Since the IP range seems to belong to (
would send an E-mail to them. The scanning back has worked for me as
well BUT be carefull or you might be labled the bad one. Normaly I
always poke back just to see who they are and e-mail the host if it
becomes a problem. Also if you are using DSL with a CISCO 675 / 678
there are tools and patchs that can filter out most DDOS attacks.

Here's some reading. You'll notice he's running some interesting
Services and will find the http site is blocked. If you dig some more
you'll find other interesting things as well. And no I am not and do not
condone hacking just investigating<g>

Starting nmap V. 3.00 ( )
No tcp,udp, or ICMP scantype specified, assuming SYN Stealth scan. Use
-sP if you really don't want to portscan (and just want to see what
hosts are up).
Host ( appears to be up ... good.
Initiating SYN Stealth Scan against
Adding open port 80/tcp
Adding open port 514/tcp
Adding open port 554/tcp
Adding open port 23/tcp
Adding open port 8080/tcp
Adding open port 3128/tcp
Adding open port 53/tcp
Bumping up senddelay by 10000 (to 10000), due to excessive drops
Bumping up senddelay by 20000 (to 30000), due to excessive drops
Bumping up senddelay by 30000 (to 60000), due to excessive drops
The SYN Stealth Scan took 225 seconds to scan 1601 ports.
Interesting ports on (
(The 1577 ports scanned but not shown below are in state: closed)
Port       State       Service
23/tcp     open        telnet
53/tcp     open        domain
71/tcp     filtered    netrjs-1
74/tcp     filtered    netrjs-4
80/tcp     open        http
112/tcp    filtered    mcidas
314/tcp    filtered    opalis-robot
341/tcp    filtered    unknown
514/tcp    open        shell
535/tcp    filtered    iiop
551/tcp    filtered    cybercash
554/tcp    open        rtsp
574/tcp    filtered    ftp-agent
597/tcp    filtered    ptcnameservice
632/tcp    filtered    unknown
643/tcp    filtered    unknown
683/tcp    filtered    unknown
785/tcp    filtered    unknown
819/tcp    filtered    unknown
950/tcp    filtered    oftep-rpc
1380/tcp   filtered    telesis-licman
1652/tcp   filtered    xnmp
3128/tcp   open        squid-http
8080/tcp   open        http-proxy

-----Original Message-----
[mailto:[EMAIL PROTECTED]] On Behalf Of Sean J.
Sent: Sunday, January 05, 2003 5:04 PM
To: FreeBSD Questions; Michael
Subject: RE: DOS ATTACK. Any Suggestions?

> As soon as my site gets big and i have a
>lot of users in irc, some little jealous network comes along and 
>destroys what i worked on. The last time this happened my ISP shut ME 
>off because it took out one of their facilities.

I think this is your core problem...  In all my years working tech
support, I've seen that the vast majority of people being DOSed fall
into three categories, Child Porn, Spammers, and IRC.  If you run IRC,
you will be DOSed by some snot nosed script kiddie.  You are 100%
correct in your assessment of their mentality, they basically find the
only place where they can be "the man" is behind a keyboard, the sad
thing is most of them don't have the slightest idea about the code
behind their tools, they just know how to run them.  The only way to get
rid of a DOS attack is to either ride it out until they get bored, or
contact your host and ask their network engineers to null route the
source IP's that are sending to you.  You could use IPFW to block those
network packets at your kernel level, but by then the packets have
already came down the wire to your server and have already affected you.
If the network techs can null route the DOS upstream of you, then you
should be able to remain online.  Good Luck.

One last thing, I had some fool trying to DOS me once from his own IP
address.  I simply portscanned him with Nmap and suddenly he just
blinked off line.  I guess it scared him sufficiently to go to sleep.

- Sean

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message

Reply via email to