All, There are few if any ISP that will help you with something like this. Law enforcement also does not have the resources to even begin to look at a single DSL line being attacked unless you can show 7+ figures in damage or some type of major threat to national infrastructure. Your options are basically as follows: 1) Use csf . If properly tuned this should be sufficient to filter minor attacks. 2) Invest in a decent firewall like a Juniper Netscreen and set session limits. This won't stop an attack but it will limit the amount of traffic you have to filter locally. 3) Ask SBC to null route the IP completely 4) Invest in an actual protection service. Jeff On Fri, Jul 10, 2009 at 12:02 AM, Jon Kibler<Jon.Kibler@aset.com> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Jon Kibler wrote:
Charles Wyble wrote:
All,
I'm currently experiencing a DDOS attack on my home DSL connection.
Thousands of requests to port 80.
I'm on an SBC business class account.
I'm guessing that calling the regular customer support won't get me anywhere.
Any suggestions?
Okay, this is going to sound REALLY lame, but IMHO it may be your best bet to get action from SBC:
1) File a police report with your local law enforcement agency and (CRITICAL) get a case number. (You should have well documented when the attack started, too. If asked why you waited so long to report it, explain that you were not familiar with procedures. You may also be asked what you have that someone wants to attack. "I don't know" is an acceptable answer, if that is the truth.) When local law enforcement completes taking the report, request that your local law enforcement escalate the case to the local/regional FBI office (specifically mention InfraGuard).
2) Call your local FBI office and ask to speak to the InfraGuard coordinator. (If it is a small office, they may refer you to your regional office.) Tell them you are being DDOSed, that you have filed a report with local law enforcement (give them agency and case number), tell them who is your ISP and contact information, and tell them ISP has been uncooperative at resolution. Ask them can they please help -- at a minimum, can they contact the ISP and get them to start null routing DDOS traffic.
Just out of curiosity, do you have any traffic capture? If so, what type of attack is it? SYN flood, Apache instance starvation, etc.?
You may want to do some packet capture for hand-over to law enforcement.
I know this sounds lame, but I also CONSTANTLY hear from InfraGuard that they want to be informed of these types of attacks, and they will help when resources permit.
Don't expect miracles. But it is better than nothing.
Finally, document, document, document!!!
Jon
I hate to reply to my own email... but as soon as I hit "SEND", I realized I left off something important...
You said you have Business Class DSL. Is this for a business? If so, have your lawyer contact SBC. S/he should request to talk with the department manager for small business services. That, too, may help get action. Be sure to provide him/her with written documentation on everything you can regarding the attack. The more information that s/he has, the better to beat up on SBC with.
Finally, what does your TOS/SLA say about DDoS? Most have something to say about ISP liability in the mitigation of such attacks.
GOOD LUCK!
Jon - -- Jon R. Kibler Chief Technical Officer Advanced Systems Engineering Technology, Inc. Charleston, SC USA o: 843-849-8214 c: 843-813-2924 (NEW!) s: 843-564-4224 http://www.linkedin.com/in/jonrkibler
My PGP Fingerprint is: BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkpWvU0ACgkQUVxQRc85QlO21wCffh5vK5V39ffWJGZPgoA4a9ii RpcAnjdVCx4l693Pw6vYz58xjZt//Cdx =UTXU -----END PGP SIGNATURE-----
================================================== Filtered by: TRUSTEM.COM's Email Filtering Service http://www.trustem.com/ No Spam. No Viruses. Just Good Clean Email.
-- Jeffrey Lyon, Leadership Team jeffrey.lyon@blacklotus.net | http://www.blacklotus.net Black Lotus Communications of The IRC Company, Inc. Look for us at HostingCon 2009 in Washington, DC on August 10th - 12th at Booth #401.