CastleCops, Internet Crime Fighters
Need help? Click here to register for free! Absolutely zero advertisements on this site!

Donation/Premium
spacer
Donations. Become Premium Today! Premium Icon
block bottom
Security Central
spacer
· Home
· PIRT/Fried Phish
· MIRT
· SIRT
· Deutsch
· Wiki
· Newsletter
· O16/ActiveX
· CLSID List
· Contest2007
· Downloads
· Feedback (send)
· Forums
· HijackThis
· Hijacktrend
· LSPs
· My Downloads
· O18
· O20
· O21
· O22
· O23
· O9
· Premium
· Private Messages
· Proxomitron
· Reviews
· Search
· StartupList
· Stories Archive
· Submit News
· WsIRT
· Your Account
· Acceptable Use Policy
block bottom
spacer spacer
 Forum FAQForum FAQ   SearchSearch   UsergroupsUsergroups   ProfileProfile   Login to check your private messagesLogin to check your private messages   LoginLogin   Your Favorite ForumsSelect FavForums 

Currently under DDoS attack - How do I find out what type

 
Post new topic   Reply to topic       All -> FavForums -> DDoS [del.icio.us!] [digg it!] [reddit!]
View previous topic :: View next topic  
Author Message
JettaDude

Cadet
Cadet


Joined: Aug 29, 2008
Posts: 1
Location: USA
PostPosted: Fri Aug 29, 2008 1:08 am    Post subject: Currently under DDoS attack - How do I find out what type
Reply with quote

Hello,

My website is currently under DDoS attack. Here is a tcpdump while the attack is occurring. I have tried csf connection tracking, ddos deflate everything, new connections keep coming in and eating bandwidth (the attack isnt big enough to bring the server down)

