Re: Request for contact and procedure information
All,

There are few if any ISPs that will help you with something like this. Law enforcement also does not have the resources to even begin to look at a single DSL line being attacked unless you can show 7+ figures in damage or some type of major threat to national infrastructure.

Your options are basically as follows:

1) Use csf. If properly tuned this should be sufficient to filter minor attacks.
2) Invest in a decent firewall like a Juniper Netscreen and set session limits. This won't stop an attack but it will limit the amount of traffic you have to filter locally.
3) Ask SBC to null route the IP completely
4) Invest in an actual protection service.

Jeff

On Fri, Jul 10, 2009 at 12:02 AM, Jon Kibler <jon.kib...@aset.com> wrote:
> Jon Kibler wrote:
>> Charles Wyble wrote:
>>> All,
>>>
>>> I'm currently experiencing a DDOS attack on my home DSL connection. Thousands of requests to port 80. I'm on an SBC business class account. I'm guessing that calling the regular customer support won't get me anywhere.
>>>
>>> Any suggestions?
>>
>> Okay, this is going to sound REALLY lame, but IMHO it may be your best bet to get action from SBC:
>>
>> 1) File a police report with your local law enforcement agency and (CRITICAL) get a case number. (You should have well documented when the attack started, too. If asked why you waited so long to report it, explain that you were not familiar with procedures. You may also be asked what you have that someone wants to attack. "I don't know" is an acceptable answer, if that is the truth.) When local law enforcement completes taking the report, request that your local law enforcement escalate the case to the local/regional FBI office (specifically mention InfraGard).
>>
>> 2) Call your local FBI office and ask to speak to the InfraGard coordinator. (If it is a small office, they may refer you to your regional office.) Tell them you are being DDOSed, that you have filed a report with local law enforcement (give them agency and case number), tell them who is your ISP and contact information, and tell them ISP has been uncooperative at resolution. Ask them can they please help -- at a minimum, can they contact the ISP and get them to start null routing DDOS traffic.
>>
>> Just out of curiosity, do you have any traffic capture? If so, what type of attack is it? SYN flood, Apache instance starvation, etc.? You may want to do some packet capture for hand-over to law enforcement.
>>
>> I know this sounds lame, but I also CONSTANTLY hear from InfraGard that they want to be informed of these types of attacks, and they will help when resources permit. Don't expect miracles. But it is better than nothing.
>>
>> Finally, document, document, document!!!
>>
>> Jon
>
> I hate to reply to my own email... but as soon as I hit SEND, I realized I left off something important...
>
> You said you have Business Class DSL. Is this for a business? If so, have your lawyer contact SBC. S/he should request to talk with the department manager for small business services. That, too, may help get action. Be sure to provide him/her with written documentation on everything you can regarding the attack. The more information that s/he has, the better to beat up on SBC with.
>
> Finally, what does your TOS/SLA say about DDoS? Most have something to say about ISP liability in the mitigation of such attacks.
>
> GOOD LUCK!
>
> Jon
> --
> Jon R. Kibler
> Chief Technical Officer
> Advanced Systems Engineering Technology, Inc.
> Charleston, SC USA
> o: 843-849-8214
> c: 843-813-2924 (NEW!)
> s: 843-564-4224
> http://www.linkedin.com/in/jonrkibler
>
> My PGP Fingerprint is: BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
>
> ==
> Filtered by: TRUSTEM.COM's Email Filtering Service
> http://www.trustem.com/
> No Spam. No Viruses. Just Good Clean Email.

--
Jeffrey Lyon, Leadership Team
jeffrey.l...@blacklotus.net | http://www.blacklotus.net
Black Lotus Communications of The IRC Company, Inc.

Look for us at HostingCon 2009 in Washington, DC on August 10th - 12th at Booth #401.
Re: Request for contact and procedure information
Jeffrey Lyon wrote:
> All,
>
> There are few if any ISPs that will help you with something like this. Law enforcement also does not have the resources to even begin to look at a single DSL line being attacked unless you can show 7+ figures in damage or some type of major threat to national infrastructure.
>
> Your options are basically as follows:
>
> 1) Use csf. If properly tuned this should be sufficient to filter minor attacks.
> 2) Invest in a decent firewall like a Juniper Netscreen and set session limits. This won't stop an attack but it will limit the amount of traffic you have to filter locally.
> 3) Ask SBC to null route the IP completely
> 4) Invest in an actual protection service.

Last time I had to deal with a DDoS coming over a Sprint circuit (multilink T1) they transferred me to someone in security and they started null routing things. Initially they were treating it as trouble because the BGP session kept resetting, but once we all figured out it was a DDoS the resolution was quick and painless.

Maybe my experience is abnormal? I don't know.

~Seth
Re: Request for contact and procedure information
Seth Mattinen wrote:
> Dan White wrote:
>> Have you spoken with your provider? They should be giving you options, like changing your static address, or null routing the attackers upstream, or perhaps blocking port 80 to you, to limit your ingress traffic.
>
> For DSL? I've never had that kind of luck with SBC's (now ATT) home products, and I've been using their DSL since 2001. This is one instance where paying the big bucks for at least a T1 can show some return. Even if it's business DSL it's still treated the same as drooling user DSL. Purely my personal experience.
>
> ~Seth

I guess complaining that your provider won't do anything to help you, and not calling them to find out otherwise is a self fulfilling prophecy.

- Dan
Re: Request for contact and procedure information
I spoke with SBC. 2 hours on the phone (all with US based support which was awesome) came down to e-mail ab...@sbcglobal.net. I'll let everyone know how it goes.
Re: Request for contact and procedure information
Dan White wrote:
> Seth Mattinen wrote:
>> Dan White wrote:
>>> Have you spoken with your provider? They should be giving you options, like changing your static address, or null routing the attackers upstream, or perhaps blocking port 80 to you, to limit your ingress traffic.
>>
>> For DSL? I've never had that kind of luck with SBC's (now ATT) home products, and I've been using their DSL since 2001. This is one instance where paying the big bucks for at least a T1 can show some return. Even if it's business DSL it's still treated the same as drooling user DSL. Purely my personal experience.
>>
>> ~Seth
>
> I guess complaining that your provider won't do anything to help you, and not calling them to find out otherwise is a self fulfilling prophecy.

Can you read? Did I say that?

~Seth
Re: Request for contact and procedure information
Seth Mattinen wrote:
> Dan White wrote:
>> Seth Mattinen wrote:
>>> Dan White wrote:
>>>> Have you spoken with your provider? They should be giving you options, like changing your static address, or null routing the attackers upstream, or perhaps blocking port 80 to you, to limit your ingress traffic.
>>>
>>> For DSL? I've never had that kind of luck with SBC's (now ATT) home products, and I've been using their DSL since 2001. This is one instance where paying the big bucks for at least a T1 can show some return. Even if it's business DSL it's still treated the same as drooling user DSL. Purely my personal experience.
>>>
>>> ~Seth
>>
>> I guess complaining that your provider won't do anything to help you, and not calling them to find out otherwise is a self fulfilling prophecy.
>
> Can you read? Did I say that?
>
> ~Seth

Seth,

This was obviously not a response to you, but to the original poster.

- Dan
Re: Request for contact and procedure information
Dan White wrote:
> Seth Mattinen wrote:
>> Dan White wrote:
>>> Seth Mattinen wrote:
>>>> Dan White wrote:
>>>>> Have you spoken with your provider? They should be giving you options, like changing your static address, or null routing the attackers upstream, or perhaps blocking port 80 to you, to limit your ingress traffic.
>>>>
>>>> For DSL? I've never had that kind of luck with SBC's (now ATT) home products, and I've been using their DSL since 2001. This is one instance where paying the big bucks for at least a T1 can show some return. Even if it's business DSL it's still treated the same as drooling user DSL. Purely my personal experience.
>>>>
>>>> ~Seth
>>>
>>> I guess complaining that your provider won't do anything to help you, and not calling them to find out otherwise is a self fulfilling prophecy.
>>
>> Can you read? Did I say that?
>>
>> ~Seth
>
> Seth,
>
> This was obviously not a response to you, but to the original poster.

Sorry, I read that as a response to my message.

~Seth
Re: Request for contact and procedure information
On Fri, Jul 10, 2009 at 2:11 AM, Jeffrey Lyon <jeffrey.l...@blacklotus.net> wrote:
> All,
>
> There are few if any ISPs that will help you with something like this.

<cough>uunet/vzb would/will</cough> (for free most times even)
Re: Request for contact and procedure information
Would what? Null route the IP? I'm talking about actually filtering the attack.

Jeff

On Jul 10, 2009 5:10 PM, Christopher Morrow <morrowc.li...@gmail.com> wrote:
> On Fri, Jul 10, 2009 at 2:11 AM, Jeffrey Lyon <jeffrey.l...@blacklotus.net> wrote:
>> All,
>>
>> There a...
>
> <cough>uunet/vzb would/will</cough> (for free most times even)
Re: Request for contact and procedure information
On Fri, Jul 10, 2009 at 5:12 PM, Jeffrey Lyon <jeffrey.l...@blacklotus.net> wrote:
> Would what? Null route the IP? I'm talking about actually filtering the attack.

as was I. (talking about filtering the attack)

> On Jul 10, 2009 5:10 PM, Christopher Morrow <morrowc.li...@gmail.com> wrote:
>> On Fri, Jul 10, 2009 at 2:11 AM, Jeffrey Lyon <jeffrey.l...@blacklotus.net> wrote:
>>> All,
>>>
>>> There a...
>>
>> <cough>uunet/vzb would/will</cough> (for free most times even)
RE: Request for contact and procedure information
Filter like in using the Cisco Guard of sort, to send the good traffic back to the customers? And that service is <cough>free through vzb?</cough>

--
Luan Nguyen
Chesapeake NetCraftsmen, LLC.
[Web] http://www.netcraftsmen.net
--

-----Original Message-----
From: Christopher Morrow [mailto:morrowc.li...@gmail.com]
Sent: Friday, July 10, 2009 5:40 PM
To: Jeffrey Lyon
Cc: nanog@nanog.org; Charles Wyble
Subject: Re: Request for contact and procedure information

On Fri, Jul 10, 2009 at 5:12 PM, Jeffrey Lyon <jeffrey.l...@blacklotus.net> wrote:
> Would what? Null route the IP? I'm talking about actually filtering the attack.

as was I. (talking about filtering the attack)

> On Jul 10, 2009 5:10 PM, Christopher Morrow <morrowc.li...@gmail.com> wrote:
>> On Fri, Jul 10, 2009 at 2:11 AM, Jeffrey Lyon <jeffrey.l...@blacklotus.net> wrote:
>>> All,
>>>
>>> There a...
>>
>> <cough>uunet/vzb would/will</cough> (for free most times even)
Re: Request for contact and procedure information
On Fri, Jul 10, 2009 at 5:49 PM, Luan Nguyen <l...@netcraftsmen.net> wrote:
> Filter like in using the Cisco Guard of sort, to send the good traffic back to the customers? And that service is <cough>free through vzb?</cough>

as in: find some way to keep the customer alive and kicking which might be:
1) null route bad destination if no one cares about it
2) acl the traffic upstream if it's not to something you care about (but need the ip to work)
3) guard/mitigate traffic and redeliver (which has some limitations or did)

all of that is free to 701 customers, yes. if you have to get to step3 more than a few times I'm sure sales will want you to pay, since that part isn't 'free' to the company.

point being, dropping tcp/80 syn traffic isn't hard, and it's routinely done at customer request. (or was when I was doing it there)

-chris

> --
> -----Original Message-----
> From: Christopher Morrow [mailto:morrowc.li...@gmail.com]
> Sent: Friday, July 10, 2009 5:40 PM
> To: Jeffrey Lyon
> Cc: nanog@nanog.org; Charles Wyble
> Subject: Re: Request for contact and procedure information
>
> On Fri, Jul 10, 2009 at 5:12 PM, Jeffrey Lyon <jeffrey.l...@blacklotus.net> wrote:
>> Would what? Null route the IP? I'm talking about actually filtering the attack.
>
> as was I. (talking about filtering the attack)
>
>> On Jul 10, 2009 5:10 PM, Christopher Morrow <morrowc.li...@gmail.com> wrote:
>>> On Fri, Jul 10, 2009 at 2:11 AM, Jeffrey Lyon <jeffrey.l...@blacklotus.net> wrote:
>>>> All,
>>>>
>>>> There a...
>>>
>>> <cough>uunet/vzb would/will</cough> (for free most times even)
Re: Request for contact and procedure information
Fact: Filtering TCP/80 attacks is a 3 to 4 figure job, sometimes even 5 figure.

Jeff

On Fri, Jul 10, 2009 at 6:16 PM, Christopher Morrow <morrowc.li...@gmail.com> wrote:
> On Fri, Jul 10, 2009 at 5:49 PM, Luan Nguyen <l...@netcraftsmen.net> wrote:
>> Filter like in using the Cisco Guard of sort, to send the good traffic back to the customers? And that service is <cough>free through vzb?</cough>
>
> as in: find some way to keep the customer alive and kicking which might be:
> 1) null route bad destination if no one cares about it
> 2) acl the traffic upstream if it's not to something you care about (but need the ip to work)
> 3) guard/mitigate traffic and redeliver (which has some limitations or did)
>
> all of that is free to 701 customers, yes. if you have to get to step3 more than a few times I'm sure sales will want you to pay, since that part isn't 'free' to the company.
>
> point being, dropping tcp/80 syn traffic isn't hard, and it's routinely done at customer request. (or was when I was doing it there)
>
> -chris
>
>> --
>> -----Original Message-----
>> From: Christopher Morrow [mailto:morrowc.li...@gmail.com]
>> Sent: Friday, July 10, 2009 5:40 PM
>> To: Jeffrey Lyon
>> Cc: nanog@nanog.org; Charles Wyble
>> Subject: Re: Request for contact and procedure information
>>
>> On Fri, Jul 10, 2009 at 5:12 PM, Jeffrey Lyon <jeffrey.l...@blacklotus.net> wrote:
>>> Would what? Null route the IP? I'm talking about actually filtering the attack.
>>
>> as was I. (talking about filtering the attack)
>>
>>> On Jul 10, 2009 5:10 PM, Christopher Morrow <morrowc.li...@gmail.com> wrote:
>>>> On Fri, Jul 10, 2009 at 2:11 AM, Jeffrey Lyon <jeffrey.l...@blacklotus.net> wrote:
>>>>> All,
>>>>>
>>>>> There a...
>>>>
>>>> <cough>uunet/vzb would/will</cough> (for free most times even)
Re: Request for contact and procedure information
On Fri, Jul 10, 2009 at 11:06 PM, Jeffrey Lyon <jeffrey.l...@blacklotus.net> wrote:
> I don't know of any internet access services that provide a SLA against DDoS.

vzb/mci/uunet used to, there is (I believe) still a 'response' SLA, and there was an SLA for their dos-mitigation service as well...likely somewhere off:
http://www.verizonbusiness.com/us/products/security/managed/#services-dos

I was actually talking about an SLA for his link though, not for dos-mitigation services. There used to be, and still is in some networks, the thought that consumer grade services were essentially 'un-SLA''d, while 'business class' services had some form of 'uptime' SLA associated with them. So, folks that telework often subscribe to 'business dsl' in order to get more guaranteed availability, lack of port filtering, static-ips, etc.

-Chris

> Jeff
>
> On Fri, Jul 10, 2009 at 10:57 PM, Christopher Morrow <morrowc.li...@gmail.com> wrote:
>> On Fri, Jul 10, 2009 at 6:38 PM, Jeffrey Lyon <jeffrey.l...@blacklotus.net> wrote:
>>> Fact: Filtering TCP/80 attacks is a 3 to 4 figure job, sometimes even 5 figure.
>>
>> I was actually being serious, it's not, it doesn't have to, and in the case that started this discussion it probably would have been sufficient to just drop tcp/80 to his link since I would be it's 'business dsl' so he gets an 'SLA' not so he can run a business critical web service there.
>>
>> There are services you can buy that are a lot more expensive, but why would you? if there are options that are more relevant and cheaper... and in line with what you want. You can certainly pay more if you want to, I'm not sure that's the smart choice though.
>>
>> -Chris
>>
>>> On Fri, Jul 10, 2009 at 6:16 PM, Christopher Morrow <morrowc.li...@gmail.com> wrote:
>>>> On Fri, Jul 10, 2009 at 5:49 PM, Luan Nguyen <l...@netcraftsmen.net> wrote:
>>>>> Filter like in using the Cisco Guard of sort, to send the good traffic back to the customers? And that service is <cough>free through vzb?</cough>
>>>>
>>>> as in: find some way to keep the customer alive and kicking which might be:
>>>> 1) null route bad destination if no one cares about it
>>>> 2) acl the traffic upstream if it's not to something you care about (but need the ip to work)
>>>> 3) guard/mitigate traffic and redeliver (which has some limitations or did)
>>>>
>>>> all of that is free to 701 customers, yes. if you have to get to step3 more than a few times I'm sure sales will want you to pay, since that part isn't 'free' to the company.
>>>>
>>>> point being, dropping tcp/80 syn traffic isn't hard, and it's routinely done at customer request. (or was when I was doing it there)
>>>>
>>>> -chris
>>>>
>>>>> --
>>>>> -----Original Message-----
>>>>> From: Christopher Morrow [mailto:morrowc.li...@gmail.com]
>>>>> Sent: Friday, July 10, 2009 5:40 PM
>>>>> To: Jeffrey Lyon
>>>>> Cc: nanog@nanog.org; Charles Wyble
>>>>> Subject: Re: Request for contact and procedure information
>>>>>
>>>>> On Fri, Jul 10, 2009 at 5:12 PM, Jeffrey Lyon <jeffrey.l...@blacklotus.net> wrote:
>>>>>> Would what? Null route the IP? I'm talking about actually filtering the attack.
>>>>>
>>>>> as was I. (talking about filtering the attack)
>>>>>
>>>>>> On Jul 10, 2009 5:10 PM, Christopher Morrow <morrowc.li...@gmail.com> wrote:
>>>>>>> On Fri, Jul 10, 2009 at 2:11 AM, Jeffrey Lyon <jeffrey.l...@blacklotus.net> wrote:
>>>>>>>> All,
>>>>>>>>
>>>>>>>> There a...
>>>>>>>
>>>>>>> <cough>uunet/vzb would/will</cough> (for free most times even)
Re: Request for contact and procedure information
I don't know of any internet access services that provide a SLA against DDoS.

Jeff

On Fri, Jul 10, 2009 at 10:57 PM, Christopher Morrow <morrowc.li...@gmail.com> wrote:
> On Fri, Jul 10, 2009 at 6:38 PM, Jeffrey Lyon <jeffrey.l...@blacklotus.net> wrote:
>> Fact: Filtering TCP/80 attacks is a 3 to 4 figure job, sometimes even 5 figure.
>
> I was actually being serious, it's not, it doesn't have to, and in the case that started this discussion it probably would have been sufficient to just drop tcp/80 to his link since I would be it's 'business dsl' so he gets an 'SLA' not so he can run a business critical web service there.
>
> There are services you can buy that are a lot more expensive, but why would you? if there are options that are more relevant and cheaper... and in line with what you want. You can certainly pay more if you want to, I'm not sure that's the smart choice though.
>
> -Chris
>
>> On Fri, Jul 10, 2009 at 6:16 PM, Christopher Morrow <morrowc.li...@gmail.com> wrote:
>>> On Fri, Jul 10, 2009 at 5:49 PM, Luan Nguyen <l...@netcraftsmen.net> wrote:
>>>> Filter like in using the Cisco Guard of sort, to send the good traffic back to the customers? And that service is <cough>free through vzb?</cough>
>>>
>>> as in: find some way to keep the customer alive and kicking which might be:
>>> 1) null route bad destination if no one cares about it
>>> 2) acl the traffic upstream if it's not to something you care about (but need the ip to work)
>>> 3) guard/mitigate traffic and redeliver (which has some limitations or did)
>>>
>>> all of that is free to 701 customers, yes. if you have to get to step3 more than a few times I'm sure sales will want you to pay, since that part isn't 'free' to the company.
>>>
>>> point being, dropping tcp/80 syn traffic isn't hard, and it's routinely done at customer request. (or was when I was doing it there)
>>>
>>> -chris
>>>
>>>> --
>>>> -----Original Message-----
>>>> From: Christopher Morrow [mailto:morrowc.li...@gmail.com]
>>>> Sent: Friday, July 10, 2009 5:40 PM
>>>> To: Jeffrey Lyon
>>>> Cc: nanog@nanog.org; Charles Wyble
>>>> Subject: Re: Request for contact and procedure information
>>>>
>>>> On Fri, Jul 10, 2009 at 5:12 PM, Jeffrey Lyon <jeffrey.l...@blacklotus.net> wrote:
>>>>> Would what? Null route the IP? I'm talking about actually filtering the attack.
>>>>
>>>> as was I. (talking about filtering the attack)
>>>>
>>>>> On Jul 10, 2009 5:10 PM, Christopher Morrow <morrowc.li...@gmail.com> wrote:
>>>>>> On Fri, Jul 10, 2009 at 2:11 AM, Jeffrey Lyon <jeffrey.l...@blacklotus.net> wrote:
>>>>>>> All,
>>>>>>>
>>>>>>> There a...
>>>>>>
>>>>>> <cough>uunet/vzb would/will</cough> (for free most times even)
Re: Request for contact and procedure information
Charles;

SBC belongs to ATT which has a ddos mitigation offering
http://www.business.att.com/content/productbrochures/PB-DDoS_16651_v1_6-27-08.pdf

Verizon also has such an offering under Managed Services Security Solutions Powered by Cybertrust a company they bought
http://www.verizonbusiness.com/us/products/security/managed/#services-dos

From: Charles Wyble <char...@thewybles.com>
To: nanog@nanog.org <nanog@nanog.org>
Sent: Thursday, July 9, 2009 2:35:14 PM
Subject: Request for contact and procedure information

All,

I'm currently experiencing a DDOS attack on my home DSL connection. Thousands of requests to port 80. I'm on an SBC business class account. I'm guessing that calling the regular customer support won't get me anywhere.

Any suggestions?
Re: Request for contact and procedure information
Charles,

You're going to need an enterprise grade DDoS protection provider and should expect to spend anywhere from hundreds to thousands per month for this service. This is not a service the majority of transit providers are capable of offering.

Best regards,
Jeff

On Thu, Jul 9, 2009 at 5:35 PM, Charles Wyble <char...@thewybles.com> wrote:
> All,
>
> I'm currently experiencing a DDOS attack on my home DSL connection. Thousands of requests to port 80. I'm on an SBC business class account. I'm guessing that calling the regular customer support won't get me anywhere.
>
> Any suggestions?
Re: Request for contact and procedure information
Turn off your DSL modem for awhile, and hope for a new dynamic IP?

Mark

On Thu, Jul 9, 2009 at 5:35 PM, Charles Wyble <char...@thewybles.com> wrote:
> All,
>
> I'm currently experiencing a DDOS attack on my home DSL connection. Thousands of requests to port 80. I'm on an SBC business class account. I'm guessing that calling the regular customer support won't get me anywhere.
>
> Any suggestions?
Re: Request for contact and procedure information
Turn off whatever you have listening on port 80.

On Thu, 9 Jul 2009 21:25:48 -0400 Mark Price <mpr...@tqhosting.com> wrote:
> Turn off your DSL modem for awhile, and hope for a new dynamic IP?
>
> Mark
>
> On Thu, Jul 9, 2009 at 5:35 PM, Charles Wyble <char...@thewybles.com> wrote:
>> All,
>>
>> I'm currently experiencing a DDOS attack on my home DSL connection. Thousands of requests to port 80. I'm on an SBC business class account. I'm guessing that calling the regular customer support won't get me anywhere.
>>
>> Any suggestions?
Re: Request for contact and procedure information
I have a static range. :(

Mark Price wrote:
> Turn off your DSL modem for awhile, and hope for a new dynamic IP?
>
> Mark
Re: Request for contact and procedure information
I did. Still getting pounded.

John Peach wrote:
> Turn off whatever you have listening on port 80.
>
> On Thu, 9 Jul 2009 21:25:48 -0400 Mark Price <mpr...@tqhosting.com> wrote:
>> Turn off your DSL modem for awhile, and hope for a new dynamic IP?
>>
>> Mark
>>
>> On Thu, Jul 9, 2009 at 5:35 PM, Charles Wyble <char...@thewybles.com> wrote:
>>> All,
>>>
>>> I'm currently experiencing a DDOS attack on my home DSL connection. Thousands of requests to port 80. I'm on an SBC business class account. I'm guessing that calling the regular customer support won't get me anywhere.
>>>
>>> Any suggestions?
Re: Request for contact and procedure information
On Thu, Jul 09, 2009, Charles Wyble wrote:
> I did. Still getting pounded.

And it's not covered by your SLA?

Adrian
Re: Request for contact and procedure information
Have you spoken with your provider? They should be giving you options, like changing your static address, or null routing the attackers upstream, or perhaps blocking port 80 to you, to limit your ingress traffic.

- Dan

Charles Wyble wrote:
> I did. Still getting pounded.
>
> John Peach wrote:
>> Turn off whatever you have listening on port 80.
Re: Request for contact and procedure information
Dude, he's on SBC man. They're not going to do anything but tell him to restart the modem.

On Thu, Jul 9, 2009 at 9:42 PM, Dan White <dwh...@olp.net> wrote:
> Have you spoken with your provider? They should be giving you options, like changing your static address, or null routing the attackers upstream, or perhaps blocking port 80 to you, to limit your ingress traffic.
>
> - Dan
>
> Charles Wyble wrote:
>> I did. Still getting pounded.
>>
>> John Peach wrote:
>>> Turn off whatever you have listening on port 80.
Re: Request for contact and procedure information
Dan White wrote:
> Have you spoken with your provider? They should be giving you options, like changing your static address, or null routing the attackers upstream, or perhaps blocking port 80 to you, to limit your ingress traffic.

For DSL? I've never had that kind of luck with SBC's (now ATT) home products, and I've been using their DSL since 2001. This is one instance where paying the big bucks for at least a T1 can show some return. Even if it's business DSL it's still treated the same as drooling user DSL. Purely my personal experience.

~Seth
Re: Request for contact and procedure information
Good, Fast, Cheap, pick any two.

Consumer grade ATT DSL is fast and cheap, and now you realize why Good is not included when you go with Fast and Cheap.

jc

Charles Wyble wrote:
> All,
>
> I'm currently experiencing a DDOS attack on my home DSL connection. Thousands of requests to port 80. I'm on an SBC business class account. I'm guessing that calling the regular customer support won't get me anywhere.
>
> Any suggestions?
Re: Request for contact and procedure information
Jon Kibler wrote:
> Charles Wyble wrote:
>> All,
>>
>> I'm currently experiencing a DDOS attack on my home DSL connection. Thousands of requests to port 80. I'm on an SBC business class account. I'm guessing that calling the regular customer support won't get me anywhere.
>>
>> Any suggestions?
>
> Okay, this is going to sound REALLY lame, but IMHO it may be your best bet to get action from SBC:
>
> 1) File a police report with your local law enforcement agency and (CRITICAL) get a case number. (You should have well documented when the attack started, too. If asked why you waited so long to report it, explain that you were not familiar with procedures. You may also be asked what you have that someone wants to attack. "I don't know" is an acceptable answer, if that is the truth.) When local law enforcement completes taking the report, request that your local law enforcement escalate the case to the local/regional FBI office (specifically mention InfraGard).
>
> 2) Call your local FBI office and ask to speak to the InfraGard coordinator. (If it is a small office, they may refer you to your regional office.) Tell them you are being DDOSed, that you have filed a report with local law enforcement (give them agency and case number), tell them who is your ISP and contact information, and tell them ISP has been uncooperative at resolution. Ask them can they please help -- at a minimum, can they contact the ISP and get them to start null routing DDOS traffic.
>
> Just out of curiosity, do you have any traffic capture? If so, what type of attack is it? SYN flood, Apache instance starvation, etc.? You may want to do some packet capture for hand-over to law enforcement.
>
> I know this sounds lame, but I also CONSTANTLY hear from InfraGard that they want to be informed of these types of attacks, and they will help when resources permit. Don't expect miracles. But it is better than nothing.
>
> Finally, document, document, document!!!
>
> Jon

I hate to reply to my own email... but as soon as I hit SEND, I realized I left off something important...

You said you have Business Class DSL. Is this for a business? If so, have your lawyer contact SBC. S/he should request to talk with the department manager for small business services. That, too, may help get action. Be sure to provide him/her with written documentation on everything you can regarding the attack. The more information that s/he has, the better to beat up on SBC with.

Finally, what does your TOS/SLA say about DDoS? Most have something to say about ISP liability in the mitigation of such attacks.

GOOD LUCK!

Jon
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
o: 843-849-8214
c: 843-813-2924 (NEW!)
s: 843-564-4224
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is: BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253
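
The question in the message above about the attack type (SYN flood versus what it calls Apache instance starvation) can be answered from a text capture. The following is an added example, not part of the original thread: it assumes `tcpdump -nn -tt` text output, and the function names, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Prefix of a `tcpdump -nn -tt` text line for an IPv4 TCP packet.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

# Assumed thresholds for this example; tune them against normal traffic.
MIN_PACKETS = 20        # below this, refuse to label the capture
SYN_FLOOD_RATIO = 0.8   # share of bare SYNs that indicates a SYN flood
HANDSHAKE_RATE = 0.8    # share of opened flows that went on to send an ACK


def summarize(lines, victim_ip, port=80):
    """Summarize packets sent to victim_ip:port and attach a coarse label."""
    syn_by_src = Counter()   # bare SYNs per source address
    sources = set()
    opened = set()           # (src, sport) flows that sent a bare SYN
    acked = set()            # flows that sent any non-RST packet with ACK set
    total = 0
    first_ts = last_ts = None

    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["dst"] != victim_ip or int(m["dport"]) != port:
            continue  # not a TCP line, or not aimed at the service
        total += 1
        ts = float(m["ts"])
        first_ts = ts if first_ts is None else min(first_ts, ts)
        last_ts = ts if last_ts is None else max(last_ts, ts)
        flow = (m["src"], m["sport"])
        sources.add(m["src"])
        if m["flags"] == "S":
            syn_by_src[m["src"]] += 1
            opened.add(flow)
        elif "." in m["flags"] and "R" not in m["flags"]:
            acked.add(flow)

    syn_ratio = sum(syn_by_src.values()) / total if total else 0.0
    handshake_rate = len(opened & acked) / len(opened) if opened else 0.0

    if total < MIN_PACKETS:
        kind = "insufficient-data"
    elif syn_ratio >= SYN_FLOOD_RATIO:
        kind = "syn-flood"          # handshakes are never completed
    elif handshake_rate >= HANDSHAKE_RATE:
        kind = "full-connection"    # load comes from completed connections
    else:
        kind = "mixed"

    return {
        "kind": kind, "total": total, "sources": len(sources),
        "syn_ratio": round(syn_ratio, 3),
        "handshake_rate": round(handshake_rate, 3),
        "top_syn_sources": syn_by_src.most_common(3),
        "first_ts": first_ts, "last_ts": last_ts,
    }


def constructed_capture(kind):
    """Constructed sample lines (documentation address ranges), not real traffic."""
    lines = [
        "1247176500.000000 ARP, Request who-has 192.0.2.1 tell 192.0.2.10, length 28",
        "1247176500.000500 IP 198.51.100.7.50000 > 192.0.2.10.22: Flags [S], seq 1, win 5840, length 0",
    ]
    ts = 1247176500.0
    per_flow = ["S"] if kind == "syn" else ["S", ".", "P."]
    for i in range(30 if kind == "syn" else 10):
        for flags in per_flow:
            ts += 0.01
            lines.append(
                f"{ts:.6f} IP 203.0.113.{i + 1}.{40000 + i} > 192.0.2.10.80: "
                f"Flags [{flags}], seq 1, win 5840, length 0"
            )
    return lines


if __name__ == "__main__":
    for name in ("syn", "conn"):
        print(name, summarize(constructed_capture(name), "192.0.2.10"))
```

The `full-connection` label only says that sources are completing handshakes; whether that volume is an attack has to be judged against the link's normal traffic. The first and last timestamps and the per-source counts are the kind of detail worth keeping with the written record of the incident.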