gogoWes
Cadet

 Joined: Jul 19, 2008 Posts: 6 Location: USA
Posted: Sat Jul 19, 2008 11:48 pm Post subject: Help with DDOS Attack Please |
We have been under a DDOS attack off and on since April. The person sent an email looking to extort money from us, and I have no intention of feeding into their game.
I saw the weird user agents and googled "googlebawt" and saw this article:
http://8e6labs.com/2007/09/28/bots-brazen-user-agent-headers/
I see that CastleCops has seen this type of attack before. Would someone be able to help us get out of it?
We have manually banned over 1000 IPs.
I recently found this page and it appears to be the exact program used to launch this attack since all the user agents match what I have been seeing.
http://www.teamfurry.com/wordpress/2007/10/16/illusion-now-you-see-me-now-you-dont/
"The HTTP flooding component uses the following User-Agent fields when performing the DDOS:
Mozilla/5.0 (Slurp/cat; vaginamook@inktomi.com; http://www.supercocklol.com/slurp.html)
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/2003100
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; ODI3 Navigator)
Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.5) Gecko/20031021
Mozilla/4.0 (compatible; MSIE 5.0; Windows 98; DigExt)
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5a) Gecko/20030718
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461)
Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90; H010818; AT&T CSM6.0)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; DigExt)
Mozilla/5.0 (Slurp/si; slurp@inktomi.com; http://www.inktomi.com/slurp.html)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Avast Browser [avastye.com]; .NET CLR 1.1.4322)
Googlebot/2.1 (+http://www.googlebawt.com/bot.html)
Mozilla/4.0 (compatible; MSIE 5.5; Windows 9
FAST-WebCrawler/3.8 (atw-crawler at fast dot no; http://i.love.teh.cock/support/crawler.asp)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Hotbar 4.3.1.0)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 1.0.3705)
Microsoft-WebDAV-MiniRedir/5.1.2600
Mozilla/4.75 [en]
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FunWebProducts-MyWay; (R1 1.3); .NET CLR 1.1.4322)
Mozilla/4.0 compatible ZyBorg/1.0 (wn.zyborg@looksmart.net; http://www.lolyousuck.com)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461)
Lynx/2.8.4rel.1 libwww-FM/2.14 SSL-MM/1.4.1 GNUTLS/0.8.6"
Is there any way to block those user agents?
Also, what is the best way to get this person caught?
Thank you so much to anyone that can help.
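As an added example (Python written for this page, not code from the original post, from CastleCops or from the Illusion write-up), the script below answers the "any way to block those user agents?" question the way a practitioner would on a cPanel/Apache box: it parses combined-format access-log lines, flags only the User-Agent strings from the quoted list that no real browser ever sends (googlebawt.com, supercocklol.com, lolyousuck.com, i.love.teh.cock, ODI3 Navigator, avastye.com and the vaginamook@inktomi.com address), counts requests per source, and emits APF deny commands (apf -d HOST, assuming APF is the firewall on the box). The caveat is the important part: most entries in the Illusion list (the MSIE 6.0 / .NET CLR strings, Lynx, Mozilla/4.75) are exactly what real visitors send, so a UA blocklist must not contain them; those sources can only be identified by request rate, which is what the threshold does. The log lines and the threshold of 50 requests are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Substrings that occur only in the forged User-Agent strings quoted above from
# the Illusion bot's HTTP flooder. Several other entries in that list (for
# example "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)")
# are exactly what real IE6 users send, so they are deliberately NOT matched:
# sources using those are caught by request rate instead.
FORGED_UA_MARKERS = (
    "googlebawt.com",
    "supercocklol.com",
    "vaginamook@inktomi.com",
    "i.love.teh.cock",
    "lolyousuck.com",
    "ODI3 Navigator",
    "avastye.com",
)

# Apache "combined" log format (what cPanel writes per domain).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumed threshold: requests from one IP within the log window before it is
# treated as a flooder regardless of its User-Agent.
RATE_THRESHOLD = 50


def parse_line(line):
    """Fields of one combined-format line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_forged_ua(ua):
    """True only for the tell-tale forged strings, never for a plausible browser UA."""
    return any(marker in ua for marker in FORGED_UA_MARKERS)


def analyse(lines, rate_threshold=RATE_THRESHOLD):
    """Classify the source IPs in an access log.

    Returns (forged, hot, counts):
      forged - IPs that sent at least one tell-tale forged User-Agent
      hot    - IPs whose request count reached rate_threshold
      counts - requests per IP
    """
    counts = Counter()
    forged = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not an access-log record; skip rather than crash mid-flood
        counts[rec["ip"]] += 1
        if is_forged_ua(rec["ua"]):
            forged.add(rec["ip"])
    hot = {ip for ip, n in counts.items() if n >= rate_threshold}
    return forged, hot, counts


def ban_commands(ips):
    """One APF deny command (apf -d HOST) per IP, in numeric order."""
    return [f"apf -d {ip}" for ip in sorted(ips, key=ipaddress.ip_address)]


# Constructed sample log: two forged-UA hits from one host, one legitimate
# visitor, one junk line, and a flood of ordinary-looking IE6 requests from a
# host whose UA alone would never justify blocking it.
FLOOD_LINE = (
    '89.106.114.204 - - [21/Jul/2008:22:10:05 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"'
)
SAMPLE_LINES = [
    '190.80.186.218 - - [21/Jul/2008:22:10:01 -0400] "GET / HTTP/1.1" 200 5120 "-" '
    '"Googlebot/2.1 (+http://www.googlebawt.com/bot.html)"',
    '190.80.186.218 - - [21/Jul/2008:22:10:01 -0400] "GET / HTTP/1.1" 200 5120 "-" '
    '"Mozilla/4.0 compatible ZyBorg/1.0 (wn.zyborg@looksmart.net; http://www.lolyousuck.com)"',
    '203.0.113.7 - - [21/Jul/2008:22:10:03 -0400] "GET /about.html HTTP/1.1" 200 2048 '
    '"http://www.example.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"',
    "this line is not an access-log record",
] + [FLOOD_LINE] * 60


if __name__ == "__main__":
    forged, hot, counts = analyse(SAMPLE_LINES)
    for ip in sorted(forged | hot, key=ipaddress.ip_address):
        print(f"{ip:16} {counts[ip]:4d} requests  forged_ua={ip in forged}")
    print("\n".join(ban_commands(forged | hot)))
```

For the static part of this, Apache 2.2 can do the same string match itself with SetEnvIfNoCase User-Agent "googlebawt|supercocklol|lolyousuck" bad_bot followed by Order Allow,Deny / Allow from all / Deny from env=bad_bot in httpd.conf or .htaccess. That only saves the backend work, though: the connection still reaches Apache and still costs a worker, which is why the IP-level deny from the script is the part that actually relieves the box.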
TheSun
Guest IP: 76.74.*.*
Posted: Sun Jul 20, 2008 1:59 am Post subject: |
See http://www.evasystems.net.
They can protect you remotely if you don't want to move your host, or you can move and get even better protection on their network.
Let me know if you have any questions.
StopDDoS
Private

 Joined: Oct 02, 2007 Posts: 40 Location: USA
Posted: Sun Jul 20, 2008 1:04 pm Post subject: |
Do you have a list of IPs attacking you?
Thanks
Tom
Thomas Anderson
Chief Security Officer
http://StopDDOS.ORG
gogoWes
Cadet

 Joined: Jul 19, 2008 Posts: 6 Location: USA
Posted: Sun Jul 20, 2008 9:02 pm Post subject: |
Thanks for your quick replies.
I have been saving a Google spreadsheet and have about 200-400 IPs that have been blocked so far. I also have a sample of the last 300 users from cPanel.
StopDDoS
Private

 Joined: Oct 02, 2007 Posts: 40 Location: USA
Posted: Sun Jul 20, 2008 10:02 pm Post subject: |
Post it when you can 
gogoWes
Cadet

 Joined: Jul 19, 2008 Posts: 6 Location: USA
StopDDoS
Private

 Joined: Oct 02, 2007 Posts: 40 Location: USA
Posted: Mon Jul 21, 2008 10:00 am Post subject: |
Thanks - Do you have a list of the 1000 banned IPs?
Could you take a fresh tcpdump/windump from your box while the attack is ongoing?
The more IPs the better. Gives us more of a chance of finding the C&C and then everything else.
Tom
gogoWes
Cadet

 Joined: Jul 19, 2008 Posts: 6 Location: USA
Posted: Mon Jul 21, 2008 10:52 pm Post subject: |
Is this what you mean?
Our host provided us with:
-------------------------
root@host [~]# tcpdump -nnqt ether dst `ifconfig eth0 | grep eth0 | awk '{print $5}'` > out
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
636 packets captured
636 packets received by filter
0 packets dropped by kernel
root@host [~]# cat out | awk '{print $2}' | cut -d"." -f1,2,3,4 | sort -n | uniq -c | sort -n
      1
      1 70.110.167.108
      2 69.239.114.87
      3 64.91.239.15
      3 67.100.93.245
      3 90.224.28.164
      6 79.5.18.58
     19 201.153.180.150
     21 190.47.221.77
     22 189.191.151.174
     22 82.155.124.185
     23 219.95.202.114
     27 190.46.6.67
     28 213.190.63.52
     29 79.7.177.254
     30 203.171.242.171
     35 189.70.73.17
     35 99.254.29.206
     37 201.244.211.189
     41 77.121.213.139
     42 190.80.186.218
     45 89.106.114.204
     46 190.56.191.185
     57 81.153.148.119
     59 85.65.226.197
root@host [~]# netstat -tn 2>/dev/null | grep :80 | awk '{print $5}' | cut -f1 -d: | sort | uniq -c | sort -rn | head
    107 77.121.213.139
    103 89.106.114.204
     94 213.190.63.52
apf'd those
---------------------------
Thanks again,
StopDDoS
Private

 Joined: Oct 02, 2007 Posts: 40 Location: USA
Posted: Tue Jul 22, 2008 8:41 pm Post subject: |
Will take a look
gogoWes
Cadet

 Joined: Jul 19, 2008 Posts: 6 Location: USA
Posted: Wed Jul 23, 2008 4:00 pm Post subject: |
Thanks so much!
gogoWes
Cadet

 Joined: Jul 19, 2008 Posts: 6 Location: USA
Posted: Sat Jul 26, 2008 9:46 pm Post subject: |
Is there anybody else that could help us out with this one?
StopDDoS
Private

 Joined: Oct 02, 2007 Posts: 40 Location: USA
Posted: Sun Jul 27, 2008 3:17 pm Post subject: |
Please see your private message if you wish to gain further assistance. It would be nice to get more IP addresses, 1000s if you have them.
ahoier
SIRT Handler
 Joined: Jan 14, 2006 Posts: 1023 Location: USA
Blibit42
Cadet

 Joined: Aug 16, 2008 Posts: 5 Location: USA
Posted: Sat Aug 16, 2008 7:26 pm Post subject: |
Our SMTP servers were attacked recently by about 7000 machines, which really bummed us out until we figured out how to STOP them. At one point we had over 108,000 sessions being initiated from 7000 machines in under 10 minutes - they also got new IP addresses every few days and kept slamming us (getting new IPs is what we named the "Homer Simpson Effect" - or HSE). It is explained in my PDFs, which I will upload shortly.
I can't sit here and explain it in detail in a single message, but basically, I have written a piece of software to scour your server logs and pull out the offending IP addresses; then it builds, sorts and dedupes a P2P-formatted IP address list; then you simply use PeerGuardian-Lite (I prefer the Lite) or PeerGuardian 2 for Windows servers, or moblock for Linux servers, and this DROPs the SYN packets BEFORE they get to your server. If they get to your server software, it is too late to stop the damage (they have eaten your resources). But when you DROP THE SMALL SYN packets on the way in, this effectively kills them DEAD; it is the ONLY REAL way to stop them in the act. AND IT WORKS! (It works very well.) I have a PDF that describes it in GREAT (20-page) detail, plus an Emergency 5-page Quick Start guide to get you going (I KNOW the panic and dismay they cause). We must stop these bloodsuckers, and we know how (and I mean STOP THEM COLD).
DON'T GIVE IN TO THEM. Stop them dead, instead... (Hey, I'm a poet! No, I know this isn't the least bit funny, but at one point all we had left was our humor - I think you know how it is.)
I am new here on CC, and I noticed we can do attachments. I will go clean up the Doc file and convert it to PDF, and come back in a few minutes and post the detailed instructions AND the C code, too. If this is NOT OK, let me know. We must stop these criminals. I have had it with them...
Most sincerely,
Richard P. Blibit (Mr. Blibit42)
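An added example (Python written for this page, not Mr. Blibit's C code or anything from his PDF) of the list-building step he describes: pull the foreign addresses out of netstat -tn output for the port under attack, dedupe and sort them numerically, merge consecutive addresses into ranges, and write them in the label:start-end P2P text format that PeerGuardian and moblock load. Only addresses that actually appeared are covered, and only consecutive ones are merged, so the list never blocks a host that was not seen. Because the bots change IP every few days (his "Homer Simpson Effect"), the list has to be regenerated from fresh output rather than kept forever; this script builds one snapshot. The netstat output is constructed sample data, and port 25 is assumed to match his SMTP case.

```python
import ipaddress


def ips_from_netstat(lines, local_port=25):
    """Foreign IPv4 addresses from `netstat -tn` output for connections to local_port.

    Duplicates are kept here on purpose; coalesce() removes them, and the raw
    list is still useful for counting sessions per source.
    """
    found = []
    for line in lines:
        fields = line.split()
        if len(fields) < 6 or fields[0] != "tcp":
            continue  # header lines, udp, unix sockets, etc.
        local, foreign = fields[3], fields[4]
        if not local.endswith(f":{local_port}"):
            continue  # traffic to some other service on the box
        ip = foreign.rsplit(":", 1)[0]
        try:
            found.append(str(ipaddress.IPv4Address(ip)))
        except ipaddress.AddressValueError:
            continue  # IPv6 or malformed; not expressible in an IPv4 P2P line
    return found


def coalesce(ips):
    """Dedupe, sort numerically and merge consecutive addresses into (start, end) ranges."""
    addrs = sorted({ipaddress.IPv4Address(ip.strip()) for ip in ips if ip.strip()})
    ranges = []
    for a in addrs:
        if ranges and int(a) == int(ranges[-1][1]) + 1:
            ranges[-1][1] = a  # extends the current run of consecutive addresses
        else:
            ranges.append([a, a])
    return [(str(s), str(e)) for s, e in ranges]


def to_p2p(ips, label="smtp-flood"):
    """PeerGuardian/moblock P2P text format: one 'label:start-end' line per range."""
    return [f"{label}:{s}-{e}" for s, e in coalesce(ips)]


# Constructed sample of `netstat -tn` output during a flood against port 25:
# four distinct sources, one of them seen twice, plus an unrelated web client.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 198.51.100.10:25        192.0.2.5:41322         SYN_RECV
tcp        0      0 198.51.100.10:25        192.0.2.6:41323         SYN_RECV
tcp        0      0 198.51.100.10:25        192.0.2.7:41324         ESTABLISHED
tcp        0      0 198.51.100.10:25        192.0.2.9:41325         SYN_RECV
tcp        0      0 198.51.100.10:25        192.0.2.5:41326         SYN_RECV
tcp        0      0 198.51.100.10:80        203.0.113.44:50000      ESTABLISHED
""".splitlines()


if __name__ == "__main__":
    # Write the result to a file moblock or PeerGuardian can load as a P2P list.
    print("\n".join(to_p2p(ips_from_netstat(SAMPLE_NETSTAT))))
```

Feed it `netstat -tn` (or the per-IP lines from the access log) rather than whole /24s: range merging here is purely mechanical, so a legitimate customer whose address happens to sit between two bots is only blocked if it was itself in the input.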
YounGun
1st Responder Site Moderator
 Joined: Dec 11, 2004 Posts: 4122
Posted: Sun Aug 17, 2008 2:36 pm Post subject: |
Hi
You are free to post the file in .pdf format.
_________________
IT Stuff