Here is my tcp dump taken during the attack



18:56:50.291805 IP 151.203.0.84.34561 > 69.42.220.161.domain: 18602 A? www.target.com. (34)
18:56:50.305368 IP xx.xx.xxx.xx.22 > 96.232.117.182.4700: P 13211977:13212157(180) ack 63388 win 24656
18:56:50.309568 IP 62.37.80.126.33818 > xx.xx.xxx.xx.http: . ack 1 win 30492
18:56:50.316115 IP 62.37.80.126.33819 > xx.xx.xxx.xx.http: . ack 1 win 30492
18:56:50.317692 IP 62.37.80.126.33820 > xx.xx.xxx.xx.http: . ack 1 win 30492
18:56:50.319083 IP 62.37.80.126.33821 > xx.xx.xxx.xx.http: . ack 1 win 30492
18:56:50.320433 IP 96.232.117.182.4700 > xx.xx.xxx.xx.22: . ack 13208805 win 65535
18:56:50.320607 IP 62.37.80.126.33823 > xx.xx.xxx.xx.http: . ack 1 win 30492
18:56:50.320653 IP 62.37.80.126.33822 > xx.xx.xxx.xx.http: . ack 1 win 30492
18:56:50.356807 IP xx.xx.xxx.xx.http > 62.164.255.170.54006: F 293:293(0) ack 374 win 6432
18:56:50.368006 IP 65.31.80.121.precise-sft > xx.xx.xxx.xx.http: S 720789134:720789134(0) win 16384 <mss 1460,nop,nop,sackOK>
18:56:50.372011 IP 62.37.80.126.33822 > xx.xx.xxx.xx.http: P 1:380(379) ack 1 win 30492
18:56:50.372044 IP xx.xx.xxx.xx.http > 62.37.80.126.33822: . ack 380 win 6432
18:56:50.372177 IP xx.xx.xxx.xx.http > 62.37.80.126.33822: P 1:619(618) ack 380 win 6432
18:56:50.372243 IP xx.xx.xxx.xx.http > 62.37.80.126.33822: F 619:619(0) ack 380 win 6432
18:56:50.374808 IP xx.xx.xxx.xx.http > 62.164.255.170.54007: F 293:293(0) ack 358 win 6432
18:56:50.378584 IP 62.37.80.126.33821 > xx.xx.xxx.xx.http: P 1:414(413) ack 1 win 30492
18:56:50.378617 IP xx.xx.xxx.xx.http > 62.37.80.126.33821: . ack 414 win 6432
18:56:50.378718 IP xx.xx.xxx.xx.http > 62.37.80.126.33821: P 1:619(618) ack 414 win 6432
18:56:50.378766 IP xx.xx.xxx.xx.http > 62.37.80.126.33821: F 619:619(0) ack 414 win 6432
18:56:50.380648 IP 68.117.88.10.terminaldb > xx.xx.xxx.xx.http: S 276319166:276319166(0) win 65535 <mss 1460,nop,nop,sackOK>
18:56:50.380706 IP xx.xx.xxx.xx.http > 68.117.88.10.terminaldb: S 1549771425:1549771425(0) ack 276319167 win 5840 <mss 1460,nop,nop,sackOK>
18:56:50.380660 IP 68.117.88.10.ttyinfo > xx.xx.xxx.xx.http: . ack 620 win 64917
18:56:50.380670 IP 68.117.88.10.ttyinfo > xx.xx.xxx.xx.http: F 422:422(0) ack 620 win 64917
18:56:50.380747 IP xx.xx.xxx.xx.http > 68.117.88.10.ttyinfo: . ack 423 win 6432
18:56:50.380871 IP xx.xx.xxx.xx.22 > 96.232.117.182.4700: P 13213593:13213773(180) ack 63388 win 24656
18:56:50.380957 IP xx.xx.xxx.xx.22 > 96.232.117.182.4700: P 13213773:13213905(132) ack 63388 win 24656
18:56:50.382980 IP 62.164.255.170.54008 > xx.xx.xxx.xx.http: P 1:383(382) ack 1 win 17520
18:56:50.384105 IP 62.37.80.126.33818 > xx.xx.xxx.xx.http: P 1:421(420) ack 1 win 30492
18:56:50.384139 IP xx.xx.xxx.xx.http > 62.37.80.126.33818: . ack 421 win 6432
18:56:50.384219 IP xx.xx.xxx.xx.http > 62.37.80.126.33818: P 1:619(618) ack 421 win 6432
18:56:50.384266 IP xx.xx.xxx.xx.http > 62.37.80.126.33818: F 619:619(0) ack 421 win 6432
18:56:50.392695 IP 65.31.80.121.kali > xx.xx.xxx.xx.http: S 1127894153:1127894153(0) win 16384 <mss 1460,nop,nop,sackOK>
18:56:50.416054 IP 62.37.80.126.33823 > xx.xx.xxx.xx.http: P 1:476(475) ack 1 win 30492
