On Fri  5-May-2000  2:09a, [EMAIL PROTECTED] wrote:
p> I hope someone here has any clue or suggestion about the following. For
p> quite some days now I am having problems while chatting on IRC, a user
p> there doesn't seem to like me and floods me offline every time he sees
p> me. He uses Linux behind a firewall and seems to know quite some stuff
p> (some say he's a hacker). Anyway, for what I have seen, he sends lots of
p> packets to my connection, overloading it thus. Miami detects a ping
p> flood (and ignores the pings I guess) but still I end up disconnected,
p> the modem (TKR TriStar V34 28.8) goes crazy.

p> Well, is there any way to protect myself against such flood attacks? I
p> use Miami3.2b, and have thought about adding the IPs he floods from to
p> the IP-Filter, but it seems they differ every time he does so, and apart
p> that would not really help to keep my line clean, no? The attacks don't
p> go through IRC, since AmIRC doesn't detect any floods. I am quite
p> helpless here and hope I had an ADSL connection.

p> I will EMail my ISP also and ask them for advice, but until then... I am
p> not sure if they can get to that person, since even when on IRC he seems
p> to hide his real IP address.


There is little this guy can do...

He can change his identity... Being sure to change every single bit of info
displayed via the available IRC commands such as whois, who, userhost, etc.
(he would need to change his user info such as ident/user id, his real name,
finger reply, as well as his nick).  Then set himself +i (invisible) and avoid
channels the 'hacker' hangs out in.   Or he could find a different IRC
network entirely (Hey, I suggest irc.exodusirc.net.. hahah blatant plug).

If the victim uses a static IP, and the flooder remembers it, he can be
flooded anytime he wants.  And doesn't even have to find him on IRC.

The victim can take any logs he has of the guy threatening him, as well
as copies of his Miami logs, and mail them to his own ISP, in addition to
abuse@, admin@, root@, etc at the flooder's ISP, asking them for their
cooperation in dealing with the problem.  I have done the following
successfully a few dozen times over the years.

If the flooder is spoofing his packets, Miami's logging will not cut it.
He could set up a Linux firewall in front of his Amiga, and use one of the
iploggers on freshmeat, and see the real origin.
(http://ojnk.sourceforge.net, 
http://www.ifi.unizh.ch/ikm/SINUS/firewall/download.html, etc...)


As far as protecting himself against this type of attack though, it's
simply not possible.  If he's on a dialup, it's easy to saturate his
connection with packets.  No firewalling will stop that.
If the victim is using a static connection, he could ask his ISP to
block ICMPs at their facility.  That will stop that kind of attack.


Incidentally, the guy claiming to be a hacker is more than likely using
CLICK*, which is designed to specifically unreach him from his IRC
server.  Have him use an unusual port to connect to the IRC server
because if he uses 6667 all the time, it makes it all the easier for
the little 'hacker' to accomplish his goal.

Oh, and one last thing he might try...

In the event the little 'hacker' actually does have 'skillz' and is
successfully concealing his identity by using vhosts while on IRC, and
spoofing packets, it might just be worth it to try and become 'friends'.
Settle their differences, and try not to set the guy off.


Wish him luck for me, I know how wankers like that can ruin a person's
day...


John

DR. John M. Hoyt / AKA Warren Peace  -  amicon.net SysAdmin
                       WarNPeace     -  C-Link! International Coordinator
                                     -  ZenMetal/CNet Alpha Team
          Find me on irc.reefer.org  -  ExodusIRC.Net Admin


__________________________________________________________
AmIRC Mailing List - Info & Archive: http://www.vapor.com/
For Listserver Help: <[EMAIL PROTECTED]>, "HELP"
To Unsubscribe: <[EMAIL PROTECTED]>, "UNSUBSCRIBE"