it's the same person and could report him to his ISP.
02-22-2011, 10:39 AM   #10
damaged
Quote:
Originally Posted by Slayer00
Semi-server.

Apache running for easy image sharing (too lazy to launch an FTP program).
Used to run game servers and TS as well, but moved them to my other PC.

Just when I tried to record netstat I get less than 50 connections now. Strange. Maybe because I restarted the modem lately.
I can show (and ask what they all are) later maybe.
TCPView keeps multiplying the processes; I had 3 IE tabs open and I saw over 30 IE things in TCPView.

Yeah, it might be a botnet, or not.

The same person (maybe) attacked one of my websites and spammed some sort of contact form already 3 times. I think I got 2 IPs which are his real IPs, and also found free proxy website IPs, so I doubt he has access to botnets if he is using free proxies instead of a VPN/victims' PCs.

If I just find out the IP of the DDoS attacker I would be sure it's the same person and could report him to his ISP.
When you get his IPs you should immediately report him to his (and your, unless you're not supposed to be running servers) ISP, even if you are not sure (they'll work it out). The reason is logs: the sooner a report is made, the more likely something will get/can be done. If you wait around for days, then report, nothing will likely become of it, unless, like I said earlier, you are a bigshot or it affects the ISP significantly (and it's unlikely a few 10 thousand SYN/ACKs is going to even make them blink).

That being said, chances are nothing will be done if the person originates from another country. That is not to say that you shouldn't report them, though; I'm just bracing you for the most likely outcome. If they originate in China, Russia or Romania, FORGET it, change IPs and give up the fantasy of reporting them and getting them shut down.

This has been my experience with dealing with DDoSes anyway.

Good luck.

Last edited by damaged: 02-22-2011 at 10:44 AM.
02-23-2011, 12:08 AM   #11
Slayer00
Well, seems like it was the other way around after all.

Someone hacked my 2nd PC, which I use as a server (too), using XAMPP's WebDAV (default password). I didn't know what WebDAV was before, but I googled around a bit and I know what it is now.
I also unloaded WebDAV from the XAMPP installation and read a few guides about extra protection/hardening for XAMPP.

Only one weird thing remaining: why did someone try to use my 1MB of upload to DDoS someone (long list of IPs in my Apache access log)?
You can't do a thing with 1MB upload alone, and I think my ISP throttles my upload speed anyway.

It was a minimal PHP shell script with ping and file upload/execute.
Also found a trojan download/possible backdoor in the Windows start-up folder/registry.

Because it was not "that good" a virus infection, should I format or not?
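For the compromise described in the last post, an added example (not the poster's or XAMPP's code) that scans Apache combined-format access log lines for a script file written through WebDAV and every request that later hits it, which is what the "long list of IPs" in the access log would sit next to. The log entries, the IPs and the path /webdav/shell.php are constructed.

```python
"""Find a script uploaded through WebDAV and the requests that hit it.

Added example, not the poster's or XAMPP's code. Assumes Apache combined
log format; the IPs and the path /webdav/shell.php are constructed.
"""
import re

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample: a PROPFIND/PUT via WebDAV, then hits on the uploaded file.
SAMPLE_LOG = """\
198.51.100.23 - - [22/Feb/2011:03:12:07 -0700] "PROPFIND /webdav/ HTTP/1.1" 207 1024 "-" "DAV client"
198.51.100.23 - - [22/Feb/2011:03:12:09 -0700] "PUT /webdav/shell.php HTTP/1.1" 201 0 "-" "DAV client"
198.51.100.23 - - [22/Feb/2011:03:12:15 -0700] "GET /webdav/shell.php?cmd=ping HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [22/Feb/2011:08:01:00 -0700] "GET /images/cat.jpg HTTP/1.1" 200 40213 "-" "Mozilla/5.0"
198.51.100.23 - - [22/Feb/2011:09:44:41 -0700] "POST /webdav/shell.php HTTP/1.1" 200 128 "-" "Mozilla/5.0"
"""

WRITE_METHODS = {"PUT", "MOVE", "COPY"}     # WebDAV verbs that create files
SCRIPT_EXT = (".php", ".phtml", ".php5")    # extensions Apache may hand to PHP


def parse_log(text):
    """Yield one dict per well-formed combined-format line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def find_webdav_abuse(text):
    """Map each script path written via WebDAV (2xx) to the upload and every
    later request for that path, as (ip, method, status) tuples."""
    uploaded = {}
    for e in parse_log(text):
        path = e["path"].split("?", 1)[0]       # ignore the query string
        written = e["method"] in WRITE_METHODS and e["status"].startswith("2")
        if written and path.lower().endswith(SCRIPT_EXT):
            uploaded.setdefault(path, []).append((e["ip"], e["method"], e["status"]))
        elif path in uploaded:
            uploaded[path].append((e["ip"], e["method"], e["status"]))
    return uploaded


if __name__ == "__main__":
    for path, hits in find_webdav_abuse(SAMPLE_LOG).items():
        print(path, "written, then requested", len(hits) - 1, "times:", hits)
```

Run it over the real access_log to get the upload timestamp and the client addresses that drove the shell; that, plus the start-up folder/registry entries, is what decides whether the box is worth cleaning or should be reinstalled.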