18:56:50.416085 IP xx.xx.xxx.xx.http > 62.37.80.126.33823: . ack 476 win 6432
18:56:50.416158 IP xx.xx.xxx.xx.http > 62.37.80.126.33823: P 1:619(618) ack 476 win 6432
18:56:50.416206 IP xx.xx.xxx.xx.http > 62.37.80.126.33823: F 619:619(0) ack 476 win 6432
18:56:50.423001 IP 62.37.80.126.33820 > xx.xx.xxx.xx.http: P 1:427(426) ack 1 win 30492
18:56:50.423034 IP xx.xx.xxx.xx.http > 62.37.80.126.33820: . ack 427 win 6432
18:56:50.423103 IP xx.xx.xxx.xx.http > 62.37.80.126.33820: P 1:619(618) ack 427 win 6432
18:56:50.423150 IP xx.xx.xxx.xx.http > 62.37.80.126.33820: F 619:619(0) ack 427 win 6432
18:56:50.428580 IP 62.37.80.126.33819 > xx.xx.xxx.xx.http: P 1:370(369) ack 1 win 30492
18:56:50.428612 IP xx.xx.xxx.xx.http > 62.37.80.126.33819: . ack 370 win 6432
18:56:50.428734 IP xx.xx.xxx.xx.http > 62.37.80.126.33819: P 1:619(618) ack 370 win 6432
18:56:50.428802 IP xx.xx.xxx.xx.http > 62.37.80.126.33819: F 619:619(0) ack 370 win 6432
18:56:50.436194 IP xx.xx.xxx.xx.http > 87.102.64.163.27210: S 1537805328:1537805328(0) ack 3506320876 win 5840 <mss 1460,nop,nop,sackOK>
18:56:50.455643 IP 75.151.13.54.icslap > xx.xx.xxx.xx.http: S 2958045922:2958045922(0) win 16384 <mss 1460,nop,nop,sackOK>
18:56:50.455806 IP xx.xx.xxx.xx.22 > 96.232.117.182.4700: P 13218141:13218321(180) ack 63440 win 24656
18:56:50.458026 IP 96.232.117.182.4700 > xx.xx.xxx.xx.22: . ack 13214037 win 64959
18:56:50.468026 IP xx.xx.xxx.xx.http > 98.28.97.23.playsta2-lob: . ack 307 win 6432
18:56:50.468052 IP xx.xx.xxx.xx.http > 98.28.97.23.playsta2-app: . ack 322 win 6432
18:56:50.468086 IP xx.xx.xxx.xx.http > 98.28.97.23.oms: S 1539001449:1539001449(0) ack 1860601539 win 5840 <mss 1460,nop,nop,sackOK>
18:56:50.468258 IP xx.xx.xxx.xx.http > 98.28.97.23.4663: S 1551612807:1551612807(0) ack 44166958 win 5840 <mss 1460,nop,nop,sackOK>
18:56:50.468311 IP 98.28.97.23.4664 > xx.xx.xxx.xx.http: S 62808261:62808261(0) win 65535 <mss 1460,nop,nop,sackOK>
18:56:50.468359 IP xx.xx.xxx.xx.http > 98.28.97.23.4664: S 1536518427:1536518427(0) ack 62808262 win 5840 <mss 1460,nop,nop,sackOK>
18:56:50.477807 IP xx.xx.xxx.xx.22 > 96.232.117.182.4700: P 13218485:13218633(148) ack 63440 win 24656
18:56:50.478058 IP xx.xx.xxx.xx.22 > 96.232.117.182.4700: P 13218897:13219029(132) ack 63440 win 24656
18:56:50.478133 IP xx.xx.xxx.xx.22 > 96.232.117.182.4700: P 13219029:13219209(180) ack 63440 win 24656
18:56:50.478208 IP xx.xx.xxx.xx.22 > 96.232.117.182.4700: P 13219209:13219389(180) ack 63440 win 24656
18:56:50.490236 IP 85.226.172.103.8180 > xx.xx.xxx.xx.http: . ack 1 win 65520 <nop,nop,sack 1 {3591336849:3591336850}>
18:56:50.492224 IP 68.117.88.10.xinupageserver > xx.xx.xxx.xx.http: S 788048304:788048304(0) win 65535 <mss 1460,nop,nop,sackOK>
18:56:50.492282 IP xx.xx.xxx.xx.http > 68.117.88.10.xinupageserver: S 1552145950:1552145950(0) ack 788048305 win 5840 <mss 1460,nop,nop,sackOK>
18:56:50.492356 IP 85.226.172.103.8180 > xx.xx.xxx.xx.http: . ack 620 win 64902
18:56:50.500486 IP xx.xx.xxx.xx.http > 68.117.88.10.servexec: S 1547807914:1547807914(0) ack 2824753068 win 5840 <mss 1460,nop,nop,sackOK>
