Hi all,

Well, don't I feel "special" - we're being hit with the first DDoS in company history. While I'm no stranger to what they're about, I've never actually experienced one before. I'm aware of how most of them have an IRC command channel, and that without reverse-hacking and potentially breaking some laws I won't be able to determine the source.
Initially, to get the site back up, I ended up blocking APNIC, RIPE, etc. (anything not ARIN), which worked, but we do some international sales, so that's not a long-term solution.

For phase 2, I hacked together a quick script that examines our webservers' last 20K Apache log entries and looks for the behavior of hitting the home page > 100 times without hitting any other pages in those 20K entries. I then wrote an expect script that takes those IPs and adds them to the shun list on our ASAs. This is working for now, and our shun list is at 5K IPs and growing. However, my script has some inherent latency in it and is not what I'd call "production material". It was hacked together at 3am and I'm shocked it even runs at all.

So, with that in mind, how do people who see these types of things frequently deal with them? Another company we deal with has recommended we get in touch with RioRey and Radware -- I've never dealt with either of them. In fact, I hadn't even heard of RioRey until today. Also, are there any "known zombie" blacklists out there that are fairly reputable?

Sorry if I'm rambling, but I'm running on caffeine and cold medications at this point. I'd love any tips/pointers any of you could share.

Justin
_______________________________________________ Discuss mailing list [email protected] https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss This list provided by the League of Professional System Administrators http://lopsa.org/
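The "home page > 100 times, nothing else, in the last 20K entries" heuristic from the post above, as an added example rather than Justin's script: it parses Apache combined-format lines, counts per-IP home-page hits against hits on any other path inside the window, flags the IPs that cross the threshold with zero other hits, and emits the ASA `shun <ip>` lines a separate expect session would push. The log lines are constructed for the example, the window/threshold values are the post's, and the allowlist parameter (so your own monitors, proxies and office NAT never get shunned) is an addition the post does not mention.

```python
import re
from collections import defaultdict

# Apache combined log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Paths that count as "the home page" (assumption: adjust to your site).
HOME_PATHS = frozenset({"/", "/index.html", "/index.php"})


def parse_line(line):
    """Return (client_ip, path-without-query) or None for lines we can't parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), m.group("path").split("?", 1)[0]


def find_flooders(lines, window=20000, threshold=100, allow=frozenset()):
    """Look at the last `window` log entries and return, sorted, every IP that
    requested the home page more than `threshold` times and no other path.
    IPs in `allow` are never returned, regardless of behaviour."""
    home = defaultdict(int)
    other = defaultdict(int)
    for line in lines[-window:]:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip rather than crash a 3am script
        ip, path = parsed
        if path in HOME_PATHS:
            home[ip] += 1
        else:
            other[ip] += 1
    return sorted(
        ip for ip, n in home.items()
        if n > threshold and other[ip] == 0 and ip not in allow
    )


def shun_commands(ips):
    """ASA CLI lines to block the given sources (the `shun` command takes one IP)."""
    return [f"shun {ip}" for ip in ips]


def build_sample_log():
    """Constructed sample log: 10.0.0.1 floods '/' and nothing else,
    10.0.0.2 hits '/' just as often but also fetches another page,
    10.0.0.3 is an ordinary visitor."""
    tmpl = ('{ip} - - [10/Oct/2000:13:55:36 -0700] "GET {path} HTTP/1.1" '
            '200 2326 "-" "Mozilla/4.0"')
    lines = []
    for _ in range(150):
        lines.append(tmpl.format(ip="10.0.0.1", path="/"))
        lines.append(tmpl.format(ip="10.0.0.2", path="/"))
    lines.append(tmpl.format(ip="10.0.0.2", path="/about.html"))
    for path in ("/", "/products.html", "/cart"):
        lines.append(tmpl.format(ip="10.0.0.3", path=path))
    return lines


if __name__ == "__main__":
    # In production: read the tail of access_log instead of the sample.
    flooders = find_flooders(build_sample_log())
    for cmd in shun_commands(flooders):
        print(cmd)
```

Two things worth noting if you run this for real: the heuristic is per-IP, so a botnet that spreads requests thinly or fetches one extra asset per bot slips under it, and since the ASA shun list has a finite size and grows the way the post describes, a periodic review that expires entries older than a day or two keeps it from filling up with addresses that stopped attacking.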
