Request for contact and procedure information

Jeffrey Lyon jeffrey.lyon at blacklotus.net
Fri Jul 10 01:11:49 CDT 2009


All,

There are few if any ISP that will help you with something like this.
Law enforcement also does not have the resources to even begin to look
at a single DSL line being attacked unless you can show 7+ figures in
damage or some type of major threat to national infrastructure.

Your options are basically as follows:

1) Use csf . If properly tuned this should be sufficient to filter
minor attacks.
2) Invest in a decent firewall like a Juniper Netscreen and set
session limits. This won't stop an attack but it will limit the amount
of traffic you have to filter locally.
3) Ask SBC to null route the IP completely
4) Invest in an actual protection service.

Jeff


On Fri, Jul 10, 2009 at 12:02 AM, Jon Kibler<Jon.Kibler at aset.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Jon Kibler wrote:
>> Charles Wyble wrote:
>>> All,
>>
>>> I'm currently experiencing a DDOS attack on my home DSL connection.
>>
>>> Thousands of requests to port 80.
>>
>>> I'm on an SBC business class account.
>>
>>> I'm guessing that calling the regular customer support won't get me
>>> anywhere.
>>
>>> Any suggestions?
>>
>> Okay, this is going to sound REALLY lame, but IMHO it may be your best bet to
>> get action from SBC:
>>
>>    1) File a police report with your local law enforcement agency and (CRITICAL)
>> get a case number. (You should have well documented when the attack started,
>> too. If asked why you waited so long to report it, explain that you were not
>> familiar with procedures. You may also be asked what you have that someone wants
>> to attack. "I don't know" is an acceptable answer, if that is the truth.) When
>> local law enforcement completes taking the report, request that your local law
>> enforcement escalate the case to the local/regional FBI office (specifically
>> mention InfraGuard).
>>
>>    2) Call your local FBI office and ask to speak to the InfraGuard coordinator.
>> (If it is a small office, they may refer you to your regional office.) Tell them
>> you are being DDOSed, that you have filed a report with local law enforcement
>> (give them agency and case number), tell them who is your ISP and contact
>> information, and tell them ISP has been uncooperative at resolution. Ask them
>> can they please help -- at a minimum, can they contact the ISP and get them to
>> start null routing DDOS traffic.
>>
>> Just out of curiosity, do you have any traffic capture? If so, what type of
>> attack is it? SYN flood, Apache instance starvation, etc.?
>>
>> You may want to do some packet capture for hand-over to law enforcement.
>>
>> I know this sounds lame, but I also CONSTANTLY hear from InfraGuard that they
>> want to be informed of these types of attacks, and they will help when resources
>> permit.
>>
>> Don't expect miracles. But it is better than nothing.
>>
>> Finally, document, document, document!!!
>>
>> Jon
>
>
> I hate to reply to my own email... but as soon as I hit "SEND", I realized I
> left off something important...
>
> You said you have Business Class DSL. Is this for a business? If so, have your
> lawyer contact SBC. S/he should request to talk with the department manager for
> small business services. That, too, may help get action. Be sure to provide
> him/her with written documentation on everything you can regarding the attack.
> The more information that s/he has, the better to beat up on SBC with.
>
> Finally, what does your TOS/SLA say about DDoS? Most have something to say about
> ISP liability in the mitigation of such attacks.
>
> GOOD LUCK!
>
> Jon
> - --
> Jon R. Kibler
> Chief Technical Officer
> Advanced Systems Engineering Technology, Inc.
> Charleston, SC  USA
> o: 843-849-8214
> c: 843-813-2924 (NEW!)
> s: 843-564-4224
> http://www.linkedin.com/in/jonrkibler
>
> My PGP Fingerprint is:
> BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.8 (Darwin)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkpWvU0ACgkQUVxQRc85QlO21wCffh5vK5V39ffWJGZPgoA4a9ii
> RpcAnjdVCx4l693Pw6vYz58xjZt//Cdx
> =UTXU
> -----END PGP SIGNATURE-----
>
>
>
>
> ==================================================
> Filtered by: TRUSTEM.COM's Email Filtering Service
> http://www.trustem.com/
> No Spam. No Viruses. Just Good Clean Email.
>
>



-- 
Jeffrey Lyon, Leadership Team
jeffrey.lyon at blacklotus.net | http://www.blacklotus.net
Black Lotus Communications of The IRC Company, Inc.

Look for us at HostingCon 2009 in Washington, DC on August 10th - 12th
at Booth #401.




More information about the NANOG mailing list