18:56:50.516687 IP 77.102.27.198.pn-requester2 > xx.xx.xxx.xx.http: S 3419938804:3419938804(0) win 65535 <mss 1460,nop,nop,sackOK>
18:56:50.520904 IP xx.xx.xxx.xx.22 > 96.232.117.182.4700: P 13220997:13221177(180) ack 63440 win 24656
18:56:50.520986 IP xx.xx.xxx.xx.22 > 96.232.117.182.4700: P 13221177:13221357(180) ack 63440 win 24656
18:56:50.521019 IP 82.238.237.135.radclientport > xx.xx.xxx.xx.http: S 1180039891:1180039891(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK>
18:56:50.548010 IP 69.42.220.161.domain > 207.164.234.193.26677: 24343 0/13/0 (258)
18:56:50.569800 IP xx.xx.xxx.xx.http > 98.28.97.23.oms: F 293:293(0) ack 401 win 6432
18:56:50.580615 IP 98.222.138.105.prnstatus > xx.xx.xxx.xx.http: F 379:379(0) ack 294 win 65243
18:56:50.580643 IP xx.xx.xxx.xx.http > 98.222.138.105.prnstatus: . ack 380 win 6432
18:56:50.585766 IP 98.222.138.105.smauth-port > xx.xx.xxx.xx.http: S 551680896:551680896(0) win 65535 <mss 1460,nop,nop,sackOK>
18:56:50.585826 IP xx.xx.xxx.xx.http > 98.222.138.105.smauth-port: S 1551043365:1551043365(0) ack 551680897 win 5840 <mss 1460,nop,nop,sackOK>
18:56:50.589580 IP xx.xx.xxx.xx.http > 189.130.235.161.3366: . ack 410 win 6432
18:56:50.597440 IP xx.xx.xxx.xx.22 > 96.232.117.182.4700: P 13222393:13222573(180) ack 63440 win 24656
18:56:50.598715 IP 77.241.207.114.ads > xx.xx.xxx.xx.http: F 380:380(0) ack 620 win 64917
18:56:50.601282 IP 62.37.80.126.33822 > xx.xx.xxx.xx.http: . ack 1 win 30492 <nop,nop,sack 1 {619:620}>
18:56:50.602779 IP 62.37.80.126.33822 > xx.xx.xxx.xx.http: . ack 620 win 29874
18:56:50.609777 IP 62.37.80.126.33821 > xx.xx.xxx.xx.http: . ack 620 win 29874
18:56:50.613819 IP 62.37.80.126.33818 > xx.xx.xxx.xx.http: . ack 1 win 30492 <nop,nop,sack 1 {619:620}>
18:56:50.615288 IP 62.37.80.126.33818 > xx.xx.xxx.xx.http: . ack 620 win 29874
18:56:50.617001 IP 72.174.61.90.nucleus > xx.xx.xxx.xx.http: S 1446880308:1446880308(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,sackOK>
18:56:50.617036 IP xx.xx.xxx.xx.http > 72.174.61.90.nucleus: S 1550924491:1550924491(0) ack 1446880309 win 5840 <mss 1460,nop,nop,sackOK,nop,wscale 7>
18:56:50.636804 IP 87.102.64.163.27210 > xx.xx.xxx.xx.http: . ack 1 win 65520
18:56:50.645769 IP 62.37.80.126.33823 > xx.xx.xxx.xx.http: . ack 1 win 30492 <nop,nop,sack 1 {619:620}>
18:56:50.646997 IP 62.37.80.126.33823 > xx.xx.xxx.xx.http: . ack 620 win 29874
18:56:50.648775 IP 70.255.196.41.dtserver-port > xx.xx.xxx.xx.http: S 2380829503:2380829503(0) win 65535 <mss 1406,nop,nop,sackOK>
18:56:50.653973 IP 62.37.80.126.33820 > xx.xx.xxx.xx.http: . ack 620 win 29874
18:56:50.658070 IP 62.37.80.126.33819 > xx.xx.xxx.xx.http: . ack 1 win 30492 <nop,nop,sack 1 {619:620}>
18:56:50.659562 IP 62.37.80.126.33819 > xx.xx.xxx.xx.http: . ack 620 win 29874
18:56:50.664117 IP xx.xx.xxx.xx.22 > 96.232.117.182.4700: P 13224521:13224701(180) ack 63440 win 24656
18:56:50.680235 IP 72.75.26.189.heartbeat > xx.xx.xxx.xx.http: S 1902964301:1902964301(0) win 65535 <mss 1440,nop,nop,sackOK>
18:56:50.682808 IP 72.75.26.189.wysdma > xx.xx.xxx.xx.http: S 2293032777:2293032777(0) win 65535 <mss 1440,nop,nop,sackOK>
