http://staros.tog.net/wiki/List_of_APNIC_IP_Blocks
There is a more up to date list somewhere, but at a previous company I
worked for we ended up blocking lots of APNIC. Saw way too many
scans/hack-attempts/DOS from them. Occasionally had a customer (twice in
five years) complain about no access to their Russian/Asian bride sites
- in those cases we track down the server's IP or subnet and unblock.
Nick
On 8/2/2010 8:10 AM, Jeremie Chism wrote:
Thanks. I am looking into all of that now.
On Mon, Aug 2, 2010 at 9:44 AM, Glenn Kelley <gl...@hostmedic.com> wrote:
Jeremie
There are a few ways to investigate a suspected DOS attack.
First and foremost you want to take a peek at your incoming
connections.
Do you see a large influx of incoming traffic?
If so - are you able to identify where it is coming from?
Chances are if you know where it is coming from you can simply ask
your provider to null route the traffic ahead of you.
Commands like netstat -na can be a great friend in these cases if
you have the ability to place something in between the connections.
I personally love PFSense for this reason. PFSense can operate
as a transparent firewall (and many other things... ) But for
Free - it is an excellent tool - loads on virtually any x86
system with 2 NIC cards.
Anyhow - Folks that do Dos or DDos (Distributed Denial of
Service) generally attack port 80 as well as mail ports.
Many WISPs will keep port 80 open to the general public so they
can reach the radio's configuration windows.
While it is not something I would suggest - for a variety of
reasons - chances are the port 80 of a customer's radio is what is
getting whacked.
Generally DDoS comes in as UDP packets to other ports - simply
because of how UDP works - it does not cause them as much of an
issue as it would you.
So - a few commands might help here.
netstat -an | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nk1
you can change the 80 above to any port you wish such as 25 for
smtp, 53 for dns/named, etc etc etc...
This should show you the # of connections from a specific IP.
If you have a small # of connections from very large numbers of IP
addresses - then chances are you might be under DDOS.
If there are a very large # of connections from just a few IPs,
then it should be simple enough to ask the ISP to block or null
route those IP addresses.
One last note -
You might want to check the IPs against nslookup or use the
DNSStuff.com toolset.
I have helped a few through these over the years and when they
block the DNS servers many folks use like 208.67.222.222 or
8.8.8.8 it really stinks for folks... for sure.
So you want to make sure you are blocking the right thing of course.
Are you running anything like NTOP ? There are a few simple
things to have in place to watch incoming traffic when needed vs
hoping that it goes away...
Kick back to me if you're lost - and we can go off list for some help
Glenn
On Aug 2, 2010, at 9:56 AM, Jeremie Chism wrote:
I noticed on Friday that everything I had seemed very slow. I
went through checking the usual things and found no problem.
After digging into everything I could put my hands on, I
resorted to calling my upstream to see if they noticed any
problems. They of course said no. At 430 that afternoon I got a
call from one of their "engineers" stating that they had
experienced a DOS attack that was affecting certain customers.
They made some changes and it actually seemed to work better
than before. Even my latency times had dropped. Today the
problem seems to be creeping back to the same way it was Friday.
My question is, is there a way to determine in the future that
this is happening? Is there something specific that would lead
me to the conclusion that in fact that is what is going on?
--
Jeremie Chism
TritonDataLink
--------------------------------------------------------------------------------
WISPA Wants You! Join today!
http://signup.wispa.org/
--------------------------------------------------------------------------------
WISPA Wireless List: wireless@wispa.org
Subscribe/Unsubscribe:
http://lists.wispa.org/mailman/listinfo/wireless
Archives: http://lists.wispa.org/pipermail/wireless/
_____________________________________________________________________________________
Glenn Kelley | Principal | HostMedic | www.HostMedic.com
Email: gl...@hostmedic.com
Please don't print this e-mail unless you really need to.
--
Jeremie Chism
TritonDataLink
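The per-IP connection count that Glenn's netstat pipeline produces, with his few-IPs-versus-many-IPs rule of thumb applied to the result, as an added example that is not from the thread. The netstat output is constructed so it runs offline, and the 10-host cutoff in triage is an assumed threshold.

```shell
#!/bin/sh
# Added example, not from the thread: the per-IP connection count Glenn's
# netstat pipeline produces, plus his rule of thumb applied to the result.
# The netstat output below is constructed so the script runs offline;
# in practice pipe `netstat -an` into the functions instead.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      ESTABLISHED
tcp        0      0 203.0.113.10:80         198.51.100.7:51236      SYN_RECV
tcp        0      0 203.0.113.10:80         192.0.2.44:40001        ESTABLISHED
tcp        0      0 203.0.113.10:80         192.0.2.45:40002        SYN_RECV
tcp        0      0 203.0.113.10:22         192.0.2.9:33000         ESTABLISHED
udp        0      0 0.0.0.0:53              0.0.0.0:*'

# count_peers PORT: reads netstat -an output on stdin and prints "COUNT IP"
# for every remote IPv4 peer talking to local PORT, busiest peer last.
# Matching on the local-address column (not a bare grep :80) avoids
# counting sockets whose *remote* port happens to be 80, and skipping
# the 0.0.0.0:* wildcard drops the LISTEN socket itself.
count_peers() {
    awk -v p=":$1" '$4 ~ (p "$") && $5 != "0.0.0.0:*" { sub(/:[0-9]+$/, "", $5); print $5 }' |
        sort | uniq -c | sort -nk1 | awk '{ print $1, $2 }'
}

# triage PORT: Glenn's heuristic on top of count_peers. One IP holding half
# or more of the connections is a candidate for an ISP null route; many
# hosts with a couple of connections each looks distributed. The 10-host
# cutoff is an assumed threshold, not something from the thread.
triage() {
    count_peers "$1" | awk -v port="$1" '
        { total += $1; hosts++; if ($1 > top) { top = $1; ip = $2 } }
        END {
            if (hosts == 0)
                print "port " port ": no remote connections"
            else if (top * 2 >= total)
                print "port " port ": concentrated - " ip " holds " top " of " total " connections; ask the ISP to null route it"
            else if (hosts >= 10)
                print "port " port ": distributed - " hosts " hosts with at most " top " connections each; likely DDoS"
            else
                print "port " port ": normal - " hosts " hosts, " total " connections"
        }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | count_peers 80
printf '%s\n' "$SAMPLE_NETSTAT" | triage 80
```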