18:56:50.688880 IP 67.167.60.202.dbsa-lm > xx.xx.xxx.xx.http: S 3187716091:3187716091(0) win 65535 <mss 1460,nop,nop,sackOK>
18:56:50.709802 IP 70.132.140.164.drmsfsd > xx.xx.xxx.xx.http: S 361769895:361769895(0) win 65535 <mss 1452,nop,nop,sackOK>
18:56:50.714791 IP xx.xx.xxx.xx.22 > 96.232.117.182.4700: P 13225261:13225441(180) ack 63440 win 24656
18:56:50.720545 IP 74.70.191.83.1753 > xx.xx.xxx.xx.http: S 2292398040:2292398040(0) win 16384 <mss 1460,nop,nop,sackOK>
18:56:50.724380 IP xx.xx.xxx.xx.http > 68.117.88.10.device2: P 1:619(618) ack 391 win 6432
18:56:50.726715 IP 72.229.211.16.2499 > xx.xx.xxx.xx.http: S 1817616180:1817616180(0) win 16384 <mss 1460,nop,nop,sackOK>
18:56:50.730959 IP 72.229.211.16.nms-dpnss > xx.xx.xxx.xx.http: S 1436580530:1436580530(0) win 16384 <mss 1460,nop,nop,sackOK>
18:56:50.731028 IP xx.xx.xxx.xx.http > 72.229.211.16.nms-dpnss: S 1552848120:1552848120(0) ack 1436580531 win 5840 <mss 1460,nop,nop,sackOK>
18:56:50.730993 IP 72.229.211.16.rtsclient > xx.xx.xxx.xx.http: S 3008118027:3008118027(0) win 16384 <mss 1460,nop,nop,sackOK>
18:56:50.731097 IP xx.xx.xxx.xx.http > 72.229.211.16.rtsclient: S 1545356792:1545356792(0) ack 3008118028 win 5840 <mss 1460,nop,nop,sackOK>
18:56:50.741380 IP 98.222.138.105.syam-webserver > xx.xx.xxx.xx.http: . ack 294 win 65243
18:56:50.752165 IP 24.184.115.105.ncu-2 > xx.xx.xxx.xx.http: S 2836838380:2836838380(0) win 65535 <mss 1460,nop,nop,sackOK>
18:56:50.754905 IP xx.xx.xxx.xx.22 > 96.232.117.182.4700: P 13226541:13226721(180) ack 63492 win 24656
18:56:50.754992 IP xx.xx.xxx.xx.22 > 96.232.117.182.4700: P 13226721:13226901(180) ack 63492 win 24656
18:56:50.755069 IP xx.xx.xxx.xx.22 > 96.232.117.182.4700: P 13226901:13227081(180) ack 63492 win 24656
18:56:50.755143 IP xx.xx.xxx.xx.22 > 96.232.117.182.4700: P 13227081:13227261(180) ack 63492 win 24656
18:56:50.771313 IP 220.253.90.13.webmethods-b2b > xx.xx.xxx.xx.http: S 3685808274:3685808274(0) win 65535 <mss 1412,nop,nop,sackOK>
18:56:50.780225 IP 67.167.60.202.hiq > xx.xx.xxx.xx.http: S 1658266467:1658266467(0) win 65535 <mss 1460,nop,nop,sackOK>
18:56:50.792971 IP 75.91.128.80.61448 > xx.xx.xxx.xx.http: S 3300475547:3300475547(0) win 65535 <mss 1452,nop,nop,sackOK>
18:56:50.793680 IP 69.151.202.85.4438 > xx.xx.xxx.xx.http: S 3250718679:3250718679(0) win 65535 <mss 1452,nop,nop,sackOK>
18:56:50.793809 IP xx.xx.xxx.xx.http > 77.241.207.114.powergemplus: P 1:619(618) ack 458 win 6432
18:56:50.798005 IP 77.241.207.114.netaspi > xx.xx.xxx.xx.http: P 1:411(410) ack 1 win 65535
18:56:50.798039 IP xx.xx.xxx.xx.http > 77.241.207.114.netaspi: . ack 411 win 6432
18:56:50.800184 IP xx.xx.xxx.xx.http > 77.241.207.114.suitcase: P 1:619(618) ack 409 win 6432
18:56:50.800232 IP xx.xx.xxx.xx.http > 77.241.207.114.suitcase: F 619:619(0) ack 409 win 6432
18:56:50.801231 IP 220.253.90.13.tdaccess > xx.xx.xxx.xx.http: S 197291250:197291250(0) win 65535 <mss 1412,nop,nop,sackOK>
18:56:50.803565 IP 96.232.117.182.4700 > xx.xx.xxx.xx.22: . ack 13226081 win 65535
18:56:50.804480 IP 189.130.235.161.3366 > xx.xx.xxx.xx.http: . ack 620 win 64917
18:56:50.806386 IP 72.229.211.16.odn-castraq > xx.xx.xxx.xx.http: . ack 1 win 17520
18:56:50.814805 IP xx.xx.xxx.xx.http > 72.229.211.16.odn-castraq: P 1:619(618) ack 435 win 6432
18:56:50.831688 IP 24.177.188.193.cert-responder > xx.xx.xxx.xx.http: S 4117254780:4117254780(0) win 16384 <mss 1460,nop,nop,sackOK>
18:56:50.841242 IP 220.253.90.13.gamelobby > xx.xx.xxx.xx.http: S 1982853801:1982853801(0) win 65535 <mss 1412,nop,nop,sackOK>
18:56:50.841490 IP 207.164.234.193.26571 > xx.xx.xxx.xx.domain: 15807 A? www.target.com. (34)
18:56:50.841690 IP xx.xx.xxx.xx.domain > 207.164.234.193.26571: 15807 0/13/0 (258)
18:56:50.848077 IP 151.203.0.84.53226 > 69.42.220.161.domain: 28721 A? www.target.com. (34)
18:56:50.855042 IP 68.78.196.14.32242 > xx.xx.xxx.xx.http: S 1206070402:1206070402(0) win 65535 <mss 1380,nop,nop,sackOK>
18:56:50.855801 IP 68.57.58.158.dcutility > xx.xx.xxx.xx.http: S 264151458:264151458(0) win 65535 <mss 1460,nop,nop,sackOK>
18:56:50.856812 IP 68.78.196.14.32243 > xx.xx.xxx.xx.http: S 744442180:744442180(0) win 65535 <mss 1380,nop,nop,sackOK>
18:56:50.858330 IP 68.78.196.14.32244 > xx.xx.xxx.xx.http: S 2976743585:2976743585(0) win 65535 <mss 1380,nop,nop,sackOK>
18:56:50.859034 IP xx.xx.xxx.xx.22 > 96.232.117.182.4700: P 13230097:13230277(180) ack 63492 win 24656
18:56:50.859987 IP 68.78.196.14.32245 > xx.xx.xxx.xx.http: S 2491076094:2491076094(0) win 65535 <mss 1380,nop,nop,sackOK>
18:56:50.861670 IP 68.78.196.14.32246 > xx.xx.xxx.xx.http: S 1349303183:1349303183(0) win 65535 <mss 1380,nop,nop,sackOK>
18:56:50.863134 IP 68.78.196.14.32247 > xx.xx.xxx.xx.http: S 3101485962:3101485962(0) win 65535 <mss 1380,nop,nop,sackOK>
18:56:50.866366 IP 207.164.234.129.29936 > xx.xx.xxx.xx.domain: 28800 A? www.target.com. (34)
18:56:50.866566 IP xx.xx.xxx.xx.domain > 207.164.234.129.29936: 28800 0/13/0 (258)
18:56:50.894280 IP 68.117.88.10.mobrien-chat > xx.xx.xxx.xx.http: . ack 620 win 64917
18:56:50.896128 IP 71.185.180.25.63505 > xx.xx.xxx.xx.http: S 735653287:735653287(0) win 16384 <mss 1452,nop,nop,sackOK>
18:56:50.899095 IP 75.38.13.145.snap > xx.xx.xxx.xx.http: S 1311157802:1311157802(0) win 16384 <mss 1452,nop,nop,sackOK>
18:56:50.899780 IP 69.42.220.161.domain > 207.164.234.193.45075: 2813 0/13/0 (258)
18:56:50.900066 IP 75.38.13.145.4753 > xx.xx.xxx.xx.http: S 3234459880:3234459880(0) win 16384 <mss 1452,nop,nop,sackOK>
18:56:50.908808 IP 72.229.211.16.kentrox-prot > xx.xx.xxx.xx.http: . ack 294 win 17228
18:56:50.918054 IP xx.xx.xxx.xx.22 > 96.232.117.182.4700: P 13232901:13233033(132) ack 63492 win 24656
18:56:50.924252 IP 68.117.88.10.objectmanager > xx.xx.xxx.xx.http: S 578176680:578176680(0) win 65535 <mss 1460,nop,nop,sackOK>
18:56:50.924291 IP 68.117.88.10.lam > xx.xx.xxx.xx.http: S 2231712680:2231712680(0) win 65535 <mss 1460,nop,nop,sackOK>
18:56:50.934458 IP xx.xx.xxx.xx.22 > 96.232.117.182.4700: P 13233181:13233361(180) ack 63492 win 24656
18:56:50.936107 IP 68.78.196.14.32248 > xx.xx.xxx.xx.http: S 3928200915:3928200915(0) win 65535 <mss 1380,nop,nop,sackOK>
18:56:50.937628 IP 68.78.196.14.t1distproc60 > xx.xx.xxx.xx.http: S 2041994132:2041994132(0) win 65535 <mss 1380,nop,nop,sackOK>
18:56:50.939548 IP 68.78.196.14.32250 > xx.xx.xxx.xx.http: S 521904500:521904500(0) win 65535 <mss 1380,nop,nop,sackOK>
18:56:50.941318 IP 68.78.196.14.32251 > xx.xx.xxx.xx.http: S 611760408:611760408(0) win 65535 <mss 1380,nop,nop,sackOK>
18:56:50.942848 IP 68.78.196.14.32252 > xx.xx.xxx.xx.http: S 2089580458:2089580458(0) win 65535 <mss 1380,nop,nop,sackOK>
18:56:50.944441 IP 68.78.196.14.32253 > xx.xx.xxx.xx.http: S 1721285514:1721285514(0) win 65535 <mss 1380,nop,nop,sackOK>
18:56:50.951716 IP 24.177.188.193.kermit > xx.xx.xxx.xx.http: S 1680505816:1680505816(0) win 16384 <mss 1460,nop,nop,sackOK>
18:56:51.000743 IP 65.31.80.121.rpi > xx.xx.xxx.xx.http: S 2592115444:2592115444(0) win 16384 <mss 1460,nop,nop,sackOK>
18:56:51.005559 IP 71.185.180.25.63506 > xx.xx.xxx.xx.http: S 3792328349:3792328349(0) win 16384 <mss 1452,nop,nop,sackOK>
18:56:51.030287 IP 72.178.92.78.4579 > xx.xx.xxx.xx.http: S 1480725347:1480725347(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK>
18:56:51.033039 IP 71.237.89.217.vrts-ipcserver > xx.xx.xxx.xx.http: S 1220670807:1220670807(0) win 65535 <mss 1460,nop,nop,sackOK>
18:56:51.034705 IP 72.178.92.78.4580 > xx.xx.xxx.xx.http: S 2242214358:2242214358(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK>
18:56:51.039480 IP 72.178.92.78.4583 > xx.xx.xxx.xx.http: S 2908232721:2908232721(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,sackOK>
18:56:51.059826 IP xx.xx.xxx.xx.22 > 96.232.117.182.4700: P 13235165:13235345(180) ack 63492 win 24656
18:56:51.059915 IP xx.xx.xxx.xx.22 > 96.232.117.182.4700: P 13235345:13235525(180) ack 63492 win 24656
18:56:51.059992 IP xx.xx.xxx.xx.22 > 96.232.117.182.4700: P 13235525:13235705(180) ack 63492 win 24656
18:56:51.060068 IP xx.xx.xxx.xx.22 > 96.232.117.182.4700: P 13235705:13235885(180) ack 63492 win 24656
18:56:51.064313 IP xx.xx.xxx.xx.http > 68.117.88.10.cdfunc: S 1551669180:1551669180(0) ack 1933591694 win 5840 <mss 1460,nop,nop,sackOK>
18:56:51.072636 IP xx.xx.xxx.xx.22 > 96.232.117.182.4700: P 13236477:13236657(180) ack 63492 win 24656
18:56:51.089537 IP 195.14.162.70.14704 > xx.xx.xxx.xx.http: S 805985261:805985261(0) win 65535 <mss 1460,nop,nop,sackOK>
18:56:51.110474 IP 76.109.41.19.h323gatedisc > xx.xx.xxx.xx.http: S 1026807755:1026807755(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,sackOK>
18:56:51.118014 IP xx.xx.xxx.xx.http > 213.96.24.94.3324: . ack 415 win 6432
18:56:51.120619 IP xx.xx.xxx.xx.22 > 96.232.117.182.4700: P 13236657:13236805(148) ack 63492 win 24656
18:56:51.120736 IP xx.xx.xxx.xx.22 > 96.232.117.182.4700: P 13236805:13236969(164) ack 63492 win 24656
18:56:51.120803 IP 69.42.220.161.domain > 207.164.234.129.54937: 13237 0/13/0 (258)
18:56:51.123580 IP 213.96.24.94.bbars > xx.xx.xxx.xx.http: S 188392623:188392623(0) win 65535 <mss 1460,nop,nop,sackOK>
18:56:51.131412 IP xx.xx.xxx.xx.http > 213.96.24.94.mcs-calypsoicf: S 1545713980:1545713980(0) ack 1081956958 win 5840 <mss 1460,nop,nop,sackOK>
18:56:51.132756 IP xx.xx.xxx.xx.http > 213.96.24.94.mcs-messaging: S 1549720806:1549720806(0) ack 4096681441 win 5840 <mss 1460,nop,nop,sackOK>
18:56:51.136802 IP 68.117.88.10.sdfunc > xx.xx.xxx.xx.http: . ack 1 win 65535

Code:



Looks like a HTTP Get flood, can anyone confirm, and any advice on how to mitigate it fully?


Thanks



tcpdump.txt
 Description:

Download
 Filename:  tcpdump.txt
 Filesize:  18.47 KB
 Downloaded:  41 Time(s)
Back to top
View users profile Send private message
StopDDoS

Corporal
Corporal


Joined: Oct 02, 2007
Posts: 51
Location: USA
PostPosted: Fri Aug 29, 2008 5:53 pm    Post subject:
Reply with quote

Can you provide a clean list of just attacking IPs please
Back to top
View users profile Send private message
ahoier

SIRT Handler


Joined: Jan 14, 2006
Posts: 1118
Location: USA
PostPosted: Sat Aug 30, 2008 10:23 pm    Post subject:
Reply with quote

If you haven't seen it yet, you may also want to check out this thread, CastleCops Link/t225696-How_to_STOP_SMTP_and_other_DDoS_Attacks.html

Provides well-documented instructions and a script/tool to create blocklists for use in Peerguardian2/peerguardianLite (or on Linux, Moblock, or other capable IP filter).


Though I've not tested it, the concept seems like it could/would work.
Back to top
View users profile Send private message Visit posters website AIM Address Yahoo Messenger MSN Messenger
s0tet

PIRT Handler


Joined: May 21, 2005
Posts: 2976

Phishing Squad

PostPosted: Sun Aug 31, 2008 3:39 am    Post subject:
Reply with quote

Hope your site gets back online soon. If you get it resolved, please let us know how. Good luck.
Back to top
View users profile Send private message Send email
StopDDoS

Corporal
Corporal


Joined: Oct 02, 2007
Posts: 51
Location: USA
PostPosted: Sun Aug 31, 2008 4:36 pm    Post subject:
Reply with quote

I only make 39 IPs there. Could you take a longer TCPdump.

Thanks

Tom
Back to top
View users profile Send private message
StopDDoS

Corporal
Corporal


Joined: Oct 02, 2007
Posts: 51
Location: USA
PostPosted: Wed Sep 03, 2008 10:39 am    Post subject:
Reply with quote

For your information a more accurate way of helping people like us help people like you would be to do the following:

The best Linux command line for DDoS forensics is:

tcpdump -i eth0 -s 1700 -w YourFileName

For windows you can do the same with windump

We also require your Apache Access and Error Logs from the same time frame as the TcpDump. This is helpful in specific types of attacks such as http-get floods.
Back to top
View users profile Send private message
Display posts from previous:   
Post new topic   Reply to topic       All -> FavForums -> DDoS All times are GMT
Page 1 of 1

 
Quick Reply:
Username: 

Quote the last message
Attach signature (signatures can be changed in profile)
 
You can post new topics in this forum
You can reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001 phpBB Group
2002-2008 © Computer Cops LLC dba CastleCops®. All rights reserved.
Acceptable Use Policy. Use signifies your agreement.
163ppm 0.870s (0.089s)
Making cybercriminals unhappy since 2002*
In Memory of Trpm
spacer spacer